Keystone is one of the components of OpenStack. It provides a unified authentication service to the other members of the OpenStack family, covering identity verification, token issuance and validation, the service catalog, the definition of user permissions, and so on. Authorization and authentication between all services in the cloud environment go through Keystone, so Keystone is the first service that has to be installed on the cloud platform.

As the foundational supporting service of OpenStack, Keystone does the following things:

- Manages users and their permissions
- Maintains the Endpoints (service endpoints) of the OpenStack Services
- Performs Authentication and Authorization
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBHL0FWby9mZvwVZnFWbp1zczV2YvJHctM3cv1Ce-cXUq5kdFZFZ5pFMWdlWxo1VGtWVvR3aWFFZyIGRx0WW3B3MU1UNtNGSWREVrJVbT9GbuNFVsREVsxGbOpFaHp1U5UVWwp0aZdlSqFFSOdlVI5EVNdFcYpFWWZVVG5ERklnTYlVVah1U6plVlFlRtdFbGVkVqVjMTNTO5pVdCNDW2wWbZRXMywUdO1GTqx2RjhXNpVGcKdlY0lTeMZTTINGMShUYvwlbj5yZtlmbkN3YuQnclZnbvN2Ztl2Lc9CX6MHc0RHaiojIsJye.jpg)
A hotel is like a project: the hotel provides lodging, which is the service; a user is like a guest; an endpoint is like the hotel address the guest asks for when checking in; a role is the guest's status, so a guest who books a luxury suite is a VIP while one who books a standard room is an ordinary guest; credentials are like the ID card presented at check-in; the front desk uses the ID card to obtain the guest's identity information and hand out a room, which corresponds to authentication; the room key card received after check-in is the token, and with that token the guest can open the room door and use the lodging service.
1. Install Keystone

```shell
# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
```

2. Enable Memcached at boot and start it. Edit /etc/sysconfig/memcached so that Memcached listens on the controller address:

```shell
# systemctl enable memcached.service
# vim /etc/sysconfig/memcached
```

```
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 10.0.0.20,::1"
```

```shell
# systemctl start memcached.service
```
3. Configure Keystone

1) Configure the Keystone database. The connection string uses the keystone database user and password on the MariaDB host (10.0.0.20), the same credentials used by the mysql command in step 3):

```shell
# vim /etc/keystone/keystone.conf
```

```
[database]
connection = mysql+pymysql://keystone:keystone@10.0.0.20/keystone
```

2) Set the token provider to fernet:

```
[token]
provider = fernet
```

3) Synchronize the database and confirm that the tables were created:

```shell
# su -s /bin/sh -c "keystone-manage db_sync" keystone
# mysql -h 10.0.0.20 -ukeystone -pkeystone -e "use keystone; show tables;"
```

4) Initialize the fernet keys and the credential keys:

```shell
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```

5) Bootstrap Keystone (this creates the admin user, the admin project and the identity service endpoints):

```shell
# keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://10.0.0.20:35357/v3/ \
  --bootstrap-internal-url http://10.0.0.20:35357/v3/ \
  --bootstrap-public-url http://10.0.0.20:5000/v3/ \
  --bootstrap-region-id RegionOne
```

6) Verify the Keystone configuration; only the two settings changed above should be printed:

```shell
# grep "^[a-z]" /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@10.0.0.20/keystone
provider = fernet
```

7) Start Keystone. Set the ServerName in the Apache configuration, then create the Keystone WSGI configuration by linking the file shipped with the package:

```shell
# vim /etc/httpd/conf/httpd.conf
```

```
ServerName 10.0.0.20:80
```

```shell
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
```
Start Keystone and check the listening ports:

```shell
# systemctl enable httpd.service
# systemctl start httpd.service
```

Set the environment variables:

```shell
# export OS_USERNAME=admin
# export OS_PASSWORD=admin
# export OS_PROJECT_NAME=admin
# export OS_USER_DOMAIN_NAME=Default
# export OS_PROJECT_DOMAIN_NAME=Default
# export OS_AUTH_URL=http://10.0.0.20:35357/v3
# export OS_IDENTITY_API_VERSION=3
```
Create the demo project and the demo user:

```shell
# openstack project create --domain default --description "Demo Project" demo
# openstack user create --domain default --password demo demo
# openstack role create user
# openstack role add --project demo --user demo user
```

Create the service project:

```shell
# openstack project create --domain default --description "Service Project" service
```

Create the glance user:

```shell
# openstack user create --domain default --password glance glance
# openstack role add --project service --user glance admin
```

Create the nova user:

```shell
# openstack user create --domain default --password nova nova
# openstack role add --project service --user nova admin
```

Create the placement user:

```shell
# openstack user create --domain default --password placement placement
# openstack role add --project service --user placement admin
```

Create the neutron user:

```shell
# openstack user create --domain default --password neutron neutron
# openstack role add --project service --user neutron admin
```

Create the cinder user:

```shell
# openstack user create --domain default --password cinder cinder
# openstack role add --project service --user cinder admin
```
Verify Keystone. First unset the variables exported above so that the password is prompted for, then request a token as admin through the admin endpoint and as demo through the public endpoint:

```shell
# unset OS_AUTH_URL OS_PASSWORD
# openstack --os-auth-url http://10.0.0.20:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password:
…
# openstack --os-auth-url http://10.0.0.20:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
Password:
```

The same checks with the credential files sourced:

```shell
# source admin-openstack.sh
# openstack token issue
# source demo-openstack.sh
# openstack token issue
```
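As an added example (not code from the original post), the following script checks the two security-relevant results of the configuration steps above: that keystone.conf really uses fernet tokens with a non-empty database password, and that the fernet key repository created by `keystone-manage fernet_setup` is readable only by its owner. The file paths (Keystone's default key repository is /etc/keystone/fernet-keys) and the expected values are assumptions taken from the configuration shown in this post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity checks for the keystone.conf
# and the fernet key repository produced by the steps above. Paths and expected
# values are assumptions taken from the configuration shown in the post.

# Print the value of KEY in [SECTION] of an INI-style file such as
# /etc/keystone/keystone.conf (first match wins); prints nothing if unset.
ini_get() {
  local file=$1 section=$2 key=$3
  awk -v s="[$section]" -v k="$key" '
    $0 == s                      { in_s = 1; next }
    /^\[/                        { in_s = 0 }
    in_s && $0 ~ "^" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$file"
}

# Return 0 when the file matches the post's settings: [token] provider = fernet
# and a [database] connection of the form mysql+pymysql://user:pass@host/keystone
# whose password part is not empty.
check_keystone_conf() {
  local conf=$1 provider conn
  provider=$(ini_get "$conf" token provider)
  conn=$(ini_get "$conf" database connection)
  [ "$provider" = fernet ] || { echo "token provider is '$provider', expected fernet"; return 1; }
  case $conn in
    mysql+pymysql://*:?*@*/keystone) ;;
    *) echo "database connection is missing or has an empty password"; return 1 ;;
  esac
}

# Return 0 when the key repository created by "keystone-manage fernet_setup"
# looks sane: keys 0 and 1 exist, the directory is mode 700, and no key file is
# readable by other users (a leaked fernet key allows tokens to be forged).
check_fernet_keys() {
  local dir=${1:-/etc/keystone/fernet-keys}
  [ -f "$dir/0" ] && [ -f "$dir/1" ] || { echo "fernet keys 0 and 1 not found in $dir"; return 1; }
  [ -n "$(find "$dir" -maxdepth 0 -perm 700)" ] || { echo "$dir is not mode 700"; return 1; }
  [ -z "$(find "$dir" -type f -perm -004)" ] || { echo "world-readable key file in $dir"; return 1; }
}

# Run the checks against the live node when its configuration is present.
if [ -r /etc/keystone/keystone.conf ]; then
  check_keystone_conf /etc/keystone/keystone.conf && check_fernet_keys && echo "keystone configuration OK"
fi
```

Run it as root on the controller after step 7; a non-zero exit with the printed reason means the corresponding step needs to be repeated.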