Keystone authenticates users. Every component must register with Keystone using a user account, and only once that succeeds can the component work properly. So when we set up the other components, Keystone itself included, we have to create a username and password for each of them.
Keystone also has to know where each component lives, for example on which host it runs.
User
The guest staying at the hotel.
Credentials
The key that opens the room.
Authentication
The mechanism the hotel sets up to keep out people who have no business there: only someone holding a key can come and go.
Token
Also a kind of key, a somewhat special one.
Tenant
The hotel.
Service
The categories of service the hotel can offer, e.g. dining or entertainment.
Endpoint
One specific service, e.g. a barbecue or a game of badminton.
Role
VIP level: the higher the level, the more privileges you enjoy.
[root@h1 ~]# source keystonerc_admin
[root@h1 ~(keystone_admin)]# keystone endpoint-list
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
| 03bf88d48e2648149242a571684fbfce | RegionOne | http://192.168.1.201:9696 | http://192.168.1.201:9696 | http://192.168.1.201:9696 | 1100243c5a694bc5857218dd0543297b |
| 1b5ccdf306484fefadc63d1eeb20de5d | RegionOne | http://127.0.0.1:8774/v3 | http://127.0.0.1:8774/v3 | http://127.0.0.1:8774/v3 | 4bda82ded4db46f68428d4e00247c14c |
| 2408bc6cb5164053b86c0983fd39961a | RegionOne | http://192.168.1.201:8080/v1/AUTH_%(tenant_id)s | http://192.168.1.201:8080/v1/AUTH_%(tenant_id)s | http://192.168.1.201:8080 | 30c62c3c0797462a8bd4ff059a71296e |
| 432e655e85614a5eb69b7de5c5aacf34 | RegionOne | http://192.168.1.201:8776/v2/%(tenant_id)s | http://192.168.1.201:8776/v2/%(tenant_id)s | http://192.168.1.201:8776/v2/%(tenant_id)s | 5d60cb24769e403cb10bb70cb1077f2b |
| 4d5c1e505b30467c9966a5e5e93feef0 | RegionOne | http://192.168.1.201:9292 | http://192.168.1.201:9292 | http://192.168.1.201:9292 | 87d30bb0dd8e44ccba00127f77831e9e |
| 8683d84884d74e7c8a73513260aec774 | RegionOne | http://192.168.1.201:8080 | http://192.168.1.201:8080 | http://192.168.1.201:8080 | e6ced100d94e4f3b86cccfc82e12b83a |
| 8fa0e177bac746f79e229f16954506fb | RegionOne | http://192.168.1.201:8776/v1/%(tenant_id)s | http://192.168.1.201:8776/v1/%(tenant_id)s | http://192.168.1.201:8776/v1/%(tenant_id)s | dc75a046272548db99e1cbbe93c2025c |
| 9006207b29a04700922ee55905a7f445 | RegionOne | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | 1c9e6e4d00824327bfe4e8e7175317e1 |
| a9ec253a705c4b3c9848b5bed32e9768 | RegionOne | http://192.168.1.201:8773/services/Cloud | http://192.168.1.201:8773/services/Cloud | http://192.168.1.201:8773/services/Admin | 81bbcf83509a42e9a867914cde84e9d4 |
| bcab3bbc3281451494428315b24b0dba | RegionOne | http://192.168.1.201:8777 | http://192.168.1.201:8777 | http://192.168.1.201:8777 | 8f54fc4364de49efbeb72020bf2aa176 |
| e3d9a4fa64bd441ea3fe143b1d72b8a4 | RegionOne | http://192.168.1.201:5000/v2.0 | http://192.168.1.201:5000/v2.0 | http://192.168.1.201:35357/v2.0 | 02ce8247c5924913a73422bcf5275c40 |
[root@h1 ~(keystone_admin)]# keystone service-list    ## services
+----------------------------------+------------+--------------+--------------------------------+
| id | name | type | description |
| 8f54fc4364de49efbeb72020bf2aa176 | ceilometer | metering | Openstack Metering Service |
| dc75a046272548db99e1cbbe93c2025c | cinder | volume | Cinder Service |
| 5d60cb24769e403cb10bb70cb1077f2b | cinderv2 | volumev2 | Cinder Service v2 |
| 87d30bb0dd8e44ccba00127f77831e9e | glance | image | OpenStack Image Service |
| 02ce8247c5924913a73422bcf5275c40 | keystone | identity | OpenStack Identity Service |
| 1100243c5a694bc5857218dd0543297b | neutron | network | Neutron Networking Service |
| 1c9e6e4d00824327bfe4e8e7175317e1 | nova | compute | Openstack Compute Service |
| 81bbcf83509a42e9a867914cde84e9d4 | nova_ec2 | ec2 | EC2 Service |
| 4bda82ded4db46f68428d4e00247c14c | novav3 | computev3 | Openstack Compute Service v3 |
| 30c62c3c0797462a8bd4ff059a71296e | swift | object-store | Openstack Object-Store Service |
| e6ced100d94e4f3b86cccfc82e12b83a | swift_s3 | s3 | Openstack S3 Service |
[root@h1 ~(keystone_admin)]# keystone role-list    ## roles
+----------------------------------+---------------+
| id | name |
| 7455105a501842e097e7825257eb5be4 | ResellerAdmin |
| 5d2a5d2f80d442e09b9c3d514ded412e | SwiftOperator |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 794f590d02344bafb280f37ff29433ae | admin |
[root@h1 ~(keystone_admin)]# keystone role-create --name test1
+----------+----------------------------------+
| Property | Value |
| id | 467d36315d9c4e529e9400c606f8d7a2 |
| name | test1 |
[root@h1 ~(keystone_admin)]# keystone role-delete test1
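The two listings above are what every client trusts to locate the services, so they are worth auditing rather than just reading. The script below is an added example, not code from the original post: it parses `keystone service-list` and `keystone endpoint-list` output (the sample rows are copied from the tables above), joins endpoints to services by `service_id`, and flags endpoints bound to loopback (unreachable from any other node, as the novav3 entry above is) and endpoints served over plain http. The function and variable names are my own.

```python
"""Audit a Keystone v2 service catalog from `keystone service-list` and
`keystone endpoint-list` output. Added example, not from the original post."""
from urllib.parse import urlparse

# Sample rows taken from the tables in the post (a subset, to keep it short).
SERVICE_LIST = """
+----------------------------------+------------+--------------+--------------------------------+
| id | name | type | description |
| 02ce8247c5924913a73422bcf5275c40 | keystone | identity | OpenStack Identity Service |
| 4bda82ded4db46f68428d4e00247c14c | novav3 | computev3 | Openstack Compute Service v3 |
| 1c9e6e4d00824327bfe4e8e7175317e1 | nova | compute | Openstack Compute Service |
+----------------------------------+------------+--------------+--------------------------------+
"""

ENDPOINT_LIST = """
| id | region | publicurl | internalurl | adminurl | service_id |
| 1b5ccdf306484fefadc63d1eeb20de5d | RegionOne | http://127.0.0.1:8774/v3 | http://127.0.0.1:8774/v3 | http://127.0.0.1:8774/v3 | 4bda82ded4db46f68428d4e00247c14c |
| 9006207b29a04700922ee55905a7f445 | RegionOne | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | 1c9e6e4d00824327bfe4e8e7175317e1 |
| e3d9a4fa64bd441ea3fe143b1d72b8a4 | RegionOne | http://192.168.1.201:5000/v2.0 | http://192.168.1.201:5000/v2.0 | http://192.168.1.201:35357/v2.0 | 02ce8247c5924913a73422bcf5275c40 |
"""

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def parse_table(text):
    """Turn the CLI's pipe-delimited table into a list of dicts keyed by the header row."""
    rows, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first pipe row is the header
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit_catalog(service_text, endpoint_text):
    """Join endpoints to services and return (service name, finding) pairs."""
    services = {s["id"]: s for s in parse_table(service_text)}
    findings = []
    for ep in parse_table(endpoint_text):
        svc = services.get(ep["service_id"])
        name = svc["name"] if svc else "orphan"
        if svc is None:
            # A dangling service_id means the catalog entry can never be resolved.
            findings.append((name, "endpoint %s references unknown service_id %s"
                             % (ep["id"], ep["service_id"])))
        for kind in ("publicurl", "internalurl", "adminurl"):
            url = urlparse(ep[kind])
            if url.hostname in LOOPBACK_HOSTS:
                findings.append((name, "%s is bound to loopback (%s); other nodes cannot reach it"
                                 % (kind, ep[kind])))
            if url.scheme != "https":
                findings.append((name, "%s uses plain %s; tokens cross the network unencrypted"
                                 % (kind, url.scheme)))
    return findings


if __name__ == "__main__":
    for service, finding in audit_catalog(SERVICE_LIST, ENDPOINT_LIST):
        print("%-10s %s" % (service, finding))
```

Run against the full output of both commands on a real controller the same way; in this post's catalog every endpoint is http and the novav3 entry is on 127.0.0.1, which the audit reports.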
[root@h1 ~(keystone_admin)]# keystone user-list    ## users
+----------------------------------+------------+---------+----------------------+
| id | name | enabled | email |
| 1627cc3d61c04f9db9608e9703a01371 | admin | True | root@localhost |
| 04247710cdf34914a7f5b315ab166731 | ceilometer | True | ceilometer@localhost |
| cb5e12e30a4a4c1dae57255c184b8b30 | cinder | True | cinder@localhost |
| 632fb20205ea4c40988d7d65b2844ff6 | glance | True | glance@localhost |
| 23c4fb48a5a247d68e50c6b74fb6f035 | http | True | |
| 80069f5c8edc454b8038e7f116df4ff5 | neutron | True | neutron@localhost |
| adbcaaf58d09495988b57be8e82b4e6b | nova | True | nova@localhost |
| 4f488ff4859e4973afefea6e7872ed83 | swift | True | swift@localhost |
[root@h1 ~(keystone_admin)]# keystone user-create --name hequan --pass hequan --email [email protected]
| email | [email protected] |
| enabled | True |
| id | 9d12907283b64b02a80f1e98074a9c84 |
| name | hequan |
| username | hequan |
[root@h1 ~(keystone_admin)]# keystone user-get hequan    ## view the user's details
[root@h1 ~(keystone_admin)]# keystone user-delete hequan
[root@h1 ~(keystone_admin)]# keystone user-password-update --pass hequan1 hequan    ## update the password
[root@h1 ~(keystone_admin)]# keystone user-role-add --user hequan --role _member_ --tenant=http    # assign a role and tenant
[root@h1 ~(keystone_admin)]# keystone tenant-list    ## tenants
+----------------------------------+----------+---------+
| id | name | enabled |
| 43986fb013804aa0a04ca277e4d0e69c | admin | True |
| 1af10fa8077e4b52b3427786bb15e968 | http | True |
| 842da711a1b740ddbf006a9f0a7ee116 | services | True |    ## the built-in services all belong to the services tenant by default
[root@h1 ~(keystone_admin)]# keystone tenant-create --name 123    ### create tenant 123
+-------------+----------------------------------+
| Property | Value |
| description | |
| enabled | True |
| id | c2a2e3aadf614bb08b1fc943157b668e |
| name | 123 |
[root@h1 ~(keystone_admin)]# keystone tenant-delete 123
Configuring and installing Keystone
First, create the database.
Log in to Keystone with the admin token.
Create the service and its endpoint.
Create the users.
Disable token login and log in as admin.
Basic environment
192.168.1.204 h4.hequan.com h4    ## keystone
systemctl stop NetworkManager
systemctl disable NetworkManager
[root@h4 ~]# yum install centos-release-openstack-liberty
[root@h4 ~]# yum install openstack-keystone openstack-utils openstack-selinux -y
[root@h4 ~]# openstack-db --init --service keystone --rootpw 123456 --password keystone
keystone default DB is not mysql. Would you like to reset to mysql now? (y/n): y
mysql-server is not installed. Would you like to install it now? (y/n): y
mysqld is not running. Would you like to start it now? (y/n): y
Verified connectivity to MySQL.
Creating 'keystone' database.
Initializing the keystone database, please wait...
Complete!
[root@h4 ~]# mysql -uroot -p123456
MariaDB [(none)]> show databases;
[root@h4 keystone]# openssl rand -hex 10
73fa731f6fa567630fdd
[root@h4 keystone]# pwd
/etc/keystone
[root@h4 keystone]# vim keystone.conf

admin_token = 73fa731f6fa567630fdd
rabbit_host = localhost
rabbit_port = 5672
rabbit_hosts = $rabbit_host:$rabbit_port
rabbit_use_ssl = false
rabbit_userid = guest
rabbit_password = guest
rabbit_login_method = AMQPLAIN
rabbit_virtual_host = /
connection = mysql://keystone:[email protected]/keystone    ### uses the database username and password set above
Start the service
[root@h4 keystone]# systemctl list-unit-files | grep keyston
openstack-keystone.service disabled
[root@h4 keystone]# systemctl start openstack-keystone.service
[root@h4 keystone]# systemctl enable openstack-keystone.service
At this point there are no users yet, only the admin token.
cat keystone_token    ## create this file
export SERVICE_TOKEN=73fa731f6fa567630fdd
export SERVICE_ENDPOINT=http://192.168.1.204:35357/v2.0
export PS1='[\u@\h \W(keystone_token)]\$ '
source keystone_token
ps aux | grep keystone
keystone 3343 1.5 1.6 321844 68704 ? Ss 20:10 0:05 /usr/bin/python2 /usr/bin/keystone-all
netstat -lntup | grep 35357
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN 3343/python2
keystone service-list
[root@h4 ~]# keystone service-create --name keystone --type identity --description="keystone"
| description | keystone |
| id | e0c6163cb7dd42098225f13a3fa4220e |
| name | keystone |
| type | identity |
[root@h4 ~]# keystone endpoint-create --service-id e0c6163cb7dd42098225f13a3fa4220e --publicurl '' --internalurl '' --adminurl ''
You can copy the URL layout from an existing deployment (the endpoint-list output from h1 above):
[root@h1 ~(keystone_admin)]# keystone service-list
[root@h4 ~]# keystone endpoint-create --service-id e0c6163cb7dd42098225f13a3fa4220e --publicurl 'http://192.168.1.204:5000/v2.0' --internalurl 'http://192.168.1.204:5000/v2.0' --adminurl 'http://192.168.1.204:35357/v2.0'
| adminurl | http://192.168.1.204:35357/v2.0 |
| id | 810e5faef22f44aebd17f55d1808e3c5 |
| internalurl | http://192.168.1.204:5000/v2.0 |
| publicurl | http://192.168.1.204:5000/v2.0 |
| region | regionOne |
| service_id | e0c6163cb7dd42098225f13a3fa4220e |
Create the administrator
[root@h4 ~]# keystone tenant-create --name admin
| id | 3a331dd90062458b8fcc259ce84be0e5 |
| name | admin |
[root@h4 ~]# keystone role-create --name admin
| id | c63ed09a433144108a23a592632e2e08 |
| name | admin |
[root@h4 ~]# keystone user-create --name admin --pass 123456
| email | |
| id | 172b6a61991e4fbeafe9039688eb2afc |
| username | admin |
[root@h4 ~]# keystone user-role-add --user admin --tenant admin --role admin
[root@h4 ~]# cp keystone_token keystone_token_admin
[root@h4 ~(keystone_admin)]# cat keystone_token_admin
unset SERVICE_TOKEN
unset SERVICE_ENDPOINT
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://192.168.1.204:35357/v2.0
export PS1='[\u@\h \W(keystone_admin)]\$ '
[root@h4 ~(keystone_admin)]# keystone user-list    ## if this lists the user, the password login works
+----------------------------------+-------+---------+-------+
| id | name | enabled | email |
| 172b6a61991e4fbeafe9039688eb2afc | admin | True | |
Disable token authentication by commenting out admin_token in keystone.conf:
#admin_token = 73fa731f6fa567630fdd
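The admin token is a single shared secret that grants full administrative access without any user account, which is why the post retires it as soon as the admin user works. The script below is an added example, not code from the original post, covering that last step and the two rc files used earlier: it comments out `admin_token` in a constructed keystone.conf fragment (the token value is the one from the post; the database host and password are placeholders), confirms no active `admin_token` line remains, produces a fresh bootstrap secret the way `openssl rand -hex` does, and classifies an rc file as token-based (`SERVICE_TOKEN`) or password-based (`OS_USERNAME`/`OS_PASSWORD`) so a leftover `SERVICE_TOKEN` in an rc file is caught. All function names are my own.

```python
"""Retire the Keystone bootstrap admin_token and check the rc files.
Added example, not from the original post."""
import re
import secrets

# Constructed keystone.conf fragment; token value from the post, DB host/password are placeholders.
KEYSTONE_CONF = """[DEFAULT]
admin_token = 73fa731f6fa567630fdd
log_dir = /var/log/keystone

[database]
connection = mysql://keystone:DB_PASSWORD_PLACEHOLDER@DB_HOST_PLACEHOLDER/keystone
"""

# The two rc files from the post (raw strings so the PS1 backslashes survive).
KEYSTONE_TOKEN_RC = r"""export SERVICE_TOKEN=73fa731f6fa567630fdd
export SERVICE_ENDPOINT=http://192.168.1.204:35357/v2.0
export PS1='[\u@\h \W(keystone_token)]\$ '
"""

KEYSTONE_ADMIN_RC = r"""unset SERVICE_TOKEN
unset SERVICE_ENDPOINT
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://192.168.1.204:35357/v2.0
export PS1='[\u@\h \W(keystone_admin)]\$ '
"""

# Matches an uncommented admin_token assignment at the start of a line.
ADMIN_TOKEN_RE = re.compile(r"^\s*admin_token\s*=", re.MULTILINE)


def new_bootstrap_token(nbytes=10):
    """Same idea as `openssl rand -hex N`: a random hex secret from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def disable_admin_token(conf_text):
    """Comment out every active admin_token line, as the post does by hand in vim."""
    return ADMIN_TOKEN_RE.sub(lambda m: "#" + m.group(0).lstrip(), conf_text)


def has_active_admin_token(conf_text):
    """True if an uncommented admin_token setting remains, i.e. the bootstrap door is still open."""
    return ADMIN_TOKEN_RE.search(conf_text) is not None


def rc_auth_mode(rc_text):
    """Classify an rc file by the variables it leaves exported after `source`:
    'token' (SERVICE_TOKEN bootstrap), 'password' (OS_USERNAME/OS_PASSWORD),
    'mixed' (both, which should never be the case), or 'none'."""
    exported = {}
    for line in rc_text.splitlines():
        line = line.strip()
        m = re.match(r"export\s+(\w+)=(.*)", line)
        if m:
            exported[m.group(1)] = m.group(2)
            continue
        m = re.match(r"unset\s+(\w+)", line)
        if m:
            exported.pop(m.group(1), None)  # unset drops an earlier export
    token = "SERVICE_TOKEN" in exported
    password = "OS_USERNAME" in exported and "OS_PASSWORD" in exported
    if token and password:
        return "mixed"
    if token:
        return "token"
    if password:
        return "password"
    return "none"


if __name__ == "__main__":
    cleaned = disable_admin_token(KEYSTONE_CONF)
    print("admin_token still active:", has_active_admin_token(cleaned))
    print("keystone_token rc mode:", rc_auth_mode(KEYSTONE_TOKEN_RC))
    print("keystone_token_admin rc mode:", rc_auth_mode(KEYSTONE_ADMIN_RC))
    print("replacement bootstrap secret:", new_bootstrap_token())
```

Running `has_active_admin_token` over the real /etc/keystone/keystone.conf after the edit is the check that the token path is actually closed; the rc-file classifier is useful because the post builds keystone_token_admin by copying keystone_token, so a forgotten `unset SERVICE_TOKEN` would silently keep the token mode alive.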
At this point the installation is complete.
This article is reposted from the 51CTO blog of 295631788; original link: http://blog.51cto.com/hequan/1796108. For reprints, contact the original author.