在CentOS 6.6上安装多节点OpenStack ( part2 of 6 )

cheng029 · 发表于 2015-7-14 15:55:07

三、配置认证服务

0、OpenStack认证服务提供以下功能：

用户管理：管理用户和用户的权限、跟踪用户行为。

服务编目：提供OpenStack服务目录，包括服务项和API Endpoints。

OpenStack使用Keystone提供认证服务，只需要在控制节点（controller node）上配置认证服务，其他节点的OpenStack服务只需要在控制节点的认证服务上注册即可。

1、安装认证服务

（1）安装keystone和python-keystoneclient

[iyunv@controller ~]# yum install openstack-keystone python-keystoneclient

（2）配置数据库连接

认证服务使用数据库来存储信息，需要在keystone的配置文件中指定数据库的位置。这里将使用控制节点上的MySQL数据库，数据库用户名为keystone，密码为123456。

[iyunv@controller ~]# openstack-config --set /etc/keystone/keystone.conf databaseconnection mysql://keystone:123456@controller/keystone

（3）创建数据库用户keystone，密码为123456。

[iyunv@controller ~]# mysql -u root -p

Enter password: # 输入MySQL的root用户的密码123456。

mysql> CREATE DATABASEkeystone;

mysql> GRANT ALLPRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';

mysql> GRANT ALLPRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';

mysql> exit

（4）为认证服务创建数据库表

[iyunv@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

（5）定义一个授权令牌作为共享密钥，该共享密钥将在认证服务与OpenStack其他服务之间的交流中使用。使用openssl创建一个随机令牌，并把它存储在配置文件中。

[iyunv@controller ~]# ADMIN_TOKEN=$(openssl rand -hex 10)

[iyunv@controller ~]# echo $ADMIN_TOKEN

1d15ab04f8e9d1c74fab # openssl产生的随机令牌，后面会用到！

我的实验是65a909e47b3b8a9275c6

[iyunv@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULTadmin_token $ADMIN_TOKEN

（6）Keystone默认使用PKI令牌，需要创建签名密钥和数字证书并限制权限。

[iyunv@controller ~]# keystone-manage pki_setup --keystone-user keystone--keystone-group keystone

Generating RSA private key, 2048 bit longmodulus

.....................................+++

..................................................+++

e is 65537 (0x10001)

Generating RSA private key, 2048 bit longmodulus

..................+++

..................................................................+++

e is 65537 (0x10001)

Using configuration from/etc/keystone/ssl/certs/openssl.conf

Check that the request matches thesignature

Signature ok

The Subject's Distinguished Name is asfollows

countryName :PRINTABLE:'US'

stateOrProvinceName :ASN.1 12:'Unset'

localityName :ASN.1 12:'Unset'

organizationName :ASN.1 12:'Unset'

commonName :ASN.1 12:'www.example.com'

Certificate is to be certified until Mar 2901:34:56 2025 GMT (3650 days)

Write out database with 1 new entries

Data Base Updated

[iyunv@controller ~]# chown -R keystone:keystone /etc/keystone/ssl

[iyunv@controller ~]# chmod -R o-rwx /etc/keystone/ssl

（7）启动认证服务并将其配置为开机自动启动。

[iyunv@controller ~]# service openstack-keystone start

Starting keystone: [ OK ]

[iyunv@controller ~]# chkconfig openstack-keystone on

（8）（可选）创建计划任务，定期清空过期的令牌。

[iyunv@controller ~]# (crontab -l -u keystone 2>&1 | grep -q token_flush) ||echo '@hourly /usr/bin/keystone-manage token_flush>/var/log/keystone/keystone-tokenflush.log 2>&1' >>/var/spool/cron/keystone

检查计划任务配置：

[iyunv@controller ~]# crontab -l -u keystone

@hourly /usr/bin/keystone-managetoken_flush >/var/log/keystone/keystone-tokenflush.log 2>&1

2、创建管理用户admin

（1）配置环境变量

[iyunv@controller ~]#export OS_SERVICE_TOKEN=1d15ab04f8e9d1c74fab

1d15ab04f8e9d1c74fab是前面openssl rand -hex 10产生的随机令牌。

[iyunv@controller ~]# exportOS_SERVICE_ENDPOINT=http://controller:35357/v2.0

（2）创建管理用户admin，密码为123456，邮箱为admin@localhost。

[iyunv@controller ~]# keystone user-create--name=admin --pass=123456 --email=admin@localhost

