OpenStack administration 28 - deploying OpenStack via RPM [keystone]

Notes

1 keystone stores its data in mariadb
2 keystone mainly provides authentication for components such as nova, neutron and cinder
3 keystone itself manages key information such as users, tenants, services and endpoints

Installation

yum install -y openstack-keystone.noarch openstack-keystone-doc.noarch python-keystone.noarch python-keystoneclient.noarch python-keystoneclient-doc.noarch python-keyring openstack-utils

Configuration

Configure the admin token directly

# SERVICE_TOKEN=1wef2djdf98324jkl
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN

Force-refresh tokens and delete old tokens

# keystone-manage token_flush

Configure keystone's database connection directly

# openstack-config --set /etc/keystone/keystone.conf  database sql_connection mysql://keystone:test123@240.10.130.25/keystone

Keystone server settings

# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 240.10.130.25
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 240.10.130.25
# openstack-config --set /etc/keystone/keystone.conf DEFAULT compute_port 8774
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_port 35357
# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_port 5000

Keystone token format settings

# openstack-config --set /etc/keystone/keystone.conf signing token_format UUID
# openstack-config --set /etc/keystone/keystone.conf token provider keystone.token.providers.uuid.Provider
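The settings above all land in /etc/keystone/keystone.conf. The following is an added example (not code from this page or from the keystone project) that parses a keystone.conf and verifies those settings; the sample file text is constructed to mirror the openstack-config commands above, and the EXPECTED table and the audit_keystone_conf checks are this example's own choices. Two findings go beyond what the commands show: admin_token is a bootstrap credential that grants full access to anyone who can read the file and is only needed until the admin user, roles and endpoints exist, and the database URL embeds the DB password, so the file's permissions matter.

```python
"""Parse a keystone.conf and check the settings this page configures.

Added example, not the page's or keystone's code. The sample config is
constructed from the openstack-config --set commands above.
"""
import configparser

# Constructed: what the openstack-config --set commands above write.
SAMPLE_KEYSTONE_CONF = """
[DEFAULT]
admin_token = 1wef2djdf98324jkl
public_bind_host = 240.10.130.25
admin_bind_host = 240.10.130.25
compute_port = 8774
admin_port = 35357
public_port = 5000

[database]
sql_connection = mysql://keystone:test123@240.10.130.25/keystone

[signing]
token_format = UUID

[token]
provider = keystone.token.providers.uuid.Provider
"""

# Settings the page sets, as (section, option, expected value); this list is
# the example's own, taken from the commands above.
EXPECTED = [
    ("DEFAULT", "public_bind_host", "240.10.130.25"),
    ("DEFAULT", "admin_bind_host", "240.10.130.25"),
    ("DEFAULT", "compute_port", "8774"),
    ("DEFAULT", "admin_port", "35357"),
    ("DEFAULT", "public_port", "5000"),
    ("signing", "token_format", "UUID"),
    ("token", "provider", "keystone.token.providers.uuid.Provider"),
]


def parse_keystone_conf(text):
    """Parse INI-style keystone.conf text, keeping [DEFAULT] as a plain section."""
    # default_section is renamed so [DEFAULT] values are not merged into every
    # other section; interpolation is off because URLs may contain '%'.
    parser = configparser.ConfigParser(interpolation=None, default_section="__none__")
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def audit_keystone_conf(text):
    """Return a list of finding strings; an empty list means every check passed."""
    conf = parse_keystone_conf(text)
    findings = []
    for section, option, expected in EXPECTED:
        actual = conf.get(section, option, fallback=None)
        if actual != expected:
            findings.append(f"{section}/{option}: expected {expected!r}, got {actual!r}")
    # The bootstrap admin_token is a shared secret that bypasses user auth;
    # it is only needed until the admin user, roles and endpoints exist.
    if conf.get("DEFAULT", "admin_token", fallback=None):
        findings.append("DEFAULT/admin_token is set: bootstrap credential still active")
    # The connection URL embeds the database password, so the file must stay
    # readable only by the keystone service account (checked on the host).
    if "@" in conf.get("database", "sql_connection", fallback=""):
        findings.append("database/sql_connection embeds credentials; keep keystone.conf mode 0640")
    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_KEYSTONE_CONF):
        print(finding)
```

Run it against the real file with `audit_keystone_conf(open("/etc/keystone/keystone.conf").read())` once the commands above have been applied; the two findings it reports on the sample are the ones to revisit after the bootstrap steps later in this page are complete.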

Start the keystone service

# service openstack-keystone start

Create the database tables

# keystone-manage db_sync

If the database connection succeeds, the following tables are created automatically

mysql> use keystone;
mysql> show tables;
+-----------------------+
| Tables_in_keystone    |
+-----------------------+
| assignment            |
| credential            |
| domain                |
| endpoint              |
| group                 |
| migrate_version       |
| policy                |
| project               |
| region                |
| role                  |
| service               |
| token                 |
| trust                 |
| trust_role            |
| user                  |
| user_group_membership |
+-----------------------+
16 rows in set (0.00 sec)

Installing the keystone client

To connect to keystone, python-keystoneclient must be installed

yum install -y python-keystoneclient

Creating a test tenant and the admin tenant

The endpoint and token values below correspond to the admin_token and admin_bind_host configured in /etc/keystone/keystone.conf

# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

Create a test tenant

[root@hh-yun-compute-130025 ~]# keystone tenant-create --name cookbook --description "Default Cookbook Tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |     Default Cookbook Tenant      |
|   enabled   |               True               |
|      id     | c74de0a2760343ac93f27095023be1cd |
|     name    |             cookbook             |
+-------------+----------------------------------+

Check the tenant information

[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| c74de0a2760343ac93f27095023be1cd | cookbook |   True  |
+----------------------------------+----------+---------+

In addition, we must create an admin tenant, so that the admin user has a complete environment to work in

[root@hh-yun-compute-130025 ~]# keystone tenant-create --name admin --description "Admin tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin tenant           |
|   enabled   |               True               |
|      id     | 59728cade8b14853a8d3cee8c2567881 |
|     name    |              admin               |
+-------------+----------------------------------+

[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 |  admin   |   True  |
| c74de0a2760343ac93f27095023be1cd | cookbook |   True  |
+----------------------------------+----------+---------+

Configuring keystone roles

1 A role expresses a user's permissions within a tenant
2 The two common roles are admin and member

Note: /etc/keystone/policy.json defines the administrator rule as "admin_required": "role:admin or is_admin:1"

Obtain the keystone authentication information from /etc/keystone/keystone.conf

# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

Create the admin role

# keystone role-create --name admin

Create the member role

# keystone role-create --name Member (older releases)
# keystone role-create --name _member_ (I release, Icehouse)

Creating users with keystone

1. Query the tenants

[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 |  admin   |   True  |
| c74de0a2760343ac93f27095023be1cd | cookbook |   True  |
+----------------------------------+----------+---------+

2. Create the admin user

[root@hh-yun-compute-130025 ~]# keystone user-create --name admin --tenant cookbook --pass test123 --email terry.zeng@vipshop.com --enabled true
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |      terry.zeng@vipshop.com      |
| enabled  |               True               |
|    id    | 43f38bc5c1314670b0cf1d925736ff3a |
|   name   |              admin               |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username |              admin               |
+----------+----------------------------------+

3. Query the roles

[root@hh-yun-compute-130025 ~]# keystone role-list
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ddaf6bbd9684a109ecf83f7939bcf94 |  admin   |
+----------------------------------+----------+

4. Query the users

[root@hh-yun-compute-130025 ~]# keystone user-list
+----------------------------------+-------+---------+------------------------+
|                id                |  name | enabled |         email          |
+----------------------------------+-------+---------+------------------------+
| 43f38bc5c1314670b0cf1d925736ff3a | admin |   True  | terry.zeng@vipshop.com |
+----------------------------------+-------+---------+------------------------+

5. Assign the user a role in another tenant

[root@hh-yun-compute-130025 ~]# keystone user-role-add --user admin --role admin --tenant admin

For reference, grant demo the administrator role in the cookbook tenant

[root@hh-yun-compute-130025 ~]# keystone user-create --name demo --tenant cookbook --pass test123 --email demo@localhost --enabled true
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |          demo@localhost          |
| enabled  |               True               |
|    id    | a57b848ff4244b98be66ef8f133fc9ce |
|   name   |               demo               |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username |               demo               |
+----------+----------------------------------+

[root@hh-yun-compute-130025 ~]# keystone user-role-add --user demo --role admin --tenant cookbook
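The note on policy.json above and the user-role-add steps in this section fit together: a v2 token scoped to a tenant carries the roles the user holds in that tenant, and the admin_required rule is evaluated against that token. The following is an added example (not code from this page or from keystone) that models both: the assignment table is constructed from the user-role-add commands above, and the small rule evaluator handles only the flat "a or b" form that admin_required uses. It shows a point worth knowing as a defender: the rule checks only that a role named admin is present, not which tenant granted it, so the demo user's admin role in cookbook satisfies admin_required just as the admin user's role in the admin tenant does. The is_admin:1 clause is what a request authenticated with the bootstrap admin_token satisfies.

```python
"""Evaluate the default v2 policy rule against the assignments made above.

Added example, not the page's or keystone's code. ASSIGNMENTS is constructed
from the keystone user-role-add commands in this section.
"""

# Constructed: {(user, tenant): {roles}} as created by user-role-add above.
ASSIGNMENTS = {
    ("admin", "admin"): {"admin"},
    ("demo", "cookbook"): {"admin"},
}

# The rule quoted from /etc/keystone/policy.json above.
ADMIN_REQUIRED = "role:admin or is_admin:1"


def parse_rule(rule):
    """Split a flat 'a or b' rule into (kind, value) checks; no 'and' or parentheses."""
    checks = []
    for clause in rule.split(" or "):
        kind, _, value = clause.strip().partition(":")
        checks.append((kind, value))
    return checks


def issue_token(user, tenant):
    """Model the credentials a v2 token scoped to (user, tenant) carries."""
    roles = ASSIGNMENTS.get((user, tenant))
    if roles is None:
        raise PermissionError(f"{user} has no role in tenant {tenant}")
    # is_admin is 0 for a normal user token; it is 1 only for admin_token requests.
    return {"user": user, "tenant": tenant, "roles": sorted(roles), "is_admin": 0}


def enforce(rule, creds):
    """Return True if any clause of the 'or' rule matches the credentials."""
    for kind, value in parse_rule(rule):
        if kind == "role" and value in creds["roles"]:
            return True
        if kind == "is_admin" and str(creds.get("is_admin", 0)) == value:
            return True
    return False


def can_administer(user, tenant):
    """Whether a token scoped to (user, tenant) satisfies admin_required."""
    try:
        creds = issue_token(user, tenant)
    except PermissionError:
        return False
    return enforce(ADMIN_REQUIRED, creds)


if __name__ == "__main__":
    for who in [("admin", "admin"), ("demo", "cookbook"), ("demo", "admin")]:
        print(who, "admin_required ->", can_administer(*who))
```

The practical consequence is that granting admin in a "test" tenant such as cookbook, as done for demo above, is a cloud-wide grant under this policy file, so such assignments should be reviewed with `keystone user-role-list --user <user> --tenant <tenant>` for every tenant, not only the admin tenant.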

Service definitions

1 In the cloud environment, each service runs at a specific url, called its endpoint address
2 When a client connects to the openstack environment, it contacts the openstack identity service, which returns the endpoint urls the user may access

To enable this, we need to define the endpoints,

1 In a cloud environment we can define multiple regions; different regions can run in different data centers
2 In the openstack identity service, different regions are distinguished by different ips and urls
3 When we have only a single standalone environment, we configure it as RegionOne

Below are the service endpoints that need to be defined for the openstack I release

1. Define nova

keystone service-create --name nova --type compute --description 'OpenStack Compute Service'

2. Define nova_ec2 (called ec2 in older releases)

keystone service-create --name nova_ec2 --type ec2 --description 'EC2 Service'

3. Define the glance service

keystone service-create --name glance --type image --description 'OpenStack Image Service'

4. Define the cinder service

keystone service-create --name cinder --type volume --description 'Cinder Service'

5. Define cinder_v2

keystone service-create --name cinder_v2 --type volume2 --description 'Cinder Service v2'

6. Define keystone

keystone service-create --name keystone --type identity --description 'OpenStack Identity Service'

7. Define neutron

keystone service-create --name neutron --type network --description 'Neutron Networking Service'

Defining endpoints

The OpenStack identity service supports three kinds of service request URLs

1 public Url (for end users)
2 administration Url (for users with administrative privileges; may use a different address from the public url)
3 internal Url (used on a dedicated network isolated from the public network). 品云 currently uses this approach, with eth1 carrying the inter-component traffic

Once the services are defined, we can add endpoint urls for them; the command syntax is

[root@hh-yun-compute-130025 ~]# keystone endpoint-create
usage: keystone endpoint-create [--region <endpoint-region>] --service
                                <service> --publicurl <public-url>
                                [--adminurl <admin-url>]
                                [--internalurl <internal-url>]

Define the nova endpoint

# PUBLIC="http://240.10.130.30:8774/v2/\$(tenant_id)s" 
# keystone endpoint-create --region RegionOne --service nova --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC 

+-------------+--------------------------------------------+
|   Property  |                   Value                    |
+-------------+--------------------------------------------+
|   adminurl  | http://240.10.130.30:8774/v2/$(tenant_id)s |
|      id     |      fe31d81f395f46e39dd2e3ba9276c4ba      |
| internalurl | http://240.10.130.30:8774/v2/$(tenant_id)s |
|  publicurl  | http://240.10.130.30:8774/v2/$(tenant_id)s |
|    region   |                 RegionOne                  |
|  service_id |      38df11244f3e42698f3c123cc89e9a82      |
+-------------+--------------------------------------------+

Define the nova_ec2 endpoint

# PUBLIC="http://240.10.130.30:8773/services/Cloud" 
# ADMIN="http://240.10.130.30:8773/services/Admin" 
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id nova_ec2 --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

+-------------+------------------------------------------+
|   Property  |                  Value                   |
+-------------+------------------------------------------+
|   adminurl  | http://240.10.130.30:8773/services/Admin |
|      id     |     a835a2aeba444692b215136e641a9e5c     |
| internalurl | http://240.10.130.30:8773/services/Cloud |
|  publicurl  | http://240.10.130.30:8773/services/Cloud |
|    region   |                RegionOne                 |
|  service_id |     18cbe76bbcab479595d90d7a50b7dcdf     |
+-------------+------------------------------------------+

Define the glance endpoint

# PUBLIC="http://240.10.130.25:9292/v1" 
# keystone endpoint-create --region RegionOne --service_id glance --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://240.10.130.25:9292/v1   |
|      id     | b3773df6ad2643fa84c6cae71a7a71cc |
| internalurl |   http://240.10.130.25:9292/v1   |
|  publicurl  |   http://240.10.130.25:9292/v1   |
|    region   |            RegionOne             |
|  service_id | d23d46ad40bd4fc89c9c88118acedf75 |
+-------------+----------------------------------+

Define the cinder endpoint

# PUBLIC="http://240.10.130.25:8776/v1/%(tenant_id)s" 
# keystone endpoint-create --region RegionOne --service_id cinder --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC

+-------------+--------------------------------------------+
|   Property  |                   Value                    |
+-------------+--------------------------------------------+
|   adminurl  | http://240.10.130.25:8776/v1/%(tenant_id)s |
|      id     |      044bc4aeb52e4ddd9b60984b82f1a619      |
| internalurl | http://240.10.130.25:8776/v1/%(tenant_id)s |
|  publicurl  | http://240.10.130.25:8776/v1/%(tenant_id)s |
|    region   |                 RegionOne                  |
|  service_id |      eb92fe7081394648ae9cc25eec0713d7      |
+-------------+--------------------------------------------+

Define the cinder_v2 endpoint

# PUBLIC="http://240.10.130.25:8776/v2/%(tenant_id)s" 
# keystone endpoint-create --region RegionOne --service_id cinder_v2 --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC

+-------------+--------------------------------------------+
|   Property  |                   Value                    |
+-------------+--------------------------------------------+
|   adminurl  | http://240.10.130.25:8776/v2/%(tenant_id)s |
|      id     |      a4f434470e364ff89030d2919eb39c86      |
| internalurl | http://240.10.130.25:8776/v2/%(tenant_id)s |
|  publicurl  | http://240.10.130.25:8776/v2/%(tenant_id)s |
|    region   |                 RegionOne                  |
|  service_id |      63376b37779846eba1f4a96aa142ba94      |
+-------------+--------------------------------------------+

Define the keystone endpoint

# PUBLIC="http://240.10.130.25:5000/v2.0" 
# ADMIN="http://240.10.130.25:35357/v2.0" 
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id keystone --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  | http://240.10.130.25:35357/v2.0  |
|      id     | 047b73ba968d41d98ea707ca51f1db33 |
| internalurl |  http://240.10.130.25:5000/v2.0  |
|  publicurl  |  http://240.10.130.25:5000/v2.0  |
|    region   |            RegionOne             |
|  service_id | 96dba0ee5a154727843cd975f4ce5e29 |
+-------------+----------------------------------+

Define the neutron endpoint

# PUBLIC="http://240.10.130.29:9696/" 
# keystone endpoint-create --region RegionOne --service_id neutron --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |    http://240.10.130.29:9696/    |
|      id     | 52f34a0e1f0446c3b0683a330b1a1ce4 |
| internalurl |    http://240.10.130.29:9696/    |
|  publicurl  |    http://240.10.130.29:9696/    |
|    region   |            RegionOne             |
|  service_id | 7123d8111fa14e06a59b757c3a78901f |
+-------------+----------------------------------+
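The service definitions and the endpoint URLs above are what keystone assembles into the service catalog it returns with a token. Two template forms appear above, `$(tenant_id)s` for nova and `%(tenant_id)s` for cinder; both work because keystone's catalog formatter rewrites `$(` to `%(` before applying Python %-formatting with a whitelist of substitution keys (tenant and user ids plus the bind host/port options set in keystone.conf earlier). The following is an added example, not code from this page or from keystone, that models that formatting and builds a v2-style catalog from a table constructed from the endpoint-create commands above; the exact whitelist is this example's assumption, and the endpoint_is_well_formed check is the example's own suggestion for validating a template before running endpoint-create.

```python
"""Format endpoint templates and build a v2-style service catalog.

Added example, not the page's or keystone's code. ENDPOINTS is constructed
from the endpoint-create commands above (service ids omitted); WHITELISTED
is the example's assumption about which keys templates may reference.
"""

# Assumed whitelist of template keys (tenant/user plus keystone.conf host/port options).
WHITELISTED = {"tenant_id", "user_id", "public_bind_host", "admin_bind_host",
               "compute_host", "compute_port", "admin_port", "public_port"}

# Constructed from the page's service-create / endpoint-create commands.
ENDPOINTS = [
    {"name": "nova", "type": "compute", "region": "RegionOne",
     "publicurl": "http://240.10.130.30:8774/v2/$(tenant_id)s",
     "adminurl": "http://240.10.130.30:8774/v2/$(tenant_id)s",
     "internalurl": "http://240.10.130.30:8774/v2/$(tenant_id)s"},
    {"name": "cinder", "type": "volume", "region": "RegionOne",
     "publicurl": "http://240.10.130.25:8776/v1/%(tenant_id)s",
     "adminurl": "http://240.10.130.25:8776/v1/%(tenant_id)s",
     "internalurl": "http://240.10.130.25:8776/v1/%(tenant_id)s"},
    {"name": "keystone", "type": "identity", "region": "RegionOne",
     "publicurl": "http://240.10.130.25:5000/v2.0",
     "adminurl": "http://240.10.130.25:35357/v2.0",
     "internalurl": "http://240.10.130.25:5000/v2.0"},
]


class MalformedEndpoint(ValueError):
    """Raised when a template references a non-whitelisted key or is not valid %-format."""


def format_url(url, substitutions):
    """Substitute a template the way keystone's catalog formatter does."""
    allowed = {k: v for k, v in substitutions.items() if k in WHITELISTED}
    try:
        # '$(' is accepted as a shell-friendly spelling of '%('.
        return url.replace("$(", "%(") % allowed
    except (KeyError, TypeError, ValueError) as exc:
        raise MalformedEndpoint(f"{url}: {exc}") from exc


def endpoint_is_well_formed(url):
    """True if the template only references whitelisted keys and formats cleanly."""
    try:
        format_url(url, {key: "x" for key in WHITELISTED})
        return True
    except MalformedEndpoint:
        return False


def build_catalog(endpoints, tenant_id, user_id, region="RegionOne"):
    """Return a v2-style catalog: [{type, name, endpoints: [{region, publicURL, ...}]}]."""
    subs = {"tenant_id": tenant_id, "user_id": user_id}
    catalog = []
    for ep in endpoints:
        if ep["region"] != region:
            continue
        catalog.append({
            "type": ep["type"],
            "name": ep["name"],
            "endpoints": [{
                "region": ep["region"],
                "publicURL": format_url(ep["publicurl"], subs),
                "adminURL": format_url(ep["adminurl"], subs),
                "internalURL": format_url(ep["internalurl"], subs),
            }],
        })
    return catalog


def url_for(catalog, service_type, interface="publicURL"):
    """Pick the URL a client would use for a service type from the catalog."""
    for svc in catalog:
        if svc["type"] == service_type:
            return svc["endpoints"][0][interface]
    raise KeyError(service_type)


if __name__ == "__main__":
    # The cookbook tenant and demo user ids are the ones shown earlier on this page.
    cat = build_catalog(ENDPOINTS, "c74de0a2760343ac93f27095023be1cd",
                        "a57b848ff4244b98be66ef8f133fc9ce")
    for svc in cat:
        print(svc["type"], svc["endpoints"][0]["publicURL"])
```

Keystone raises a malformed-endpoint error at catalog time, not at endpoint-create time, so a typo such as `%(tenant_id)` (missing the trailing `s`) only surfaces when a user authenticates; checking templates with endpoint_is_well_formed before running endpoint-create avoids that.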

Creating the service tenant

A service tenant needs to be created so that the services above can run in openstack.
Create a user and password for each service and assign it to the service tenant. ### Note: 品云 uses services as the tenant name; the difference is negligible ###
The users are created the same way as ordinary users and are assigned to the service tenant.

Create the service tenant

# keystone tenant-create --name service --description "Service Tenant" --enabled true

Create the service users

# keystone user-create --name nova --pass nova --tenant service --email nova@localhost --enabled true
# keystone user-create --name glance --pass glance --tenant service --email glance@localhost --enabled true
# keystone user-create --name keystone --pass keystone --tenant service --email keystone@localhost --enabled true
# keystone user-create --name cinder --pass cinder --tenant service --email cinder@localhost --enabled true
# keystone user-create --name neutron --pass neutron --tenant service --email neutron@localhost --enabled true

Assign the user roles

# keystone user-role-add --user nova --role admin --tenant service
# keystone user-role-add --user glance --role admin --tenant service
# keystone user-role-add --user keystone --role admin --tenant service
# keystone user-role-add --user cinder --role admin --tenant service
# keystone user-role-add --user neutron --role admin --tenant service