openstack (II: keystone)

Author: 潘祖龙 | Published 2018-03-30 10:02

    IV. Authentication service

    Keystone is installed on the controller node. To improve service performance, Apache serves the web requests and memcached holds the token information.
    1. Install the packages

    yum install openstack-keystone httpd mod_wsgi memcached python-memcached openstack-utils python-openstackclient
    

    Many of the commands used later come from python-openstackclient and openstack-utils.
    2. Configure keystone
    Edit the keystone configuration file /etc/keystone/keystone.conf. It is very long, so use openstack-config commands instead of editing by hand:

    openssl rand -hex 10  # generate a random value, here ee36fc4faf6a3f1f07b1
    openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ee36fc4faf6a3f1f07b1
    openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
    openstack-config --set /etc/keystone/keystone.conf token provider fernet
    openstack-config --set /etc/keystone/keystone.conf token driver memcache  # where tokens are stored
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone  # initialize the Fernet keys
    chown -R keystone:keystone /etc/keystone  # otherwise startup fails because the token storage directory is not accessible
    

    3. Create the database tables
    Sync the database. Mind the permissions: use su -s to run it as the keystone user.

    su -s /bin/sh -c "keystone-manage db_sync" keystone
    Verify that the tables were created:
    mysql -ukeystone -pkeystone
    use keystone;
    show tables;
    

    4. Use httpd as the front end
    The ServerName in httpd must be configured, otherwise the keystone service will not start.

    vim /etc/httpd/conf/httpd.conf
    ServerName master

    Link the keystone WSGI configuration file so Apache serves it. Port 5000 is the regular API endpoint and port 35357 is the admin endpoint.
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    When running openstack-status, the keystone service shows as inactive,
    so a service link is needed:

    ln -s /usr/lib/systemd/system/httpd.service /etc/systemd/system/openstack-keystone.service
    systemctl daemon-reload
    systemctl restart openstack-keystone
    openstack-status
    
    # configure and start memcached
    systemctl enable memcached
    systemctl start memcached
    systemctl enable httpd
    systemctl start httpd
    # check that it is listening
    netstat -lntup | grep httpd
    

    5. Bootstrap the Identity service:

    keystone-manage bootstrap --bootstrap-password admin \
      --bootstrap-admin-url http://controller:35357/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne
    

    Create keystone's projects, roles and users
    First set up the environment files for the two users (in the /home directory):

    vim admin-openrc.sh 
    export OS_TOKEN=ee36fc4faf6a3f1f07b1
    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
    
     vim demo-openrc.sh 
    export OS_TOKEN=ee36fc4faf6a3f1f07b1
    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=demo
    export OS_TENANT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
    ## add execute permission
    chmod +x admin-openrc.sh demo-openrc.sh
    source admin-openrc.sh  # load the environment
    
    grep -n '^admin_token' /etc/keystone/keystone.conf  # ee36fc4faf6a3f1f07b1
    export OS_TOKEN=ee36fc4faf6a3f1f07b1
    If you get a 401 or a token-related error:
    unset OS_TOKEN OS_AUTH_URL
    source admin-openrc.sh  # reload the environment
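The 401 worked around above comes from the openrc files exporting OS_TOKEN next to OS_USERNAME/OS_PASSWORD: with OS_TOKEN and OS_AUTH_URL both set, the client authenticates with the token and ignores the password. The following is an added example (not part of the original post) that classifies how an openrc file will authenticate and writes a password-only copy; the sample file and its placeholder token are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose the OS_TOKEN / OS_PASSWORD
# mix in an openrc file that leads to the 401 described above.

# Print the value of an exported variable in an openrc file (empty if absent).
openrc_get() {
    # $1 = openrc file, $2 = variable name
    sed -n "s/^export $2=//p" "$1" | tail -n 1
}

# Classify the auth mode the client will pick: token, password, mixed or none.
openrc_auth_mode() {
    tok=$(openrc_get "$1" OS_TOKEN)
    user=$(openrc_get "$1" OS_USERNAME)
    pass=$(openrc_get "$1" OS_PASSWORD)
    if [ -n "$tok" ] && [ -n "$user$pass" ]; then
        echo mixed       # token wins; the password lines are dead weight
    elif [ -n "$tok" ]; then
        echo token
    elif [ -n "$user" ] && [ -n "$pass" ]; then
        echo password
    else
        echo none
    fi
}

# Write a copy of the openrc ($1 -> $2) without the OS_TOKEN line so password
# auth is used. Returns 1 if there was no OS_TOKEN line to remove.
strip_token() {
    grep -q '^export OS_TOKEN=' "$1" || return 1
    grep -v '^export OS_TOKEN=' "$1" > "$2"
}

# Constructed sample resembling the post's admin-openrc.sh (placeholder token).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/admin-openrc.sh" <<'EOF'
export OS_TOKEN=0000000000placeholder
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
EOF

echo "before: $(openrc_auth_mode "$SAMPLE_DIR/admin-openrc.sh")"   # mixed
strip_token "$SAMPLE_DIR/admin-openrc.sh" "$SAMPLE_DIR/admin-openrc.fixed.sh"
echo "after:  $(openrc_auth_mode "$SAMPLE_DIR/admin-openrc.fixed.sh")"   # password
```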
    
    

    Now create keystone's projects, roles and users:

    openstack service create --name keystone --description "OpenStack Identity" identity  # register the identity service
    openstack project create --domain default --description "Admin Project" admin  # create the admin project
    openstack project create --domain default --description "Service Project" service  # create the service project
    openstack user create --domain default --password-prompt admin  # create the admin user
    openstack role create admin  # create the admin role
    openstack role add --project admin --user admin admin  # bind the admin user, admin project and admin role together
    ------- below creates the ordinary user "demo" --------
    openstack project create --domain default --description "Demo Project" demo
    openstack user create --domain default --password=demo demo
    openstack role create user
    openstack role add --project demo --user demo user
    

    6. Verify that it works
    Check that a token can be issued (the admin password is prompted for):

    openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin token issue
    List the API endpoints:
    openstack endpoint list
    

    Article link: https://www.haomeiwen.com/subject/tofxixtx.html