3. Building the Keystone identity service on OpenStack Mitaka
2016-10-08 23:19
Keystone identity service deployment

I. Install and configure the service
1. Create the database and user
2. Install the httpd web server
3. Edit /etc/keystone/keystone.conf
4. Sync the changes to the database
5. Initialize the Fernet keys
6. Configure the Apache service
7. Start the service
II. Create the service entity and API endpoints
1. Configure the admin environment variables that grant the permissions for the create operations that follow
2. Using those permissions, create the identity service entity (catalog service)
3. Using the service entity from the previous step, create the three API endpoints for accessing it
I. Install and configure the service

1. Create the database and user

```sql
mysql -u root -p
CREATE DATABASE keystone;
-- the password given here must match the one in the [database] connection string of keystone.conf below
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '密码';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '密码';
flush privileges;
```
2. Install the httpd web server

```shell
yum install openstack-keystone httpd mod_wsgi -y
```
3. Edit /etc/keystone/keystone.conf

Generate a secret for admin_token:

```shell
# openssl rand -hex 10
ada2c9751d94be18d74a
```

This admin_token is only for bootstrapping; section IV removes admin_token_auth from the paste pipelines once the admin user exists.

```shell
# vim /etc/keystone/keystone.conf
```

```ini
[DEFAULT]
# generate the token with the command above: openssl rand -hex 10
admin_token = ada2c9751d94be18d74a

[database]
connection = mysql+pymysql://keystone:liuyao@controller/keystone

[token]
provider = fernet
# Token providers: UUID, PKI, PKIZ, or Fernet
# Reference blog: http://blog.csdn.net/miss_yang_cloud/article/details/49633719
```
4. Sync the changes to the database

```shell
# su -s /bin/sh -c "keystone-manage db_sync" keystone
```
5. Initialize the Fernet keys

```shell
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
```
6. Configure the Apache service

Edit /etc/httpd/conf/httpd.conf:

```apache
ServerName controller
```

Edit /etc/httpd/conf.d/wsgi-keystone.conf and add the following configuration:

```apache
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
```
7. Start the service

```shell
systemctl enable httpd.service
systemctl start httpd.service
```
II. Create the service entity and API endpoints

1. Configure the admin environment variables that grant the permissions for the create operations that follow

```shell
export OS_TOKEN=ada2c9751d94be18d74a   # the token generated above
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
```
2. Using those permissions, create the identity service entity (catalog service)

```shell
# openstack service create \
  --name keystone --description "OpenStack Identity" identity
```
3. Using the service entity from the previous step, create the three API endpoints for accessing it

```shell
openstack endpoint create --region RegionOne \
  identity public http://controller:5000/v3
openstack endpoint create --region RegionOne \
  identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne \
  identity admin http://controller:35357/v3
```

III. Create the domain, project (tenant), users and roles, and link the four together

Create a common domain:

```shell
# openstack domain create --description "Default Domain" default
```

Administrator: admin

```shell
openstack project create --domain default \
  --description "Admin Project" admin
openstack user create --domain default \
  --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
```

Regular user: demo

```shell
openstack project create --domain default \
  --description "Demo Project" demo
openstack user create --domain default \
  --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user
```

Create a shared project, service, for the services that follow.

Explanation: every service set up later needs four operations in Keystone: 1. create the project, 2. create the user, 3. create the role, 4. link them together. All later services share the single project service and all use the admin role, so in practice the Keystone work for each later service install is reduced to steps 2 and 4.

```shell
openstack project create --domain default \
  --description "Service Project" service
```
IV. Verification

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the three sections [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3].

```shell
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-08-17T08:29:18.528637Z                                                                                                                                                             |
| id         | gAAAAABXtBJO-mItMcPR15TSELJVB2iwelryjAGGpaCaWTW3YuEnPpUeg799klo0DaTfhFBq69AiFB2CbFF4CE6qgIKnTauOXhkUkoQBL6iwJkpmwneMo5csTBRLAieomo4z2vvvoXfuxg2FhPUTDEbw-DPgponQO-9FY1IAEJv_QV1qRaCRAY0 |
| project_id | 9783750c34914c04900b606ddaa62920                                                                                                                                                        |
| user_id    | 8bc9b323a3b948758697cb17da304035                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
```
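The keystone-paste.ini edit above is what actually disables the bootstrap admin_token, so it is worth checking rather than assuming. The script below is an added example (not part of the original post): check_paste_ini inspects the pipeline line of each of the three sections named above, and make_samples writes constructed before/after copies that approximate the shipped file so the check can be run offline.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that admin_token_auth has been
# removed from the three pipelines in keystone-paste.ini (section IV of this page),
# so the bootstrap admin_token can no longer authenticate requests.

# Exit 0 when all three pipelines are clean, 1 when at least one still carries
# admin_token_auth (each offender is reported on stderr).
check_paste_ini() {
    ini="$1"
    rc=0
    for section in public_api admin_api api_v3; do
        # pick the 'pipeline = ...' line inside the [pipeline:<section>] block
        line=$(awk -v sec="[pipeline:$section]" '
            $0 == sec { insec = 1; next }
            /^\[/ { insec = 0 }
            insec && /^pipeline[ \t]*=/ { print; exit }' "$ini")
        case " $line " in
            *" admin_token_auth "*)
                echo "pipeline:$section still contains admin_token_auth" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files, approximating the shipped pipelines before and after
# the edit; written to the directory given as $1.
make_samples() {
    cat > "$1/before.ini" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
    sed 's/ admin_token_auth//' "$1/before.ini" > "$1/after.ini"
}

# Stand-alone run: report on both constructed files.
dir=$(mktemp -d)
make_samples "$dir"
for f in before after; do
    check_paste_ini "$dir/$f.ini" && echo "$f.ini: clean" || echo "$f.ini: admin_token_auth still enabled"
done
rm -rf "$dir"
```

On a real controller, run check_paste_ini /etc/keystone/keystone-paste.ini after the edit and before unsetting OS_TOKEN.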
V. Create the client script files

Administrator: admin-openrc

```shell
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=liuyao
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

Regular user demo: demo-openrc

```shell
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=liuyao
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

Result:

```shell
source admin-openrc
[root@controller01 ~]# openstack token issue
```