OpenStack Cluster Deployment: the Keystone Cluster

Overview

Keystone (the OpenStack Identity Service) is the OpenStack component that manages authentication, service access rules and service tokens. A user who accesses a resource must have identity and permissions verified, and a service that performs an operation must also pass a permission check; both go through Keystone. Keystone works like a service bus, or rather the registry of the whole OpenStack framework: every OpenStack service registers its endpoint (the URL at which it is reached) with Keystone, and any call from one service to another first authenticates against Keystone, obtains the target service's endpoint from the catalog, and only then makes the call.

Keystone's main functions are:

managing users and their permissions;
maintaining the endpoints of the OpenStack services;
authentication and authorization.

Installation

Create the keystone database

# Create the database on any one controller node; it replicates to the other nodes automatically. controller01 is used as the example.
[root@controller01 ~]# mysql -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.2.29-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> exit;
Bye

The password 123456 is a placeholder used throughout this page; in any real deployment give the keystone database account its own strong secret, since the same value is written in clear text into keystone.conf below.

Install keystone

# Install keystone on all controller nodes; controller01 is used as the example.
[root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y

Configuration

Apply on all controller nodes
[root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller01:11211,controller02:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]



Only the [cache] (memcached) and [database] (MySQL) settings change in the config file; everything else stays at the package defaults. Two things to watch: the [database] connection string names controller01 alone, so Keystone on every node depends on that one database host, and in a cluster it should point at the database's highly available address (a VIP or HAProxy frontend) instead. The file also carries the database password in clear text, so keep it readable only by root and the keystone group (the package installs it as 640 root:keystone).

Synchronize the keystone database

# Run on any one controller node
[root@controller02 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller02 ~]# mysql -h controller01 -ukeystone -p123456 -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+

Initialize the Fernet keys

# Run on one controller node only, then copy the keys to the others. fernet_setup and
# credential_setup generate random keys, so running them on every node separately would leave
# each node with different keys and a token issued by one node would be rejected by the next.
# The same applies to every later keystone-manage fernet_rotate: rotate on one node and distribute.
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@192.168.182.132:/etc/keystone/
root@192.168.182.132's password:
1 100% 44 32.3KB/s 00:00
0 100% 44 31.0KB/s 00:00
1 100% 44 30.7KB/s 00:00
0 100% 44 34.6KB/s 00:00

# After the copy, fix ownership of the keys on controller02: scp as root leaves them owned by
# root, and the keystone user that Keystone runs as cannot read them.
[root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
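What the copy step has to get right, shown on throw-away directories. This is an added example, not code from the page or from Keystone: it checks a fernet key directory for the layout, mode and ownership Keystone expects, fingerprints it so two controllers can be compared, and replays the bookkeeping of `keystone-manage fernet_rotate` to show why a rotation on one node without a re-copy breaks the other. The "node" directories are temporary; nothing touches /etc/keystone.

```shell
#!/bin/sh
# Added example, not part of the original page. Keystone stores fernet keys as files in one
# directory: "0" is the staged key, the highest index is the primary key that signs new tokens,
# and the rest are secondary keys that still validate older tokens. Every controller must hold
# the same set, mode 700 on the directory and 600 on the files, owned by keystone; otherwise a
# token issued on one node is rejected by the next. The functions below check a key directory,
# fingerprint it so nodes can be compared, and replay the bookkeeping of
# `keystone-manage fernet_rotate` on throw-away directories (never on /etc/keystone itself).

# mode_go PATH : group+other part of the mode string; "------" means nobody but the owner
mode_go() { ls -ld "$1" | cut -c5-10; }

# fernet_new_key DIR INDEX : 32 random bytes, urlsafe base64, 44 bytes and no newline, as keystone writes them
fernet_new_key() {
    (umask 077; dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n' | tr '+/' '-_' > "$1/$2")
}

# fernet_primary DIR : index of the primary (highest-numbered) key
fernet_primary() { ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1; }

# fernet_dir_check DIR [OWNER] : one line per finding, returns 0 only when the directory is sane
fernet_dir_check() {
    d=$1; owner=$2; rc=0
    [ "$(mode_go "$d")" = "------" ] || { echo "FAIL $d is not mode 700"; rc=1; }
    [ -f "$d/0" ] || { echo "FAIL $d has no staged key 0"; rc=1; }
    for k in "$d"/*; do
        n=${k##*/}
        case "$n" in *[!0-9]*) echo "FAIL unexpected file $n in $d"; rc=1; continue ;; esac
        [ "$(mode_go "$k")" = "------" ] || { echo "FAIL $k is not mode 600"; rc=1; }
        [ "$(wc -c < "$k" | tr -d ' ')" -eq 44 ] || { echo "FAIL $k is not a 44-byte fernet key"; rc=1; }
        if [ -n "$owner" ] && [ "$(ls -l "$k" | awk '{print $3}')" != "$owner" ]; then
            echo "FAIL $k is not owned by $owner (run: chown -R $owner:$owner $d)"; rc=1
        fi
    done
    p=$(fernet_primary "$d")
    [ -n "$p" ] && [ "$p" -ge 1 ] || { echo "FAIL $d has no primary key (index >= 1)"; rc=1; }
    return $rc
}

# fernet_fingerprint DIR : one hash over "index:key" for every key; equal on nodes that are in sync
fernet_fingerprint() {
    ( cd "$1" && for k in $(ls | grep -E '^[0-9]+$' | sort -n); do printf '%s:' "$k"; cat "$k"; echo; done ) |
        sha256sum | cut -d' ' -f1
}

# fernet_rotate_sim DIR [MAX_ACTIVE] : the bookkeeping fernet_rotate does with max_active_keys=MAX_ACTIVE
fernet_rotate_sim() {
    d=$1; max=${2:-3}
    new=$(( $(fernet_primary "$d") + 1 ))
    mv "$d/0" "$d/$new"                                       # staged key becomes the new primary
    fernet_new_key "$d" 0                                     # fresh staged key
    while [ "$(ls "$d" | wc -l | tr -d ' ')" -gt "$max" ]; do # retire the oldest secondary
        rm "$d/$(ls "$d" | grep -E '^[1-9][0-9]*$' | sort -n | head -n 1)"
    done
}

# --- demo on two throw-away "nodes" ---
node1=$(mktemp -d); node2=$(mktemp -d); chmod 700 "$node1" "$node2"
me=$(ls -ld "$node1" | awk '{print $3}')                  # stands in for the keystone user
fernet_new_key "$node1" 0; fernet_new_key "$node1" 1     # what fernet_setup leaves behind
cp -p "$node1"/* "$node2"/                                # the scp step of this section
fernet_dir_check "$node1" "$me" && echo "node1 OK, primary key $(fernet_primary "$node1")"
[ "$(fernet_fingerprint "$node1")" = "$(fernet_fingerprint "$node2")" ] && echo "node2 in sync"

chmod 644 "$node2/1"                                      # the kind of slip the chown step guards against
fernet_dir_check "$node2" "$me" || echo "node2 needs chmod 600"
chmod 600 "$node2/1"

fernet_rotate_sim "$node1"                                # rotated on one node only ...
[ "$(fernet_fingerprint "$node1")" = "$(fernet_fingerprint "$node2")" ] ||
    echo "node2 OUT OF SYNC: tokens signed with key $(fernet_primary "$node1") fail there until the keys are copied again"
```

On real controllers, `fernet_dir_check /etc/keystone/fernet-keys keystone` (and the same for credential-keys) is the check to run after every scp, and comparing `fernet_fingerprint` output between controller01 and controller02 is the quickest way to confirm a rotation was distributed.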

Configure httpd.conf

# Apply on all controller nodes; each node binds httpd to its own management address
[root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller01 ~]# sed -i "s/Listen\ 80/Listen\ 192.168.182.131:80/g" /etc/httpd/conf/httpd.conf

[root@controller02 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller02 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller02 ~]# sed -i "s/Listen\ 80/Listen\ 192.168.182.132:80/g" /etc/httpd/conf/httpd.conf

Configure wsgi-keystone.conf

# Apply on all controller nodes; the Keystone vhost on port 5000 is bound to each node's own address
[root@controller01 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller01 ~]# sed -i "s/Listen\ 5000/Listen\ 192.168.182.131:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:5000/192.168.182.131:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

[root@controller02 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller02 ~]# sed -i "s/Listen\ 5000/Listen\ 192.168.182.132:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller02 ~]# sed -i "s/*:5000/192.168.182.132:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

Bootstrap the identity service

# Run on any one node. The bootstrap password becomes the password of the admin user in the
# Default domain, and the three URLs are what gets registered in the service catalog for the
# identity service. Here they all name controller01, so every client will be sent to that node;
# in a cluster they should name the load-balanced address that fronts all controllers.
keystone-manage bootstrap --bootstrap-password 123456 \
--bootstrap-admin-url http://controller01:5000/v3/ \
--bootstrap-internal-url http://controller01:5000/v3/ \
--bootstrap-public-url http://controller01:5000/v3/ \
--bootstrap-region-id RegionOne

Start

# Run on all controller nodes; controller01 is used as the example
[root@controller01 ~]# systemctl enable httpd.service
[root@controller01 ~]# systemctl restart httpd.service
[root@controller01 ~]# systemctl status httpd.service

Create a domain, projects, users and roles

domain

#domain
[root@controller01 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+

# To create a new domain:
[root@controller01 conf.d]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 6e77b351784b479b8fba509ac96a7648 |
| name | example |
| tags | [] |
+-------------+----------------------------------+
[root@controller01 conf.d]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 6e77b351784b479b8fba509ac96a7648 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+

projects

# A project belongs to a domain;
# create the demo project in the "default" domain as an example.
[root@controller01 conf.d]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | ceb19536c29f4e2094c1a729e7121b50 |
| is_domain | False |
| name | demo |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+

users

# A user belongs to a domain;
# create the demo user in the "default" domain as an example.
# A password given with --password ends up in the shell history; --password-prompt reads it interactively instead.
[root@controller01 conf.d]# openstack user create --domain default --password=123456 demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4e1b497157304132baf57bdb054aa251 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

roles

# Create a role for ordinary users (as distinct from admin)
[root@controller01 conf.d]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 2f37516c3592405eb0c55736560d8419 |
| name | user |
+-----------+----------------------------------+
# Grant the user role to the demo user on the demo project
[root@controller01 conf.d]# openstack role add --project demo --user demo user

# Check the result: admin holds the admin role on the admin project and on the whole system ("all"), demo holds only the user role on the demo project
[root@controller01 conf.d]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4e1b497157304132baf57bdb054aa251 | demo |
| 9a997ebdd0244ce1ab07c970f5941e5a | admin |
+----------------------------------+-------+
[root@controller01 conf.d]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 2f37516c3592405eb0c55736560d8419 | user |
| 2f915bf9da734edda88c55f59bd49c56 | member |
| 7f26aba8e14842b184a8e5b3d63f566b | admin |
| ff1613d93721433582e10d320fb2f468 | reader |
+----------------------------------+--------+
[root@controller01 conf.d]# openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 2f37516c3592405eb0c55736560d8419 | 4e1b497157304132baf57bdb054aa251 | | ceb19536c29f4e2094c1a729e7121b50 | | | False |
| 7f26aba8e14842b184a8e5b3d63f566b | 9a997ebdd0244ce1ab07c970f5941e5a | | a1f6ca90da2f4562b9c1388a95f3bd00 | | | False |
| 7f26aba8e14842b184a8e5b3d63f566b | 9a997ebdd0244ce1ab07c970f5941e5a | | | | all | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

OpenStack client environment variable scripts

admin-openrc

[root@controller01 ~]# cat admin-openrc 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller01 ~]# chmod u+x admin-openrc

The file holds the admin password in clear text and is sourced rather than executed, so the execute bit adds nothing; what matters is that nobody else can read it (chmod 600 admin-openrc). Note also that OS_AUTH_URL is plain http, so the password crosses the management network unencrypted on every login.
[root@controller01 ~]# source admin-openrc 
[root@controller01 ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 6e77b351784b479b8fba509ac96a7648 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
[root@controller01 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-25T10:05:48+0000 |
| id | gAAAAABd25lsHXz8Evv_EIWYXweY-I8c67ZKz4W9ztKO9P75edhiHw5kVGE2vIKZWdjUz2jhUms7mHHXGGlYfFAmPh6Kin0a2mWvAg36jd9OzkQxP_vVgn-e_G2--IrEdkF6jyLrcBdT-mu57tcqcXKXc5kk0JaxV33fGZhk_xAS0FxXffsWErc |
| project_id | a1f6ca90da2f4562b9c1388a95f3bd00 |
| user_id | 9a997ebdd0244ce1ab07c970f5941e5a |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

demo-openrc

[root@controller01 ~]# cat demo-openrc 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[root@controller01 ~]# chmod u+x demo-openrc

[root@controller01 ~]# source demo-openrc
[root@controller01 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-25T10:06:48+0000 |
| id | gAAAAABd25moqldgU1V3KGU3sfAMs9atlKOWXaVTzP3HlSXAfXT0hlYE-AHsEoXiR4lE1ShSTrppHv8c1BmKsvwaLkStDbM7sECHTcZrTCt4AFooGVQUzsjW6rccG6FsiplJeNN0p5rK19EzmRIiaSWYs-zMLds3nfDerYdQZxBZki4ys1hIIjs |
| project_id | ceb19536c29f4e2094c1a729e7121b50 |
| user_id | 4e1b497157304132baf57bdb054aa251 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
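Three checks a practitioner wants around these openrc files and the tokens they produce, as an added example that is not code from the page: a permission check for the openrc file, the JSON body the client actually POSTs to /v3/auth/tokens for the exported OS_* variables, and a decoder for the issue time that every fernet token carries unencrypted in its first bytes. The openrc written below is constructed to match the page; the two tokens are the ones printed above, and decoding them shows each was issued exactly one hour before its "expires" value, the default token lifetime. The curl line is shown but not executed here.

```shell
#!/bin/sh
# Added example, not part of the original page.
#   openrc_check FILE      : the file carries OS_PASSWORD in clear text, so it needs mode 600
#                            (it is sourced, so the page's chmod u+x changes nothing useful)
#   v3_auth_body           : the JSON the client POSTs to $OS_AUTH_URL/auth/tokens for the
#                            exported OS_* variables; Keystone returns the token in the
#                            X-Subject-Token response header
#   fernet_issued_at TOKEN : the issue time a fernet token carries unencrypted in its first
#                            bytes (version byte 0x80, then a 64-bit big-endian Unix time)
# The openrc written below is constructed to match the page; the tokens are the ones the page prints.

openrc_check() {
    f=$1; rc=0
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] ||
        { echo "FAIL $f is readable by group/other; run: chmod 600 $f"; rc=1; }
    case "$(sed -n 's/^export OS_AUTH_URL=//p' "$f")" in
        https://*) ;;
        *) echo "WARN OS_AUTH_URL is plain http: the password is sent to Keystone unencrypted" ;;
    esac
    return $rc
}

# project-scoped password authentication request; values are not JSON-escaped, which is fine
# for the names on this page
v3_auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}\n' \
        "$OS_USERNAME" "$OS_USER_DOMAIN_NAME" "$OS_PASSWORD" "$OS_PROJECT_NAME" "$OS_PROJECT_DOMAIN_NAME"
}

# prints the Unix time the token was issued, or returns 1 if it does not look like a fernet token
fernet_issued_at() {
    # the first 12 urlsafe-base64 characters are the first 9 bytes: version + 8-byte timestamp
    hex=$(printf '%s' "$1" | cut -c1-12 | tr '_-' '/+' | base64 -d | od -An -tx1 | tr -d ' \n')
    [ "$(printf '%s' "$hex" | cut -c1-2)" = "80" ] || return 1
    ts=$(printf '%s' "$hex" | cut -c3-18)
    echo $(( 0x$ts ))
}

# --- demo ---
dir=$(mktemp -d)
cat > "$dir/demo-openrc" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
chmod 744 "$dir/demo-openrc"                     # what the page's chmod u+x leaves on a 644 file
openrc_check "$dir/demo-openrc" || echo "fix: chmod 600 $dir/demo-openrc"
chmod 600 "$dir/demo-openrc"
. "$dir/demo-openrc"
v3_auth_body
# against a live cloud (not run here), the token comes back as a response header:
#   curl -si -H 'Content-Type: application/json' -d "$(v3_auth_body)" "$OS_AUTH_URL/auth/tokens" | grep -i '^x-subject-token'

ADMIN_TOKEN=gAAAAABd25lsHXz8Evv_EIWYXweY-I8c67ZKz4W9ztKO9P75edhiHw5kVGE2vIKZWdjUz2jhUms7mHHXGGlYfFAmPh6Kin0a2mWvAg36jd9OzkQxP_vVgn-e_G2--IrEdkF6jyLrcBdT-mu57tcqcXKXc5kk0JaxV33fGZhk_xAS0FxXffsWErc
DEMO_TOKEN=gAAAAABd25moqldgU1V3KGU3sfAMs9atlKOWXaVTzP3HlSXAfXT0hlYE-AHsEoXiR4lE1ShSTrppHv8c1BmKsvwaLkStDbM7sECHTcZrTCt4AFooGVQUzsjW6rccG6FsiplJeNN0p5rK19EzmRIiaSWYs-zMLds3nfDerYdQZxBZki4ys1hIIjs
echo "admin token issued at $(fernet_issued_at "$ADMIN_TOKEN")"   # 1574672748 = 2019-11-25T09:05:48Z
echo "demo  token issued at $(fernet_issued_at "$DEMO_TOKEN")"    # 1574672808, 60 s later
```

The token id is the credential itself: anyone who reads it from a log or a pasted table output can use it until it expires, and its issue time is readable without the fernet key, so treat `openstack token issue` output like a password and keep it out of tickets and pastes.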