1. Install the Identity service (Keystone)
1.0 Overview of the Identity service
The Identity service provides authentication, authorization and the service catalog (every service installed later registers its endpoints here). It is normally installed on the controller node. A user first authenticates against the Identity service and obtains a token, then presents that token to the other services; those services in turn use the Identity service to validate the token and to look up where the other services are located. The Identity service consists of three parts:
Component | Description |
---|---|
Server | A centralized server that provides authentication and authorization through a RESTful interface |
Drivers | Back ends plugged into the server that store and retrieve identity data, for example an SQL database or an LDAP directory |
Modules | Middleware that runs inside the other OpenStack services and validates the tokens those services receive |
1.1 Install the Identity service
1.1.1 Prepare the database
Create the database and grant the keystone user access to it. Replace KEYSTONE_DBPASS with a password of your own; the original notes used `openstack`, which is a well-known default and belongs only in a throwaway lab. The `'keystone'@'%'` grant is what lets keystone connect through the `controller` management address; narrow it to that host if you do not want the account reachable from anywhere.
```
mysql
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
```
1.1.2 Install and configure the software
1.1.2.1 Install keystone, apache2 and libapache2-mod-wsgi
```
apt install keystone apache2 libapache2-mod-wsgi
```
1.1.2.2 Edit the keystone configuration
```
vi /etc/keystone/keystone.conf
```
In the [database] section add the following (KEYSTONE_DBPASS is the password given to the keystone MySQL user in 1.1.1):
```
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
This line holds the database password in clear text, so keystone.conf should stay readable only by root and the keystone group (mode 0640).
In the [token] section set the provider to fernet:
```
[token]
# ...
provider = fernet
```
1.1.2.3 Populate the Identity service database
```
su -s /bin/sh -c "keystone-manage db_sync" keystone
```
1.1.2.4 Initialize the Fernet key repositories
```
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```
These commands create /etc/keystone/fernet-keys and /etc/keystone/credential-keys, owned by keystone with mode 0700. Anyone who can read the Fernet keys can mint valid tokens for any user, so keep the directories private, back them up, and rotate the keys periodically with `keystone-manage fernet_rotate`.
1.1.2.5 Bootstrap the Identity service
```
# replace ADMIN_PASS with a password of your own
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
```
This creates the admin user, the admin project, the admin role and the identity endpoints in RegionOne. The endpoints are plain http, which is fine for a lab, but passwords and tokens then cross the network unencrypted; put TLS in front of Apache before exposing the public endpoint.
1.1.2.6 Configure apache2
```
vi /etc/apache2/apache2.conf
```
Add the following line:
```
ServerName controller
```
Restart apache2:
```
service apache2 restart
```
1.1.2.7 Export the environment variables
```
# replace ADMIN_PASS with the admin password set when bootstrapping keystone
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
```
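A check of the state that steps 1.1.2.2 to 1.1.2.4 should leave behind, as an added example (not code from the original notes or from the Keystone project). It assumes the package paths /etc/keystone/keystone.conf, /etc/keystone/fernet-keys and /etc/keystone/credential-keys, all passed as parameters so the checks can be pointed at a test copy; build_lab_fixture writes such a copy with constructed content (the key material in it is not a real Fernet key). Ownership is not checked, only modes and config values.

```python
"""Post-install audit of the Keystone settings made in 1.1.2.2 to 1.1.2.4.

Added example, not part of the original notes or of the Keystone project.
Checks, on the paths given (defaults are the Ubuntu package paths):
  * [database] connection uses mysql+pymysql and no longer carries the
    KEYSTONE_DBPASS placeholder or the lab password "openstack";
  * [token] provider is fernet;
  * each key repository is a directory with mode 0700 holding key files
    with mode 0600; anyone who can read a Fernet key can mint valid
    tokens for any user, so any group/other bit is a finding.
Ownership is not checked here (that needs the keystone account to exist).
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

PLACEHOLDER_SECRETS = ("KEYSTONE_DBPASS", "openstack")


def check_keystone_conf(conf_path):
    """Return a list of findings for keystone.conf; an empty list means all good."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    if not cfg.read(conf_path):
        return [f"{conf_path}: cannot be read"]

    connection = cfg.get("database", "connection", fallback="")
    if not connection:
        findings.append("[database] connection is not set")
    else:
        if not connection.startswith("mysql+pymysql://"):
            findings.append("[database] connection does not use the mysql+pymysql driver")
        # SQLAlchemy URL: driver://user:password@host/db -> isolate the password
        userinfo = connection.split("://", 1)[1].split("@", 1)[0]
        password = userinfo.partition(":")[2]
        if password in PLACEHOLDER_SECRETS:
            findings.append("[database] connection still uses a placeholder or lab password")

    if cfg.get("token", "provider", fallback="") != "fernet":
        findings.append("[token] provider is not fernet")
    return findings


def check_key_repository(repo_path):
    """Return findings for a Fernet or credential key repository directory."""
    repo = Path(repo_path)
    if not repo.is_dir():
        return [f"{repo}: missing, run keystone-manage fernet_setup / credential_setup"]
    findings = []
    dir_mode = stat.S_IMODE(repo.stat().st_mode)
    if dir_mode & 0o077:  # any group or other permission bit set
        findings.append(f"{repo}: directory mode {dir_mode:04o}, expected 0700")
    key_files = [p for p in repo.iterdir() if p.is_file()]
    if not key_files:
        findings.append(f"{repo}: no key files present")
    for key in key_files:
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & 0o077:
            findings.append(f"{key}: key file mode {mode:04o}, expected 0600")
    return findings


def audit(conf_path="/etc/keystone/keystone.conf",
          repos=("/etc/keystone/fernet-keys", "/etc/keystone/credential-keys")):
    """Run every check and return the combined findings."""
    findings = check_keystone_conf(conf_path)
    for repo in repos:
        findings.extend(check_key_repository(repo))
    return findings


def build_lab_fixture(secure=True):
    """Write a constructed keystone.conf and key repository into a temp dir.

    secure=True mirrors a correctly finished install; secure=False leaves the
    KEYSTONE_DBPASS placeholder, a uuid provider and world-readable keys.
    Returns (conf_path, repo_path).
    """
    root = Path(tempfile.mkdtemp(prefix="keystone-audit-"))
    password = "S3cr3t-lab-only" if secure else "KEYSTONE_DBPASS"
    provider = "fernet" if secure else "uuid"
    conf = root / "keystone.conf"
    conf.write_text(
        "[DEFAULT]\n"
        "[database]\n"
        f"connection = mysql+pymysql://keystone:{password}@controller/keystone\n"
        "[token]\n"
        f"provider = {provider}\n"
    )
    repo = root / "fernet-keys"
    repo.mkdir()
    (repo / "0").write_bytes(b"constructed-key-material")  # not a real Fernet key
    os.chmod(repo / "0", 0o600 if secure else 0o644)
    os.chmod(repo, 0o700 if secure else 0o755)
    return str(conf), str(repo)


if __name__ == "__main__":
    for finding in audit() or ["OK: no findings"]:
        print(finding)
```

Run it as root on the controller after 1.1.2.4; every line it prints is something to fix before going further. The mode test uses `& 0o077` rather than an equality so that a repository that is merely more restrictive than 0700 is not flagged.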
1.1.3 Create a domain, projects, users and roles
1. Create a domain. The bootstrap step already created the default domain that the projects and users below live in; the example domain is created only to show the command.
```
root@ubuntu-ControllerNode:/etc/apache2# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | f974e67265a8422c8e3ab330b063d629 |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
```
2. Create projects. First create the service project, which holds the service accounts of the other OpenStack components rather than human users:
```
root@ubuntu-ControllerNode:/etc/apache2# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | fcb7986d7e544426a3f1162e0edbcaf7 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
```
Then create an ordinary project, myproject:
```
openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 34033e75e58b4fe7af481d6df891f92c |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
```
3. Create a user. The command prompts for the new user's password:
```
root@ubuntu-ControllerNode:~# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 23ee05e8ca9a41db92eae7df293f2933 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
```
4. Create a role
```
root@ubuntu-ControllerNode:~# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | c089e2053e9c4601b69b514d16709422 |
| name      | myrole                           |
+-----------+----------------------------------+
```
5. Assign the role. Role assignments are scoped to a project (or domain): after this command myuser holds myrole inside myproject and nothing anywhere else.
```
openstack role add --project myproject --user myuser myrole
```
2. Verify the Identity service installation
1. Unset the environment variables, so that the CLI prompts for the password and the checks below do not silently rely on the values exported earlier
```
unset OS_AUTH_URL OS_PASSWORD
```
2. Test authentication as the admin user. The `id` field is a Fernet token: a bearer credential that lets whoever holds it act as admin until `expires` (one hour by default, the `expiration` option in [token]). Treat it like a password and never paste it into tickets, chats or logs.
```
root@ubuntu-ControllerNode:~# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-01-09T09:32:04+0000                                                                                                                                                                |
| id         | gAAAAABcNbGEpi1vfFJ2059WAfcTLCdbTIQZhV6kCewqssAjxJv5XoHtK0Mc-V4rVpYjG9wsNXhEMm-w01YK5TkP8SXYaQcqaENGlFMdWuwsNN3lxyNL1JX-WMrijRmB1JXSTaMMcjC05CLQP-9aznd-jh9T8bMIxg8eQc6fJoGSjMUclsMRp3A |
| project_id | 37bb7182137c419995a57ccea6e2eff8                                                                                                                                                        |
| user_id    | 2791f0fa251e4de28b314b86a0faaba9                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```
3. Test that myuser can obtain a token. Note that the token is scoped to myproject, the only project where myuser has a role:
```
root@ubuntu-ControllerNode:~# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-01-09T09:34:03+0000                                                                                                                                                                |
| id         | gAAAAABcNbH7Ih6qGbFDOYbVaG-YRVkvZetqhJN195hu-zuojyQLTjUHEGqTZvhW7KahVp4qXYJUmrOneR3Pi8YNM4qneJaGbOU7RR6b8bhCv3E8cDoymvz5WspIE8cFHvFL3hGSeS4YX7aBp7vtQ8N1t6rEfC6E7l9Ns8ziC__sycEWM4LFuYM |
| project_id | 34033e75e58b4fe7af481d6df891f92c                                                                                                                                                        |
| user_id    | 23ee05e8ca9a41db92eae7df293f2933                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```
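The same exchange the two `token issue` commands above perform, done directly against the Identity v3 API, as an added example (not code from the original notes or from the Keystone project). It assumes the endpoint http://controller:5000/v3 bootstrapped in 1.1.2.5 and the myuser/myproject names created in 1.1.3. SAMPLE_HEADERS and SAMPLE_BODY are a constructed reply (the ids are copied from the outputs above, the token id is made up) so the parser can be exercised offline; issue_token performs the real request when pointed at a controller.

```python
"""Password authentication against the Keystone v3 API, by hand.

Added example, not part of the original notes or of the Keystone project.
The exchange behind `openstack token issue` is:
  client   -> POST /v3/auth/tokens with a JSON "password" auth request,
              scoped to a project so the token carries that project's roles
  keystone -> 201 Created; the token id is ONLY in the X-Subject-Token
              header, the body carries expiry, user, project, roles, catalog
"""
import json
import urllib.request

AUTH_URL = "http://controller:5000/v3"  # assumption: the endpoint bootstrapped above


def build_password_auth(username, password, project,
                        user_domain="Default", project_domain="Default"):
    """Build the v3 'password' auth request body, scoped to a project."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def parse_token_response(headers, body):
    """Extract what the CLI prints, plus the roles, from a successful reply.

    headers: mapping of response headers (looked up case-insensitively)
    body:    JSON text of the response
    Raises ValueError when the subject token header is absent, which is what
    a rejected login (401) or any other non-201 answer looks like.
    """
    token_id = next((v for k, v in headers.items()
                     if k.lower() == "x-subject-token"), None)
    if not token_id:
        raise ValueError("no X-Subject-Token header: authentication did not succeed")
    token = json.loads(body)["token"]
    return {
        "id": token_id,
        "expires": token["expires_at"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
        "roles": sorted(r["name"] for r in token.get("roles", [])),
    }


def issue_token(username, password, project, auth_url=AUTH_URL):
    """Perform the exchange for real (needs network access to the controller)."""
    req = urllib.request.Request(
        auth_url + "/auth/tokens",
        data=json.dumps(build_password_auth(username, password, project)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(dict(resp.headers), resp.read().decode())


# Constructed reply in the shape Keystone returns for a scoped token; the
# user/project/role ids are those created above, the token id is invented.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Subject-Token": "gAAAAABexample-constructed"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "expires_at": "2019-01-09T09:34:03.000000Z",
        "user": {"id": "23ee05e8ca9a41db92eae7df293f2933", "name": "myuser",
                 "domain": {"id": "default", "name": "Default"}},
        "project": {"id": "34033e75e58b4fe7af481d6df891f92c", "name": "myproject",
                    "domain": {"id": "default", "name": "Default"}},
        "roles": [{"id": "c089e2053e9c4601b69b514d16709422", "name": "myrole"}],
        "catalog": [],
    }
})

if __name__ == "__main__":
    print(json.dumps(parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY), indent=2))
```

Because the token travels in a response header and is then sent back in X-Auth-Token on every later request, the plain-http endpoints from 1.1.2.5 expose it to anyone on the path; that is the concrete reason to terminate TLS in front of Apache outside a lab.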
3. Create an OpenStack client environment script
To make later use of the openstack client easier, create an environment script admin.opensrc with the following content:
```
# replace ADMIN_PASS with your admin password
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```
The file holds the admin password in clear text, so keep it out of shared directories and version control and make it readable only by your own user (chmod 600 admin.opensrc).
To use it, just source the file:
```
. admin.opensrc
```