Building OpenStack Mitaka on CentOS 7.2 +++ 3. OpenStack Identity Service (keystone)
Source: Internet  Published by: 淘宝产品详情模板  Editor: 程序博客网  Time: 2024/06/05 20:46
3. OpenStack Identity Service (keystone)
Keystone is installed on the controller node.
Log in to SQL, create the keystone database and grant privileges on it:
mysql -uroot -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Explanation:
grant all privileges on <database>.<table> to '<user>'@'<IP address>' identified by '<password>'
grant all privileges on changes a user's remote privileges on the given databases.
database: the name of the database to be accessed remotely; use "*" for all databases.
table: the name of the table in that database to be accessed remotely; use "*" for all tables.
user: the user name being granted remote access.
IP address: the address of the machine allowed to connect remotely; use "%" for any address.
password: the password that user will authenticate with.
Generate a random value to use as the admin token:
[root@compute ~]# openssl rand -hex 10
41d33a2b1ca810fe25f2
Install httpd, mod_wsgi and keystone:
yum install openstack-keystone httpd mod_wsgi
Edit the keystone configuration file:
vi /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 41d33a2b1ca810fe25f2
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
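As an added check (example code written for this edit, not part of the original post or of OpenStack's own tooling), the script below parses a keystone.conf like the one above and reports what should be fixed once bootstrapping is done: the admin_token still present, a non-fernet token provider, or a database connection that does not use the dedicated keystone account. The weak-password list and the 12-character minimum are assumptions of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the keystone.conf fragment written on this page.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = 41d33a2b1ca810fe25f2
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
"""

# Assumed for this example: passwords rejected outright and a minimum
# length. Neither value comes from OpenStack.
WEAK_PASSWORDS = {"123456", "password", "keystone", "admin"}
MIN_DB_PASSWORD_LEN = 12


def audit_keystone_conf(text):
    """Parse a keystone.conf and return a list of findings (empty = clean)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    # admin_token is a bootstrap credential: anyone who reads it has full
    # control through the admin API on port 35357. Once the admin user and
    # admin-openrc work, remove it from keystone.conf (the Mitaka guide also
    # drops admin_token_auth from the pipelines in keystone-paste.ini).
    if cfg.get("DEFAULT", "admin_token", fallback=""):
        findings.append("admin_token still set: remove it after bootstrap")

    # keystone-manage fernet_setup only matters when tokens are fernet.
    if cfg.get("token", "provider", fallback="") != "fernet":
        findings.append("token provider is not fernet")

    url = urlparse(cfg.get("database", "connection", fallback=""))
    password = url.password or ""
    if url.scheme != "mysql+pymysql":
        findings.append("database connection does not use mysql+pymysql")
    if url.username != "keystone":
        findings.append("database user is not the dedicated keystone account")
    if password in WEAK_PASSWORDS or len(password) < MIN_DB_PASSWORD_LEN:
        findings.append("database password is weak")
    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_CONF):
        print("WARN:", finding)
```

Run against the page's own configuration it reports the leftover admin_token and the '123456' database password.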
Sync the database:
su -s /bin/sh -c "keystone-manage db_sync" keystone
Check that the database was synced successfully:
[root@controller ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 184
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

MariaDB [keystone]>
If the tables are present, the sync is OK.
Initialize the Fernet keys:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
Configure the HTTP server
Edit httpd.conf and set ServerName to controller:
vi /etc/httpd/conf/httpd.conf
ServerName controller
Create /etc/httpd/conf.d/wsgi-keystone.conf:
vi /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
Start httpd and enable it at boot:
systemctl enable httpd.service
systemctl start httpd.service
Verify that the ports are open:
[root@controller ~]# ss -ntl | grep -E "5000|35357"
LISTEN     0      128         :::5000                    :::*
LISTEN     0      128         :::35357                   :::*
If httpd fails to start:
Remove the wsgi-keystone.conf file and try starting again. If httpd then starts, the wsgi-keystone.conf file is wrong or the mod_wsgi module was not installed successfully.
If it still does not start, the httpd configuration file itself is wrong.
Configure the authentication token:
export OS_TOKEN=41d33a2b1ca810fe25f2
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the service entity and API endpoints
If they cannot be created, check that the database is OK and that the configured authentication token matches the one in keystone.conf.
Create the keystone service:
openstack service create --name keystone --description "OpenStack Identity" identity
Create the keystone endpoints:
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
Create the domain:
openstack domain create --description "Default Domain" default
Create the admin project and user:
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
Create the admin role:
openstack role create admin
Add the admin role to the admin project and user:
openstack role add --project admin --user admin admin
No output from this command means it succeeded.
Create the demo project and user:
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
Create the demo (user) role:
openstack role create user
Add the user role to the demo project and user:
openstack role add --project demo --user demo user
No output from this command means it succeeded.
Create the service project:
openstack project create --domain default --description "Service Project" service
Verification:
Clear the environment:
unset OS_TOKEN OS_URL
Create the client scripts:
vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

vi demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

As the admin user, request an authentication token:
. admin-openrc
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
+------------+--------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                  |
+------------+--------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:50:34.017639Z                                                                            |
| id         | gAAAAABaDd36Wnp2Eh0EcWxacw7on8IHaxogU4Ybb7bMJSIDfBwnVFharYBNBIJ5_HXci9CUp4OPAPg8OhVu0BfaDNVRDYcHsmAEf- |
|            | 8cy_4DDbGYm8C7g0g6q2hmlj14Zv5kJrdwkA60GnoUjHn3Zpa9X_C7XTrEv9wftHtOhIXRMFE0oM7OO-o                      |
| project_id | af24a3c94886470183c864ef0f161b4c                                                                       |
| user_id    | daf189d8436f4568abf06b741e948f31                                                                       |
+------------+--------------------------------------------------------------------------------------------------------+
As the demo user, request an authentication token:
. demo-openrc
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
+------------+-------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                 |
+------------+-------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:51:25.696343Z                                                                           |
| id         | gAAAAABaDd4tN8sS7WsC3pgAO88nVVNH2-hf7FNgBNQRMxdxywt6leOEY1gc048EWJlU1NsJ7eNkVVY0JQDzD66zmnkLid4Le9Jl- |
|            | gETayiOcSgDtBMcx1W8-2ztj6HjJGfCcnQLipkAZndMPkmG_cN8tFDLaT3PJOIqXrpNeMgKfX2wT9q5ma4                    |
| project_id | 8cc1c04a21ae4165a1667e0bd5029831                                                                      |
| user_id    | f16e48a0a33748f68d99c7e6cdd932a5                                                                      |
+------------+-------------------------------------------------------------------------------------------------------+
Final verification:
. admin-openrc
[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                         |
+------------+---------------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:56:43.997186Z                                                                                   |
| id         | gAAAAABaDd9st5Qxb14yzoIzsEq8ml9bYSeB5NUpeTszd6KdbMtZ_zVXhmqzm5jxisBfqMKiwAbbY8h1T-wSB9kf9Swa-XOAL8uFGniW8-wc- |
|            | MJRjHAQF8Qg_F8af_x7cstnTg8Qm3C4s_WlzcDP2o5UQR9mkoloI0Z-0Kx7NJO0T2rGWcXuUuQ                                    |
| project_id | af24a3c94886470183c864ef0f161b4c                                                                              |
| user_id    | daf189d8436f4568abf06b741e948f31                                                                              |
+------------+---------------------------------------------------------------------------------------------------------------+
Note:
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-97aadec8-34a0-4076-a613-c4e23dee0752)
HTTP 500: a database error, the tables are missing (db_sync did not run).
HTTP 401: probably a wrong token.