（3）创建角色admin

[iyunv@controller ~]# keystone role-create--name=admin

（4）创建租户admin

[iyunv@controller ~]# keystone tenant-create--name=admin --description="Admin Tenant"

（5）将admin用户、admin角色和admin租户关联起来。

[iyunv@controller ~]# keystone user-role-add--user=admin --tenant=admin --role=admin

（6）将admin用户、_member_角色和admin租户关联起来。

[iyunv@controller ~]# keystone user-role-add--user=admin --role=_member_ --tenant=admin

3、创建普通用户demo

（1）创建普通用户demo，密码为123456，邮箱为demo@localhost。

[iyunv@controller ~]# keystone user-create--name=demo --pass=123456 --email=demo@localhost

（2）创建租户demo

[iyunv@controller ~]# keystone tenant-create--name=demo --description="Demo Tenant"

（3）将demo用户、_member_角色和demo租户关联起来。

[iyunv@controller ~]# keystone user-role-add--user=demo --role=_member_ --tenant=demo

4、创建租户service

[iyunv@controller ~]# keystone tenant-create--name=service --description="Service Tenant"

该租户将在安装和配置其他OpenStack服务时使用。

5、定义服务和API endpoints

（1）创建认证服务的服务入口

[iyunv@controller ~]# keystoneservice-create --name=keystone --type=identity --description="OpenStackIdentity"

（2）为认证服务指定API endpoint

[iyunv@controller ~]# keystoneendpoint-create --service-id=$(keystone service-list | awk '/ identity / {print$2}') --publicurl=http://controller:5000/v2.0--internalurl=http://controller:5000/v2.0--adminurl=http://controller:35357/v2.0

6、验证认证服务的安装

（1）清除环境变量OS_SERVICE_TOKEN和OS_SERVICE_ENDPOINT

[iyunv@controller ~]# unset OS_SERVICE_TOKENOS_SERVICE_ENDPOINT

（2）使用admin用户（密码为123456）请求一个认证令牌。

[iyunv@controller ~]# keystone--os-username=admin --os-password=123456--os-auth-url=http://controller:35357/v2.0 token-get

+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Property | Value |

+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2015-04-01T03:46:32Z |

| id |MIIC8QYJKoZIhvcNAQcCoIIC4jCCAt4CAQExCTAHBgUrDgMCGjCCAUcGCSqGSIb3DQEHAaCCATgEggE0eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxNS0wNC0wMVQwMjo0NjozMi43MDU5MjEiLCAiZXhwaXJlcyI6ICIyMDE1LTA0LTAxVDAzOjQ2OjMyWiIsICJpZCI6ICJwbGFjZWhvbGRlciJ9LCAic2VydmljZUNhdGFsb2ciOiBbXSwgInVzZXIiOiB7InVzZXJuYW1lIjogImFkbWluIiwgInJvbGVzX2xpbmtzIjogW10sICJpZCI6ICJmMjFkNjUwZDRhYmQ0NjZlYmExMGNkMjY2MGNlYTQwMiIsICJyb2xlcyI6IFtdLCAibmFtZSI6ICJhZG1pbiJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogW119fX0xggGBMIIBfQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAFfD-NloRGKKBZ+Pg8BNzadlgNSIEtWNshFjnr+bdk7b5287FqZrfq2kIZWq4xgunI6z3lDCdPfqSN78AY7eDRM4mjAsKPUyobxX52FKoWQGbkTSLCMvKnP4mXMUGavvWkFNNVhvsMV50h5a5RDu-Rh5v83WiJBqpfCmWk2qS3du32vAT9XLunkJqQInbur+eymNcpRQaNhdsj5PKI9t0P7p4NoZ-9O5lrolTNgHs7ntmYCOAnemDb0nrpABs7btt4uuq5NXqxb8k3dlSJzux30MNb6svqwBvfLoBPkuFZJiaceFJkYasJOIUL7XyP1baSN-h-ihg8LBlpLfO8y7+CA==|

| user_id | f21d650d4abd466eba10cd2660cea402 |

+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

（3）为租户请求授权，验证授权行为。（admin用户的密码为123456。）

[iyunv@controller ~]# keystone--os-username=admin --os-password=123456 --os-tenant-name=admin--os-auth-url=http://controller:35357/v2.0 token-get

