OpenStack management 28 - deploying OpenStack via RPM [keystone]
2017-02-21 15:11
Notes
1. keystone stores its data in mariadb
2. keystone provides authentication for nova, neutron, cinder and the other components
3. keystone itself manages users, tenants, services, endpoints and other core identity data
Installation
# yum install -y openstack-keystone.noarch openstack-keystone-doc.noarch python-keystone.noarch python-keystoneclient.noarch python-keystoneclient-doc.noarch python-keyring openstack-utils
Configuration
Set the bootstrap admin token directly. This shared secret bypasses password authentication and every policy check, so generate a long random value (the one below is only a placeholder) and remove it from keystone.conf once the admin user and role exist:
# SERVICE_TOKEN=1wef2djdf98324jkl
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN
Purge expired tokens from the token table. This does not rotate admin_token; with the UUID token provider configured below, issued tokens accumulate in the database until this command runs, so schedule it with cron:
# keystone-manage token_flush
Set keystone's database connection directly. The password is stored in plaintext in keystone.conf, so keep the file readable only by root and the keystone user. On Icehouse the documented option is [database] connection; sql_connection is the legacy name, so check which one your release reads:
# openstack-config --set /etc/keystone/keystone.conf database sql_connection mysql://keystone:test123@240.10.130.25/keystone
keystone server settings (bind to the management address rather than 0.0.0.0 so the admin API on 35357 is not exposed on every interface)
# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 240.10.130.25
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 240.10.130.25
# openstack-config --set /etc/keystone/keystone.conf DEFAULT compute_port 8774
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_port 35357
# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_port 5000
keystone token format and provider (UUID tokens are opaque random values stored in the token table, which is why token_flush above is needed)
# openstack-config --set /etc/keystone/keystone.conf signing token_format UUID
# openstack-config --set /etc/keystone/keystone.conf token provider keystone.token.providers.uuid.Provider
Create the database tables. Run db_sync before starting the service so that keystone comes up against a populated schema:
# keystone-manage db_sync
Start the keystone service
# service openstack-keystone start
If the database connection succeeds, the following tables are created automatically:
mysql> use keystone;
mysql> show tables;
+-----------------------+
| Tables_in_keystone    |
+-----------------------+
| assignment            |
| credential            |
| domain                |
| endpoint              |
| group                 |
| migrate_version       |
| policy                |
| project               |
| region                |
| role                  |
| service               |
| token                 |
| trust                 |
| trust_role            |
| user                  |
| user_group_membership |
+-----------------------+
16 rows in set (0.00 sec)
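The settings above leave a bootstrap secret and a database password in keystone.conf. The following is an added example (not code from the original post and not part of keystone) that audits a keystone.conf for exactly the points a reviewer of this procedure checks: admin_token still present, plaintext database credentials, legacy option names, bind addresses and the UUID provider's need for token_flush. The sample configuration is constructed to mirror the openstack-config commands on this page; the host, credentials and token are the page's placeholder values.

```python
"""Audit a keystone.conf for the bootstrap settings configured on this page.

Added example; not the original post's code and not keystone's own code.
SAMPLE_CONF is constructed from the openstack-config commands above.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: /etc/keystone/keystone.conf after the commands in this post.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = 1wef2djdf98324jkl
public_bind_host = 240.10.130.25
admin_bind_host = 240.10.130.25
admin_port = 35357
public_port = 5000

[database]
sql_connection = mysql://keystone:test123@240.10.130.25/keystone

[token]
provider = keystone.token.providers.uuid.Provider
"""

# The same file with the bootstrap token removed, as it should look after setup.
HARDENED_CONF = "\n".join(
    line for line in SAMPLE_CONF.splitlines() if not line.startswith("admin_token")
)


def load_conf(text):
    # interpolation=None: keystone values may contain '%' (e.g. %(tenant_id)s)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_conf(text):
    """Return a list of (severity, message) findings for the config text."""
    cp = load_conf(text)
    findings = []

    # 1. admin_token bypasses password auth and every policy check; it is a
    #    bootstrap-only secret and must go once an admin user and role exist.
    if cp["DEFAULT"].get("admin_token"):
        findings.append(("HIGH", "admin_token is still set; remove it after bootstrap"))

    # 2. Database URL: plaintext credentials, legacy key name, transport security.
    db = cp["database"] if cp.has_section("database") else {}
    url = db.get("connection") or db.get("sql_connection")
    if url is None:
        findings.append(("HIGH", "no database connection configured"))
    else:
        if "sql_connection" in db and "connection" not in db:
            findings.append(("INFO", "uses legacy [database] sql_connection; "
                                     "Icehouse documents 'connection'"))
        parts = urlsplit(url)
        if parts.password:
            findings.append(("MEDIUM", "database password embedded in keystone.conf; "
                                       "restrict file mode to 0640 root:keystone"))
        if parts.scheme.startswith("mysql") and "ssl" not in parts.query.lower():
            findings.append(("LOW", "database connection does not request TLS"))

    # 3. Bind addresses: 0.0.0.0 exposes the admin API (35357) on every interface.
    for key in ("public_bind_host", "admin_bind_host"):
        if cp["DEFAULT"].get(key, "0.0.0.0") == "0.0.0.0":
            findings.append(("MEDIUM", f"{key} binds all interfaces"))

    # 4. UUID tokens persist in the token table until keystone-manage token_flush runs.
    provider = cp["token"].get("provider", "") if cp.has_section("token") else ""
    if "uuid" in provider:
        findings.append(("INFO", "UUID token provider: schedule keystone-manage token_flush"))
    return findings


if __name__ == "__main__":
    for label, conf in (("as configured", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for severity, message in audit_conf(conf):
            print(f"{severity:6} {message}")
```

Run it against the real file with `audit_conf(open("/etc/keystone/keystone.conf").read())`; the HIGH finding for admin_token should disappear after bootstrap, and the legacy-name finding tells you whether the release you run will actually read the database URL you set.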
keystone client installation
To talk to keystone you need python-keystoneclient:
# yum install -y python-keystoneclient
Create a test tenant and the admin tenant
Take the admin_token and admin_bind_host you set in /etc/keystone/keystone.conf for the endpoint and token values below. The client then authenticates with the bootstrap token on the admin port (35357) rather than as a user:
# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
Create a test tenant
[root@hh-yun-compute-130025 ~]# keystone tenant-create --name cookbook --description "Default Cookbook Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Cookbook Tenant          |
| enabled     | True                             |
| id          | c74de0a2760343ac93f27095023be1cd |
| name        | cookbook                         |
+-------------+----------------------------------+
Check the tenant information
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| c74de0a2760343ac93f27095023be1cd | cookbook | True    |
+----------------------------------+----------+---------+
We must also create an admin tenant, so that the admin user has a complete environment to operate in
[root@hh-yun-compute-130025 ~]# keystone tenant-create --name admin --description "Admin tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin tenant                     |
| enabled     | True                             |
| id          | 59728cade8b14853a8d3cee8c2567881 |
| name        | admin                            |
+-------------+----------------------------------+
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 | admin    | True    |
| c74de0a2760343ac93f27095023be1cd | cookbook | True    |
+----------------------------------+----------+---------+
Configure keystone roles
1. A role expresses the permissions a user holds within a tenant
2. The two common roles are admin and member
Note: /etc/keystone/policy.json defines the administrator rule as "admin_required": "role:admin or is_admin:1". The role:admin half is satisfied by the admin role created below; the is_admin:1 half is satisfied by requests that authenticate with the bootstrap admin_token, which is one more reason to remove that token from keystone.conf once setup is complete.
Take the keystone authentication values from /etc/keystone/keystone.conf
# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
Create the admin role
# keystone role-create --name admin
Create the member role
# keystone role-create --name Member     (older releases)
# keystone role-create --name _member_   (Icehouse)
Create users with keystone
1. List the tenants
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 | admin    | True    |
| c74de0a2760343ac93f27095023be1cd | cookbook | True    |
+----------------------------------+----------+---------+
2. Create the admin user (test123 is a placeholder; use a strong password, since this account will hold the admin role)
[root@hh-yun-compute-130025 ~]# keystone user-create --name admin --tenant cookbook --pass test123 --email terry.zeng@vipshop.com --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | terry.zeng@vipshop.com           |
| enabled  | True                             |
| id       | 43f38bc5c1314670b0cf1d925736ff3a |
| name     | admin                            |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username | admin                            |
+----------+----------------------------------+
3. List the roles
[root@hh-yun-compute-130025 ~]# keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ddaf6bbd9684a109ecf83f7939bcf94 | admin    |
+----------------------------------+----------+
4. List the users
[root@hh-yun-compute-130025 ~]# keystone user-list
+----------------------------------+-------+---------+------------------------+
| id                               | name  | enabled | email                  |
+----------------------------------+-------+---------+------------------------+
| 43f38bc5c1314670b0cf1d925736ff3a | admin | True    | terry.zeng@vipshop.com |
+----------------------------------+-------+---------+------------------------+
5. Grant the user a role on the new tenant (roles are scoped per tenant, so the admin user created in cookbook above only becomes administrator of the admin tenant through this step)
[root@hh-yun-compute-130025 ~]# keystone user-role-add --user admin --role admin --tenant admin
For reference, granting demo the admin role on the cookbook tenant:
[root@hh-yun-compute-130025 ~]# keystone user-create --name demo --tenant cookbook --pass test123 --email demo@localhost --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | demo@localhost                   |
| enabled  | True                             |
| id       | a57b848ff4244b98be66ef8f133fc9ce |
| name     | demo                             |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username | demo                             |
+----------+----------------------------------+
[root@hh-yun-compute-130025 ~]# keystone user-role-add --user demo --role admin --tenant cookbook
Service definitions
1. Every service in the cloud runs at a specific URL, called its endpoint
2. When a client connects to the OpenStack environment it authenticates with the identity service, which returns the endpoint URLs that user may access
To enable this, we need to define endpoints:
1. A cloud can define multiple regions, which may run in different data centers
2. In the identity service each region is identified by its own IPs and URLs
3. With a single standalone environment we configure RegionOne
Below are the service endpoints that need to be defined for OpenStack Icehouse
1. Define nova
keystone service-create --name nova --type compute --description 'OpenStack Compute Service'
2. Define nova_ec2 (called ec2 in older releases)
keystone service-create --name nova_ec2 --type ec2 --description 'EC2 Service'
3. Define the glance service
keystone service-create --name glance --type image --description 'OpenStack Image Service'
4. Define the cinder service
keystone service-create --name cinder --type volume --description 'Cinder Service'
5. Define cinder_v2
keystone service-create --name cinder_v2 --type volume2 --description 'Cinder Service v2'
6. Define keystone
keystone service-create --name keystone --type identity --description 'OpenStack Identity Service'
7. Define neutron
keystone service-create --name neutron --type network --description 'Neutron Networking Service'
Define endpoints
The OpenStack identity service can expose three kinds of request URL:
1. public URL (for end users)
2. admin URL (for users with administrative privileges; may be a different address from the public URL)
3. internal URL (on a private network isolated from the public network)
品云 currently uses this approach, with eth1 carrying the traffic between components.
Once a service is defined we can add endpoint URLs for it; the command syntax is:
[root@hh-yun-compute-130025 ~]# keystone endpoint-create
usage: keystone endpoint-create [--region <endpoint-region>] --service <service>
                                --publicurl <public-url> [--adminurl <admin-url>]
                                [--internalurl <internal-url>]
Define the nova endpoint. The backslash in \$(tenant_id)s stops bash from running $(tenant_id) as a command substitution inside the double quotes, which would silently register a broken URL; keystone accepts both $(tenant_id)s and %(tenant_id)s as the placeholder and fills it in per tenant when it returns the catalog.
# PUBLIC="http://240.10.130.30:8774/v2/\$(tenant_id)s"
# keystone endpoint-create --region RegionOne --service nova --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property    | Value                                      |
+-------------+--------------------------------------------+
| adminurl    | http://240.10.130.30:8774/v2/$(tenant_id)s |
| id          | fe31d81f395f46e39dd2e3ba9276c4ba           |
| internalurl | http://240.10.130.30:8774/v2/$(tenant_id)s |
| publicurl   | http://240.10.130.30:8774/v2/$(tenant_id)s |
| region      | RegionOne                                  |
| service_id  | 38df11244f3e42698f3c123cc89e9a82           |
+-------------+--------------------------------------------+
Define the nova_ec2 endpoint
# PUBLIC="http://240.10.130.30:8773/services/Cloud"
# ADMIN="http://240.10.130.30:8773/services/Admin"
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id nova_ec2 --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
+-------------+------------------------------------------+
| Property    | Value                                    |
+-------------+------------------------------------------+
| adminurl    | http://240.10.130.30:8773/services/Admin |
| id          | a835a2aeba444692b215136e641a9e5c         |
| internalurl | http://240.10.130.30:8773/services/Cloud |
| publicurl   | http://240.10.130.30:8773/services/Cloud |
| region      | RegionOne                                |
| service_id  | 18cbe76bbcab479595d90d7a50b7dcdf         |
+-------------+------------------------------------------+
Define the glance endpoint
# PUBLIC="http://240.10.130.25:9292/v1"
# keystone endpoint-create --region RegionOne --service_id glance --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://240.10.130.25:9292/v1     |
| id          | b3773df6ad2643fa84c6cae71a7a71cc |
| internalurl | http://240.10.130.25:9292/v1     |
| publicurl   | http://240.10.130.25:9292/v1     |
| region      | RegionOne                        |
| service_id  | d23d46ad40bd4fc89c9c88118acedf75 |
+-------------+----------------------------------+
Define the cinder endpoint
# PUBLIC="http://240.10.130.25:8776/v1/%(tenant_id)s"
# keystone endpoint-create --region RegionOne --service_id cinder --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property    | Value                                      |
+-------------+--------------------------------------------+
| adminurl    | http://240.10.130.25:8776/v1/%(tenant_id)s |
| id          | 044bc4aeb52e4ddd9b60984b82f1a619           |
| internalurl | http://240.10.130.25:8776/v1/%(tenant_id)s |
| publicurl   | http://240.10.130.25:8776/v1/%(tenant_id)s |
| region      | RegionOne                                  |
| service_id  | eb92fe7081394648ae9cc25eec0713d7           |
+-------------+--------------------------------------------+
Define the cinder_v2 endpoint
# PUBLIC="http://240.10.130.25:8776/v2/%(tenant_id)s"
# keystone endpoint-create --region RegionOne --service_id cinder_v2 --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property    | Value                                      |
+-------------+--------------------------------------------+
| adminurl    | http://240.10.130.25:8776/v2/%(tenant_id)s |
| id          | a4f434470e364ff89030d2919eb39c86           |
| internalurl | http://240.10.130.25:8776/v2/%(tenant_id)s |
| publicurl   | http://240.10.130.25:8776/v2/%(tenant_id)s |
| region      | RegionOne                                  |
| service_id  | 63376b37779846eba1f4a96aa142ba94           |
+-------------+--------------------------------------------+
Define the keystone endpoint (the admin URL is the 35357 admin API, the public and internal URLs the 5000 public API; keep 35357 off user-reachable networks)
# PUBLIC="http://240.10.130.25:5000/v2.0"
# ADMIN="http://240.10.130.25:35357/v2.0"
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id keystone --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://240.10.130.25:35357/v2.0  |
| id          | 047b73ba968d41d98ea707ca51f1db33 |
| internalurl | http://240.10.130.25:5000/v2.0   |
| publicurl   | http://240.10.130.25:5000/v2.0   |
| region      | RegionOne                        |
| service_id  | 96dba0ee5a154727843cd975f4ce5e29 |
+-------------+----------------------------------+
Define the neutron endpoint
# PUBLIC="http://240.10.130.29:9696/"
# keystone endpoint-create --region RegionOne --service_id neutron --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://240.10.130.29:9696/       |
| id          | 52f34a0e1f0446c3b0683a330b1a1ce4 |
| internalurl | http://240.10.130.29:9696/       |
| publicurl   | http://240.10.130.29:9696/       |
| region      | RegionOne                        |
| service_id  | 7123d8111fa14e06a59b757c3a78901f |
+-------------+----------------------------------+
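The endpoints registered above are what keystone hands back, with the tenant placeholder filled in, as the service catalog of every token it issues. The following added example (not from the original post and not keystone's implementation) rebuilds that catalog for a given tenant from the endpoint-create results on this page. Its format_url() mirrors the substitution behaviour described above: $( is accepted as %(, and only whitelisted keys are substituted, so a template referring to anything else fails loudly instead of leaking or silently producing a bad URL. The endpoint table is constructed from this page's output; the whitelist is an assumption modelled on keystone's, not copied from it.

```python
"""Render the per-tenant v2.0 service catalog for the endpoints on this page.

Added example; not the post's code and not keystone's catalog backend.
ENDPOINTS is constructed from the endpoint-create output above.
"""

# (service name, service type, public/internal URL, admin URL)
ENDPOINTS = [
    ("nova", "compute", "http://240.10.130.30:8774/v2/$(tenant_id)s",
     "http://240.10.130.30:8774/v2/$(tenant_id)s"),
    ("nova_ec2", "ec2", "http://240.10.130.30:8773/services/Cloud",
     "http://240.10.130.30:8773/services/Admin"),
    ("glance", "image", "http://240.10.130.25:9292/v1",
     "http://240.10.130.25:9292/v1"),
    ("cinder", "volume", "http://240.10.130.25:8776/v1/%(tenant_id)s",
     "http://240.10.130.25:8776/v1/%(tenant_id)s"),
    ("cinder_v2", "volume2", "http://240.10.130.25:8776/v2/%(tenant_id)s",
     "http://240.10.130.25:8776/v2/%(tenant_id)s"),
    ("keystone", "identity", "http://240.10.130.25:5000/v2.0",
     "http://240.10.130.25:35357/v2.0"),
    ("neutron", "network", "http://240.10.130.29:9696/",
     "http://240.10.130.29:9696/"),
]

# Assumed whitelist of template keys (modelled on keystone's, not copied from it).
WHITELIST = {"tenant_id", "user_id", "public_bind_host", "admin_bind_host",
             "compute_host", "compute_port", "admin_port", "public_port"}


class _Whitelisted(dict):
    """Mapping that refuses any key outside WHITELIST during % formatting."""
    def __missing__(self, key):
        raise KeyError(f"endpoint template uses non-whitelisted key {key!r}")


def format_url(url, substitutions):
    """Fill endpoint placeholders; like keystone, '$(' is treated as '%('."""
    allowed = _Whitelisted({k: v for k, v in substitutions.items() if k in WHITELIST})
    return url.replace("$(", "%(") % allowed


def build_catalog(tenant_id, region="RegionOne"):
    """Return a v2.0-style serviceCatalog list for the given tenant."""
    subs = {"tenant_id": tenant_id}
    catalog = []
    for name, svc_type, public, admin in ENDPOINTS:
        catalog.append({
            "name": name,
            "type": svc_type,
            "endpoints": [{
                "region": region,
                "publicURL": format_url(public, subs),
                "adminURL": format_url(admin, subs),
                "internalURL": format_url(public, subs),
            }],
        })
    return catalog


def find_endpoint(catalog, svc_type, interface="publicURL", region="RegionOne"):
    """Look a URL up by service type, the way a client picks its endpoint."""
    for svc in catalog:
        if svc["type"] != svc_type:
            continue
        for ep in svc["endpoints"]:
            if ep["region"] == region:
                return ep[interface]
    raise LookupError(f"no {interface} for {svc_type} in {region}")


if __name__ == "__main__":
    cat = build_catalog("c74de0a2760343ac93f27095023be1cd")  # cookbook tenant
    for svc in cat:
        ep = svc["endpoints"][0]
        print(f"{svc['type']:9} public={ep['publicURL']}  admin={ep['adminURL']}")
```

A quick sanity check after registering endpoints is to compare this rendering with what `keystone catalog` (or the serviceCatalog in a token response) actually returns for a tenant: a compute URL ending in `/v2/s` means the shell ate the unescaped `$(tenant_id)` placeholder.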
Create the service tenant
A service tenant is needed so that the services above can run within OpenStack; create a user and password for each service and place it in the service tenant.
### Note: 品云 uses services as the tenant name; the difference is immaterial
### The users are created the same way as ordinary users and are assigned to the service tenant
Create the service tenant
# keystone tenant-create --name service --description "Service Tenant" --enabled true
Create the users. The passwords below equal the usernames and are placeholders only; each one is copied into that service's keystone_authtoken configuration and any compromised service host would expose it, so generate a distinct random password per service:
# keystone user-create --name nova --pass nova --tenant service --email nova@localhost --enabled true
# keystone user-create --name glance --pass glance --tenant service --email glance@localhost --enabled true
# keystone user-create --name keystone --pass keystone --tenant service --email keystone@localhost --enabled true
# keystone user-create --name cinder --pass cinder --tenant service --email cinder@localhost --enabled true
# keystone user-create --name neutron --pass neutron --tenant service --email neutron@localhost --enabled true
Assign the user roles. The services use these accounts to validate user tokens against the keystone admin API, which requires the admin role on the service tenant:
# keystone user-role-add --user nova --role admin --tenant service
# keystone user-role-add --user glance --role admin --tenant service
# keystone user-role-add --user keystone --role admin --tenant service
# keystone user-role-add --user cinder --role admin --tenant service
# keystone user-role-add --user neutron --role admin --tenant service