OpenStack (2): Configuring the Keystone Service

Deploying the Keystone identity service

1. Keystone database configuration

[mysql]$ mysql -uroot -p123

MariaDB [(none)]> create database keystone;

MariaDB [(none)]> grant all on keystone.* to keystone@'%' identified by '123';

Test from the controller

[controller]$ mysql -ukeystone -h 192.168.99.116 -p123

Controller (management node)

Add the following entries to the hosts file on the controller: /etc/hosts

192.168.99.211 openvip.com

192.168.99.111 controller

Try connecting to the database through the VIP

mysql -hopenvip.com -ukeystone -p123

Configuring Keystone

1. Install

yum -y install openstack-keystone httpd mod_wsgi python-memcached

2. Generate a temporary token

openssl rand -hex 10

3. Configure /etc/keystone/keystone.conf

sed -i.bak -e '/^#/d' -e '/^$/d' /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 7bca7116f710d749cad3
[access_rules_config]
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
connection=mysql+pymysql://keystone:123@openvip.com/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]
[wsgi]

4. Populate the Identity service database

su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Initialize the Fernet key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Verify

ls /etc/keystone/fernet-keys/

1 0 

6. Edit the Apache configuration file /etc/httpd/conf/httpd.conf

Servername controller:80

7. Symlink the configuration file

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

8. Start the Apache HTTP service

systemctl enable httpd.service

systemctl start httpd.service

9. Configure the admin account

export OS_TOKEN=7bca7116f710d749cad3

export OS_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

#export OS_USERNAME=admin

#export OS_PASSWORD=123

#export OS_PROJECT_NAME=admin

#export OS_USER_DOMAIN_NAME=default

#export OS_PROJECT_DOMAIN_NAME=default

#export OS_AUTH_URL=http://controller:5000/v3

#export OS_IDENTITY_API_VERSION=3 

Verify:

[controller]$ openstack domain list

The request you have made requires authentication. (HTTP 401) (Request-ID: req-03ea8186-0af9-4fa8-ba53-d043cd28e2c0)

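This is an error. Check your token: the value you set in the OS_TOKEN variable probably does not match the token set in /etc/keystone/keystone.conf. Make the two identical and the command will work.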

[controller]$ openstack domain list


Empty output is correct here, because we have not added any domains yet.

10. Create a new domain

openstack domain create --description "exdomain" default


11. Create the admin project

openstack project create --domain default --description "Admin Project" admin


12. Create the admin user, with the password set to 123

openstack user create --domain default --password-prompt admin


13. Create a role

openstack role create admin


14. Grant the admin role to the admin user

openstack role add --project admin --user admin admin

15. Create the demo project

openstack project create --domain default --description "Demo project" demo

16. Create a user for demo

openstack user create --domain default --password-prompt demo


17. Create the user role (there are now two roles, user and admin)

openstack role create user


18. Grant the user role to the demo user

openstack role add --project demo --user demo user

19. Create the service project

openstack project create --domain default --description "service project" service

20. Create the Keystone identity service

openstack service create --name keystone --description "openstack identify" identity


21. List the services

openstack service list


22. Create the endpoints, using the VIP for the address

Public endpoint

openstack endpoint create --region RegionOne identity public http://controller:5000/v3


Internal (private) endpoint

openstack endpoint create --region RegionOne identity internal http://controller:5000/v3

Admin endpoint

openstack endpoint create --region RegionOne identity admin http://controller:5000/v3

Test whether Keystone can authenticate

unset OS_TOKEN

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin token issue

Setting the environment variables with scripts

Script for the admin user, keystone_admin.sh

#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Script for the demo user, keystone_demo.sh

#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
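The procedure above leaves three secrets on disk: the temporary admin_token in keystone.conf, the database password inside the connection URL, and OS_PASSWORD in the rc scripts. The following audit is an added example, not part of the original post; the function names audit_keystone_conf and audit_rc_file and the 12-character threshold are assumptions, and the sample files are constructed from the values shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough. Function names and the
# 12-character password threshold are assumptions chosen for illustration.

# Print one finding per risky setting in a keystone.conf-style INI file.
audit_keystone_conf() {
    section=
    while IFS='= ' read -r key val; do
        case $key in
            ''|'#'*) continue ;;                       # blank line or comment
            '['*']') section=${key#"["}; section=${section%"]"}; continue ;;
        esac
        case $section/$key in
            DEFAULT/admin_token)                       # shared bootstrap secret
                [ -n "$val" ] && echo "admin_token: bootstrap token still set" ;;
            database/connection)                       # scheme://user:pass@host/db
                case $val in *://*:*@*) ;; *) continue ;; esac
                pass=${val#*://}; pass=${pass%@*}; pass=${pass#*:}
                [ "${#pass}" -lt 12 ] &&
                    echo "database: password in URL is only ${#pass} characters" ;;
        esac
    done < "$1"
    return 0
}

# Flag an rc script that stores OS_PASSWORD and is readable by group or others.
audit_rc_file() {
    grep -q '^ *export  *OS_PASSWORD=' "$1" || return 0
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ] &&
        echo "$1: stores OS_PASSWORD and is group/world readable"
    return 0
}

# Constructed sample input, reusing the values shown on this page.
sample=$(mktemp -d)
cat > "$sample/keystone.conf" <<'EOF'
[DEFAULT]
admin_token = 7bca7116f710d749cad3
[database]
connection=mysql+pymysql://keystone:123@openvip.com/keystone
[token]
provider = fernet
EOF
printf 'export OS_USERNAME=admin\nexport OS_PASSWORD=123\n' > "$sample/keystone_admin.sh"
chmod 644 "$sample/keystone_admin.sh"

audit_keystone_conf "$sample/keystone.conf"
audit_rc_file "$sample/keystone_admin.sh"
```

On a real controller, point the two functions at /etc/keystone/keystone.conf and at the rc scripts; an empty result means none of these three conditions was found.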


Source: https://thson.blog.csdn.net/article/details/100054881
