OpenStack云平台搭建(2) | 安装Keystone

目录

1、登录数据库配置

2、数据库导入Keystone表

3、配置http服务

4、创建域、用户

5、创建脚本

---

• Keystone（OpenStack Identity Service）是 OpenStack 框架中负责管理身份验证、服务访问规则和服务令牌功能的组件。
• 下面我们进行Keystone的安装部署

1、登录数据库配置

1.Use the database access client to connect to the database server as the root user（登录数据库）

[root@controller ~]# mysql -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 18
Server version: 10.3.20-MariaDB MariaDB ServerCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]> 

 2.Create the keystone database(数据库里创建keystone)

MariaDB [(none)]> CREATE DATABASE keystone;

3. Grant proper access to the keystone database(授权对keystone数据库的正确访问)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '123';

4.退出数据库

MariaDB [(none)]> quit

2、数据库导入Keystone表

1.安装httpd mod_wsgi

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y

2.备份配置文件并且修改

[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
[root@controller ~]# vi /etc/keystone/keystone.conf

[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:123@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
provider = fernet
[tokenless_auth]
[totp]

3.同步数据库

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

进数据库检查一下看keystone是否有表了，如下说明同步完成

[root@controller ~]# mysql -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 25
Server version: 10.3.20-MariaDB MariaDB ServerCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
| consumer                           |
| credential                         |
| endpoint                           |
| endpoint_group                     |
| federated_user                     |
| federation_protocol                |
| group                              |
| id_mapping                         |
| identity_provider                  |
| idp_remote_ids                     |
| implied_role                       |
| limit                              |
| local_user                         |
| mapping                            |
| migrate_version                    |
| nonlocal_user                      |
| password                           |
| policy                             |
| policy_association                 |
| project                            |
| project_endpoint                   |
| project_endpoint_group             |
| project_option                     |
| project_tag                        |
| region                             |
| registered_limit                   |
| request_token                      |
| revocation_event                   |
| role                               |
| role_option                        |
| sensitive_config                   |
| service                            |
| service_provider                   |
| system_assignment                  |
| token                              |
| trust                              |
| trust_role                         |
| user                               |
| user_group_membership              |
| user_option                        |
| whitelisted_config                 |
+------------------------------------+

4.安装key repositories:

[root@controller ~]# # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5.引导Identity服务:

keystone-manage bootstrap --bootstrap-password 123 \--bootstrap-admin-url http://controller:5000/v3/ \--bootstrap-internal-url http://controller:5000/v3/ \--bootstrap-public-url http://controller:5000/v3/ \--bootstrap-region-id RegionOne

3、配置http服务

1.编辑http配置文件

[root@controller ~]# vi /etc/httpd/conf/httpd.conf 

# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName controller

2.生成软链接

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3.启动httpd

[root@controller ~]# systemctl enable httpd
[root@controller ~]# systemctl start httpd

4.配置环境变量

[root@controller ~]# vi /etc/keystone/admin-openrc.sh

#!/bin/bashexport OS_USERNAME=adminexport OS_PASSWORD=123export OS_PROJECT_NAME=adminexport OS_USER_DOMAIN_NAME=Defaultexport OS_PROJECT_DOMAIN_NAME=Defaultexport OS_AUTH_URL=http://controller:5000/v3export OS_IDENTITY_API_VERSION=3

[root@controller ~]# source /etc/keystone/admin-openrc.sh 

4、创建域、用户

[root@controller ~]#  openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | ee0a6bbc972d4355a0910e73c515f96f |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

[root@controller ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 13c13a875184458a940e9e195688c2ff |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

5、创建脚本

[root@controller ~]# vi /etc/keystone/admin-openrc.sh

#!/bin/bah
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
~                               

加载一下 

[root@controller ~]# source /etc/keystone/admin-openrc.sh 

[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-02-08T16:49:18+0000                                                                                                                                                                |
| id         | gAAAAABj48R-5UKgioRRedEM1uDIImmqKdI00OnFYE2yy-7vzw8MpO2NZgpfbEvk90Sq4SqMN2aK4PRXT5TLExWMVbZacpJHHcr0gPLQ_B1cMj0TgDqHtZ9Tohngxh6ImnFZ7VA-sUu2n4oWZjSmFOySWgDCBdYJ8MJaIPCsxlnCf8riQFQiRQI |
| project_id | 4c7bdbb75b9e481db886549f7d2711be                                                                                                                                                        |
| user_id    | 41944ebcbb2541acbc31bfd591107fff                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

到这里keystone部署完成

---

Keystone（OpenStack Identity Service）是 OpenStack 框架中负责管理身份验证、服务访问规则和服务令牌功能的组件。用户访问资源需要验证用户的身份与权限，服务执行操作也需要进行权限检测，这些都需要通过 Keystone 来处理。Keystone 类似一个服务总线， 或者说是整个 Openstack 框架的注册表，OpenStack 服务通过 Keystone 来注册其 Endpoint（服务访问的URL），任何服务之间的相互调用，都需要先经过 Keystone 的身份验证，获得目标服务的 Endpoint ，然后再调用。

Keystone 的主要功能如下：

• 管理用户及其权限；
• 维护 OpenStack 服务的 Endpoint；
• Authentication（认证）和 Authorization（鉴权）。

用户认证介绍
在用户认证中，有以下名词：
1、User（用户）

• 在Openstack中，使用一个数字来代表使用Openstack的人、系统或者是一个服务，Openstack会对用户的请求进行验证。在Openstack中，一个租户可以有多个用户、一个用户也可以有多个租户，用户对租户的操作权限由用户在租户中承担的角色来确定。

2、Project（项目）

• Project是Openstack中一些可被访问的资源或者是资源组，本质上是一个容器，可以起到隔离的作用，或者用于标识对象。

3、Token（令牌）

• Openstack中的用户用来进行身份验证的凭证。

4、Role（角色）

• 在Openstack中，Role代表一组权限，并且总是和用户所绑定，用于声明用户可以访问的资源。

服务目录介绍
在服务目录中，有以下名词：
1、Service（服务）

• Service就是Openstack中的服务，比如Nova、Glance、Swift等等。

2、Endpoints（端点）

• 一个Endpoints即一个服务所对外暴露的接口，如果我们要访问一个服务，那么我们必须知道该服务的Endpoints。Endpoint的每个URL都对应一个服务实例访问地址，并且具有public、private和admin三种权限。public url可以被公开访问，private url可以被局域网内的设备所访问，而admin url则被从常规的访问中分离。