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Property | Value |

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2015-04-01T03:50:14Z |

| id |MIIE7AYJKoZIhvcNAQcCoIIE3TCCBNkCAQExCTAHBgUrDgMCGjCCA0IGCSqGSIb3DQEHAaCCAzMEggMveyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxNS0wNC0wMVQwMjo1MDoxNC4zMjI5MDUiLCAiZXhwaXJlcyI6ICIyMDE1LTA0LTAxVDAzOjUwOjE0WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogIkFkbWluIFRlbmFudCIsICJlbmFibGVkIjogdHJ1ZSwgImlkIjogIjAxZDRhNzg3Y2ZiMzRkZjJiZTVmZjI5YWIwYjE4MWUzIiwgIm5hbWUiOiAiYWRtaW4ifX0sICJzZXJ2aWNlQ2F0YWxvZyI6IFt7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly9jb250cm9sbGVyOjM1MzU3L3YyLjAiLCAicmVnaW9uIjogInJlZ2lvbk9uZSIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vY29udHJvbGxlcjo1MDAwL3YyLjAiLCAiaWQiOiAiODA1ZWI2OGE2MDdmNDA1OWE2NzE0ZmE5MDg3ZGQyMmYiLCAicHVibGljVVJMIjogImh0dHA6Ly9jb250cm9sbGVyOjUwMDAvdjIuMCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpZGVudGl0eSIsICJuYW1lIjogImtleXN0b25lIn1dLCAidXNlciI6IHsidXNlcm5hbWUiOiAiYWRtaW4iLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogImYyMWQ2NTBkNGFiZDQ2NmViYTEwY2QyNjYwY2VhNDAyIiwgInJvbGVzIjogW3sibmFtZSI6ICJfbWVtYmVyXyJ9LCB7Im5hbWUiOiAiYWRtaW4ifV0sICJuYW1lIjogImFkbWluIn0sICJtZXRhZGF0YSI6IHsiaXNfYWRtaW4iOiAwLCAicm9sZXMiOiBbIjlmZTJmZjllZTQzODRiMTg5NGE5MDg3OGQzZTkyYmFiIiwgImU4M2EwZDJhYjkzZjRjZDU4ZDNmZWUxMGJhNzQ0MTM5Il19fX0xggGBMIIBfQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAVFNmuWzTbuCzdGOb9EFyfgt+ozCcIAhZ1QTtg5piGKI3HW5SEl4jqxbBCVg+Gx2lDe19YZPB3glTdYv42MTDrupKucEqXY50j9MRr2wapOH0B9VcA6hdLUQrQ0mmrFt0K80yd90cHkX7JVzwn2lGdFBCMHhZtyPnn+PhPa0ztz6elqs2jV+K4J0MpPkfWyZ-T6b82AARcJplqkBsCNb8BJn5NSWoYsiEBXs5iooFmTTUDw7TfZRAox0q+ZtXg8383oCfrzucLb89K88ngWPO4DYcTi5gc+8BJ-c+XNavaAecdltfiuTlbxOdbMSQ62EmLVVUa1JbxZhpqC5sEFfdZg==|

