
Building an OpenStack private cloud, step 1: configuring the Keystone service

Posted: 2023-04-18 17:00:33

Configuring the Keystone service

Keystone is the authentication service: whenever any service receives a user request, it must ask Keystone to authenticate it. Keystone takes the identity information out of the request and matches it against what it knows; only if there is a match does it check whether you hold the corresponding permissions, and only then are you given the resource.
Its other function is the service catalog.

1. Create the keystone database

[root@openstack-controller ~]# mysql -u root -h 172.16.10.2 -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
# What this command does: grant all privileges on the keystone database (.* means every table in that database; *.* would mean every table in every database) to the user keystone (the part before @ is the user name, here keystone; the part after @ says where the user must log in from to receive these privileges, localhost meaning only logins from this machine; IDENTIFIED BY sets the user's password)

The last command fails, though. The reason is that the account we logged in with through the 172 address does not have enough privileges: it is not allowed to GRANT on other databases, so we first have to give it that privilege.

[root@openstack-controller ~]# mysql -u root -p205247
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.10.2' IDENTIFIED BY 'redhat' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.10.%' IDENTIFIED BY 'redhat' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'root'@'172.16.10.%';
+------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@172.16.10.%                                                                                                              |
+------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.10.%' IDENTIFIED BY PASSWORD '*84BB5DF4823DA319BBF86C99624479A198E6EEE9' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'root'@'localhost';
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                                                              |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*43C0877E648B1FAA97CF436B1449727E9A47673E' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                                                          |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> exit
Bye

[root@openstack-controller ~]# mysql -u root -h 172.16.10.2 -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' 
    -> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
# Now the command no longer fails

The following command gives the keystone user the same privileges no matter where it logs in from

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' 
    -> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

2. Install the keystone packages

MariaDB [(none)]> exit
Bye
[root@openstack-controller ~]# yum install openstack-keystone httpd mod_wsgi

The installation may fail; if it does, refer to this post:
https://blog.csdn.net/Qmilumilu/article/details/121330274

3. Edit the configuration file and start the keystone service

  • Edit the configuration file /etc/keystone/keystone.conf
    Two settings mainly need changing. The first is the database section:
    add one line under [database]
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone

Here keystone:keystone is the user name and password used to connect to the keystone database; controller/keystone is the address of the server (controller) and the database name (keystone).
The other setting is the token provider.
Find [token] and add one line under it

[token]
provider = fernet
  • Initialize the keystone database: this switches to the keystone user and runs keystone-manage db_sync as that user
[root@openstack-controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
  • Initialize the Fernet key repositories
[root@openstack-controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@openstack-controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  • Start the keystone service
    All of our services (keystone included) now have three addresses, i.e. endpoints
[root@openstack-controller ~]# keystone-manage bootstrap --bootstrap-password admin \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://192.168.245.137:5000/v3/ \
> --bootstrap-region-id RegionOne

RegionOne here is the deployment region, comparable to Alibaba Cloud's North China or East China regions; for a private cloud the default RegionOne is fine
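Added example (not from the original post): a small POSIX shell helper that makes the two keystone.conf edits from step 3 idempotently and reads them back, so running it twice does not leave duplicate lines. The function names set_ini_option and get_ini_option and the config skeleton it writes are mine; on a real controller you would point it at /etc/keystone/keystone.conf. It writes back through the existing file rather than replacing it, so the file's owner and mode stay as they were, which matters because the connection line contains the database password.

```sh
#!/bin/sh
# Added example (not from the original post): set the two keystone.conf
# options from step 3 idempotently, then read them back to verify.
# Assumes POSIX sh + awk. The config skeleton below is constructed for
# the demo; on a real controller pass /etc/keystone/keystone.conf instead.

# set_ini_option FILE SECTION KEY VALUE
# Replaces "KEY = ..." (active or commented as "#KEY = ...") inside
# [SECTION], or appends it to that section; creates the section if missing.
set_ini_option() {
  file=$1; section=$2; key=$3; value=$4
  tmp=$(mktemp) || return 1
  awk -v s="$section" -v k="$key" -v v="$value" '
    /^\[/ {
      # leaving the target section without having written the key: add it
      if (in_sec && !done) { print k " = " v; done = 1 }
      in_sec = ($0 == ("[" s "]"))
    }
    in_sec && !done && $0 ~ ("^#?[ \t]*" k "[ \t]*=") {
      print k " = " v; done = 1; next
    }
    { print }
    END {
      if (!done) {
        if (!in_sec) print "[" s "]"
        print k " = " v
      }
    }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # write back through the existing inode so owner and mode (root:keystone
  # 0640 on a packaged install) are kept; the line holds the DB password
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY -> prints the active value, empty if unset
get_ini_option() {
  awk -v s="$2" -v k="$3" '
    /^\[/ { in_sec = ($0 == ("[" s "]")); next }
    in_sec && $0 ~ ("^" k "[ \t]*=") {
      sub(("^" k "[ \t]*=[ \t]*"), ""); print; exit
    }
  ' "$1"
}

# --- demo on a constructed keystone.conf skeleton ---------------------------
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
[DEFAULT]
#debug = false

[database]
#connection = <None>

[token]
#provider = fernet
EOF

set_ini_option "$DEMO_CONF" database connection \
  'mysql+pymysql://keystone:keystone@controller/keystone'
set_ini_option "$DEMO_CONF" token provider fernet
# running the same call again changes nothing (idempotent)
set_ini_option "$DEMO_CONF" token provider fernet

echo "connection = $(get_ini_option "$DEMO_CONF" database connection)"
echo "provider   = $(get_ini_option "$DEMO_CONF" token provider)"
```

The commented `#connection = <None>` and `#provider = fernet` lines that ship in the packaged keystone.conf are replaced in place, so the active setting sits where a reader of the file expects it, and a second run finds the active line and rewrites it instead of appending another.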

4. Configure the Apache HTTP service

1) Back up and edit the configuration file
Back up first, then edit

[root@openstack-controller ~]# cp /etc/httpd/conf/httpd.conf{,.init.bak}
[root@openstack-controller ~]# vim /etc/httpd/conf/httpd.conf

Find ServerName and add the line ServerName controller

ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName controller

2) Keystone has already created the configuration file Apache needs, so we only have to create a symbolic link that lets Apache read it

[root@openstack-controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3) Enable the Apache HTTP service at boot and start it

[root@openstack-controller ~]# systemctl enable httpd.service
[root@openstack-controller ~]# systemctl start httpd.service
[root@openstack-controller ~]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      62084/beam.smp      
tcp        0      0 172.16.10.2:3306        0.0.0.0:*               LISTEN      61962/mysqld        
tcp        0      0 172.16.10.2:11211       0.0.0.0:*               LISTEN      63270/memcached     
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      63270/memcached     
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      18939/sshd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      19119/master        
tcp6       0      0 :::5000                 :::*                    LISTEN      69947/httpd         
tcp6       0      0 :::5672                 :::*                    LISTEN      62084/beam.smp      
tcp6       0      0 :::80                   :::*                    LISTEN      69947/httpd         
tcp6       0      0 :::22                   :::*                    LISTEN      18939/sshd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      19119/master 

You can see the service listening on port 5000
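Added example (not part of the original post): rather than reading the netstat listing by eye, the following POSIX shell functions parse it, confirm that httpd holds port 5000, and list which sockets are bound on every interface. NETSTAT_SAMPLE embeds the listing shown above so the check runs offline; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): check the `netstat -nltp`
# listing from step 4 instead of eyeballing it. Assumes POSIX sh + awk.
# NETSTAT_SAMPLE is the post's own listing, embedded so the check runs
# offline; on the controller feed it from: netstat -nltp 2>/dev/null
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      62084/beam.smp
tcp        0      0 172.16.10.2:3306        0.0.0.0:*               LISTEN      61962/mysqld
tcp        0      0 172.16.10.2:11211       0.0.0.0:*               LISTEN      63270/memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      63270/memcached
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      18939/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      19119/master
tcp6       0      0 :::5000                 :::*                    LISTEN      69947/httpd
tcp6       0      0 :::5672                 :::*                    LISTEN      62084/beam.smp
tcp6       0      0 :::80                   :::*                    LISTEN      69947/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      18939/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      19119/master'

# listeners -> "ADDR:PORT PROGRAM" for every TCP socket in LISTEN state
listeners() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" { split($7, prog, "/"); print $4, prog[2] }'
}

# program_on_port PORT -> the listeners bound to PORT (port is the last
# colon-separated field, which also handles IPv6 forms like :::5000)
program_on_port() {
  listeners | awk -v p="$1" '{ n = split($1, a, ":"); if (a[n] == p) print }'
}

# keystone_listening -> 0 when httpd (the WSGI host for keystone) owns 5000
keystone_listening() {
  program_on_port 5000 | grep -q ' httpd$'
}

# wildcard_listeners -> sockets bound on every interface (0.0.0.0 or ::);
# these are reachable from any network the controller is attached to, so
# they are the ones to cover with the host firewall
wildcard_listeners() {
  listeners | awk '$1 ~ /^0\.0\.0\.0:/ || $1 ~ /^:::[0-9]+$/'
}

echo "port 5000 -> $(program_on_port 5000)"
if keystone_listening; then
  echo "OK: httpd serves port 5000"
else
  echo "httpd is not listening on port 5000"
fi
echo "bound on all interfaces:"
wildcard_listeners
```

On the listing above, mysqld and memcached are bound to the management address 172.16.10.2 (plus loopback for memcached), while httpd on 5000 and 80, sshd, and the RabbitMQ ports are bound on every interface; the wildcard list is what to compare against the intended exposure of each service.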

5. Configure the keystone client admin user

Method: write the variables to a file and source that file whenever they are needed:

[root@openstack-controller ~]# vim ~/.admin.openstack
[root@openstack-controller ~]# cat ~/.admin.openstack
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

[root@openstack-controller ~]# echo $OS_USERNAME

[root@openstack-controller ~]# source ~/.admin.openstack
[root@openstack-controller ~]# echo $OS_USERNAME
admin
[root@openstack-controller ~]# echo $OS_PASSWORD
admin

At this point the keystone service is ready, but there are no users yet. Next we cover how to create projects, domains, roles and users

6. Create domains, projects, users and roles

OpenStack uses domains, projects, users and roles for identity management.
Within one domain, project names must be unique. A user is created in a project and assigned the corresponding role, and that user can then request the relevant resources within the project.
As for roles, the Rocky release has three by default: reader, admin and member. reader is mainly for read-only API operations, admin is the superuser role, and member is the ordinary-user role

1) Create a test domain demo_domain
In fact, keystone-manage bootstrap already created a default domain, named default

# The commands below only work after sourcing the admin file; just follow the steps above in order
[root@openstack-controller ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

Now create the domain:

[root@openstack-controller ~]# openstack domain create --description "An demo Domain" demo_domain
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An demo Domain                   |
| enabled     | True                             |
| id          | 174cfbd8061d403fb7ec9134bc9a437b |
| name        | demo_domain                      |
| tags        | []                               |
+-------------+----------------------------------+

# Now there are two domains
[root@openstack-controller ~]# openstack domain list
+----------------------------------+-------------+---------+--------------------+
| ID                               | Name        | Enabled | Description        |
+----------------------------------+-------------+---------+--------------------+
| 174cfbd8061d403fb7ec9134bc9a437b | demo_domain | True    | An demo Domain     |
| default                          | Default     | True    | The default domain |
+----------------------------------+-------------+---------+--------------------+

Here is how to delete a domain

[root@openstack-controller ~]# openstack domain set --disable demo_domain
[root@openstack-controller ~]# openstack domain delete demo_domain

2) Create an administrative project and a test project

  • The service project is used for service management
[root@openstack-controller ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 796543d538824b9b8068d137ccb4ac21 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
  • The myproject project is for ordinary (non-admin) tasks and for ordinary users and their permissions
[root@openstack-controller ~]# openstack project create --domain default \
> --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 55575380f90040b5ba0395abf82b799b |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

3) Create a user

[root@openstack-controller ~]# openstack user create --domain default \
> --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 8205cbff00094898951d04106ec941f5 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

4) Create a role

[root@openstack-controller ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | c37cb947401c495ab94f29ef082bfcdc |
| name      | myrole                           |
+-----------+----------------------------------+

5) Add the role myrole to myproject and myuser (attach the role to the project and the user)

[root@openstack-controller ~]# openstack role add --project myproject --user myuser myrole

7. Verify keystone

a) Unset the current OS_AUTH_URL and OS_PASSWORD environment variables

[root@openstack-controller ~]# echo $OS_AUTH_URL
http://controller:5000/v3
[root@openstack-controller ~]# echo $OS_PASSWORD
admin
[root@openstack-controller ~]# unset OS_AUTH_URL
[root@openstack-controller ~]# unset OS_PASSWORD
[root@openstack-controller ~]# echo $OS_AUTH_URL

[root@openstack-controller ~]# echo $OS_PASSWORD

[root@openstack-controller ~]# openstack domain list
Missing value auth-url required for auth plugin password

b) Obtain a token as the admin user

[root@openstack-controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:   # enter admin's password: admin
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-11T23:46:25+0000                                                                                                                                                                |
| id         | gAAAAABiVK_BCAu86axHi4MyF89vlxmIKEM2VJl9iEcoYsBvClJECBl_RtK9GFwHgeY9CTMyhuWoTf6sVn0egamsaIzeI1Gr46LVu8sudS1OsaWLlLB_GFU6VvB3S76p4l1PGpRS0DKEQQWasRPM2tnBqotzoZ8QssbG-9ADbz-6Vdg-1akxMBI |
| project_id | 7d3b70fafbfe4391ab3b305f378c8911                                                                                                                                                        |
| user_id    | dad0fd43430f4c4cb91cd3d38c8bb8ab                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

c) Obtain a token as the ordinary user myuser

[root@openstack-controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:   # enter myuser's password: myuser
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-11T23:49:28+0000                                                                                                                                                                |
| id         | gAAAAABiVLB4T-YsSa1lDN20GTBS_khBhhZEey6oxOmgGg1lIkwoNyr_vVHRH51n16YMMZ13-orxNv_95mb4towa-9N6azO5hzLaKodIuhpqUWu8PiP7u0FDsRSXSfUQNqrHmefSizERV1LhSo71Kvht0N89Xz5Mup5ganFiu4vavCCtkP7P4Gw |
| project_id | 55575380f90040b5ba0395abf82b799b                                                                                                                                                        |
| user_id    | 8205cbff00094898951d04106ec941f5                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

If different users can obtain different tokens, the keystone deployment and the user creation succeeded.
This shows that we can obtain tokens through keystone, and issuing tokens is one of keystone's most important functions: keystone authenticates by token. A user arrives with a user name and password, keystone issues a token for that request, and the user then presents that token for everything else.

8. Create OpenStack client environment scripts

This is the same approach as the environment variables described earlier: write the variables to a file and load them with source or . when they are needed.

[root@openstack-controller ~]# vim ~/.myuser.openstack
[root@openstack-controller ~]# vim ~/.admin.openstack
[root@openstack-controller ~]# cat ~/.admin.openstack
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@openstack-controller ~]# cat ~/.myuser.openstack
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Now verify

[root@openstack-controller ~]# source ~/.admin.openstack
[root@openstack-controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-12T00:04:29+0000                                                                                                                                                                |
| id         | gAAAAABiVLP9pumUxh-BEStjvx1E-J1dIAwjPQEpFVNlR597IRC0Vtk18CswVaeL1CbV19AI4pCFLDoqreBc5Oyq2iMUoK2xW6J1gfbfXPzGXEN45UzPoxXb-mQOs4YpCGtFEUmJvHdAN_p3j3mhCUP4LQT9hGK8zpEMX5uxJXKzrfgY1V4X-Sw |
| project_id | 7d3b70fafbfe4391ab3b305f378c8911                                                                                                                                                        |
| user_id    | dad0fd43430f4c4cb91cd3d38c8bb8ab                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@openstack-controller ~]# source ~/.myuser.openstack
[root@openstack-controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-04-12T00:04:46+0000                                                                                                                                                                |
| id         | gAAAAABiVLQOIkhfHM20dUbupfYFap3vWYx3IICI6XLTxrXzkg5rl3Tj_jLhSv0Z3QCzpgSSNVDMPByW0QBMGGzZhRIZ4NV6d_2Z6IRct3ektcv6CQYLgyETMLPEwNgPL7CZDLGzMIDXDtwoBJd57MFYLujGFxCOKfkXNdvUCh7WsY8dE9JKuN8 |
| project_id | 55575380f90040b5ba0395abf82b799b                                                                                                                                                        |
| user_id    | 8205cbff00094898951d04106ec941f5                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
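Added example (not from the original post) covering the rc files of sections 5 and 8: a POSIX shell loader that refuses a file readable by group or other (the file stores OS_PASSWORD in clear text), clears any OS_* variables left behind by a previously sourced file, and checks that every variable the client needs is set before it sources anything. load_openstack_rc and the other function names are mine; the rc files it writes are constructed copies of the ones listed in the post.

```sh
#!/bin/sh
# Added example (not from the original post): load an OpenStack client
# rc file like ~/.admin.openstack or ~/.myuser.openstack with checks that
# a plain "source" skips. Assumes POSIX sh, stat, sed. The rc files written
# below are constructed copies of the ones shown in the post.

REQUIRED_OS_VARS="OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_PROJECT_NAME \
OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_IDENTITY_API_VERSION"

# clear_os_env: unset every exported OS_* variable so values from the
# previously sourced file (e.g. admin's project) cannot leak into the next
# session; this generalises the "unset OS_AUTH_URL" step in section 7.
clear_os_env() {
  for v in $(env | sed -n 's/^\(OS_[A-Za-z0-9_]*\)=.*/\1/p'); do
    unset "$v"
  done
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# load_openstack_rc FILE -> 0 when the file was loaded; 1 (with a message
# on stderr) when it is missing, too permissive, incomplete or malformed.
# A rejected file changes nothing in the calling shell.
load_openstack_rc() {
  rc=$1
  [ -f "$rc" ] || { echo "load_openstack_rc: no such file: $rc" >&2; return 1; }
  mode=$(file_mode "$rc")
  case "$mode" in
    *00) ;;   # group and other bits are zero
    *) echo "load_openstack_rc: $rc has mode $mode; expected 600 because it holds OS_PASSWORD" >&2
       return 1 ;;
  esac
  # validate in a subshell first, starting from a clean OS_* environment
  ( clear_os_env
    . "$rc" || exit 1
    for v in $REQUIRED_OS_VARS; do
      eval "val=\${$v:-}"
      [ -n "$val" ] || { echo "load_openstack_rc: $rc does not set $v" >&2; exit 1; }
    done
    case "$OS_AUTH_URL" in
      http://*|https://*) ;;
      *) echo "load_openstack_rc: OS_AUTH_URL is not an http(s) URL: $OS_AUTH_URL" >&2; exit 1 ;;
    esac ) || return 1
  # validated: now load it for real
  clear_os_env
  . "$rc"
  case "$OS_AUTH_URL" in
    http://*) echo "load_openstack_rc: note: $OS_AUTH_URL sends the password over plain HTTP" >&2 ;;
  esac
  return 0
}

# --- demo: two rc files modelled on the post, plus a badly permissioned one ---
DEMO_DIR=$(mktemp -d)
umask 077     # files created from here on get mode 600
cat > "$DEMO_DIR/admin.openstack" <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
cat > "$DEMO_DIR/myuser.openstack" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
# same content as admin's, but world-readable: must be rejected
cp "$DEMO_DIR/admin.openstack" "$DEMO_DIR/leaky.openstack"
chmod 644 "$DEMO_DIR/leaky.openstack"

load_openstack_rc "$DEMO_DIR/admin.openstack"  && echo "loaded $OS_USERNAME / $OS_PROJECT_NAME"
load_openstack_rc "$DEMO_DIR/myuser.openstack" && echo "loaded $OS_USERNAME / $OS_PROJECT_NAME"
load_openstack_rc "$DEMO_DIR/leaky.openstack"  || echo "rejected leaky.openstack"
```

Because the function runs in the current shell (it must, to export the variables), it is meant to be sourced from a profile and called as `load_openstack_rc ~/.admin.openstack`; switching from the admin file to the myuser file this way leaves no admin value behind, which is the failure mode the unset step in section 7 guards against by hand.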