| tenant_id | 01d4a787cfb34df2be5ff29ab0b181e3 |

| user_id | f21d650d4abd466eba10cd2660cea402 |

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

（4）创建OpenStack RC文件，该文件用来设置环境变量。（admin用户的密码为123456。）

[iyunv@controller ~]# vi admin-openrc.sh

export OS_USERNAME=admin

export OS_PASSWORD=123456

export OS_TENANT_NAME=admin

export OS_AUTH_URL=http://controller:35357/v2.0

（5）使环境变量生效

[iyunv@controller ~]# source admin-openrc.sh

（6）验证环境变量

[iyunv@controller ~]# keystone token-get

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Property | Value |

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2015-04-01T03:56:13Z |

| id |MIIE7AYJKoZIhvcNAQcCoIIE3TCCBNkCAQExCTAHBgUrDgMCGjCCA0IGCSqGSIb3DQEHAaCCAzMEggMveyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxNS0wNC0wMVQwMjo1NjoxMy41OTQ4MzgiLCAiZXhwaXJlcyI6ICIyMDE1LTA0LTAxVDAzOjU2OjEzWiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogIkFkbWluIFRlbmFudCIsICJlbmFibGVkIjogdHJ1ZSwgImlkIjogIjAxZDRhNzg3Y2ZiMzRkZjJiZTVmZjI5YWIwYjE4MWUzIiwgIm5hbWUiOiAiYWRtaW4ifX0sICJzZXJ2aWNlQ2F0YWxvZyI6IFt7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly9jb250cm9sbGVyOjM1MzU3L3YyLjAiLCAicmVnaW9uIjogInJlZ2lvbk9uZSIsICJpbnRlcm5hbFVSTCI6ICJodHRwOi8vY29udHJvbGxlcjo1MDAwL3YyLjAiLCAiaWQiOiAiODA1ZWI2OGE2MDdmNDA1OWE2NzE0ZmE5MDg3ZGQyMmYiLCAicHVibGljVVJMIjogImh0dHA6Ly9jb250cm9sbGVyOjUwMDAvdjIuMCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpZGVudGl0eSIsICJuYW1lIjogImtleXN0b25lIn1dLCAidXNlciI6IHsidXNlcm5hbWUiOiAiYWRtaW4iLCAicm9sZXNfbGlua3MiOiBbXSwgImlkIjogImYyMWQ2NTBkNGFiZDQ2NmViYTEwY2QyNjYwY2VhNDAyIiwgInJvbGVzIjogW3sibmFtZSI6ICJfbWVtYmVyXyJ9LCB7Im5hbWUiOiAiYWRtaW4ifV0sICJuYW1lIjogImFkbWluIn0sICJtZXRhZGF0YSI6IHsiaXNfYWRtaW4iOiAwLCAicm9sZXMiOiBbIjlmZTJmZjllZTQzODRiMTg5NGE5MDg3OGQzZTkyYmFiIiwgImU4M2EwZDJhYjkzZjRjZDU4ZDNmZWUxMGJhNzQ0MTM5Il19fX0xggGBMIIBfQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAO+jGt8xXCoEBeSzJPrFh9kVNCNWbJtpfODjHUaPnrGCb15VsaxJD1zhAvQaOvZWvRzskUh8osa5CZYZG4yrQiiX14L3LF8mKiYl1CiDSgw6JwJbM8FRqbDlTIRlGybfwn-QG1jNplKPknZnRGBWleNYFErFwcBez3pWWNhQmfR1xXIsSF8VNByMYDQo-ozb-TwWJT45uEH97UDv89ODd8wl18XFYGQjWygB45QOEfwY6ziZsnDdB9urgFk80Y-yVXrddXNde4DXDsTZHdelBV4hybyv3iTQI0MNwcOurAmA6IE2KJYj70x-j9p+uGZbZJCNi8MdFKamNfYx3HvER7A==|

| tenant_id | 01d4a787cfb34df2be5ff29ab0b181e3 |

| user_id | f21d650d4abd466eba10cd2660cea402 |

+-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

（7）验证admin用户是否有权执行管理命令

[iyunv@controller ~]# keystone user-list

[iyunv@controller ~]# keystoneuser-role-list --user admin --tenant admin

账号		自动登录	找回密码
密码			立即注册

VMware vcenter+vSphere 6.5 U2共享

【跟谁学】韩宇极简英语课-技术人员不得不

用Zabbix通过JMX方式监控weblogic

winhex数据恢复教程（非常巨大，内容丰富）

Symantec Backup Exec 2015 2016/2012 BE20

NetScaler VPX部署之：NetScaler Gateway调

zabbix3.4.1安装部署+微信推送信息+大屏显

[经验分享] 在CentOS 6.6上安装多节点OpenStack ( part2 of 6 )

扫码加入运维网微信交流群