说明
1 keystone 数据存储至 mariadb 中
2 keystone 主要为 nova, neutron, cinder 等组件提供数据认证服务,
3 keystone 自身管理 user, tenant, service, endpoint 等重要信息
安装
yum install -y openstack-keystone.noarch openstack-keystone-doc.noarch python-keystone.noarch python-keystoneclient.noarch python-keystoneclient-doc.noarch python-keyring openstack-utils
配置
直接配置 token
# SERVICE_TOKEN=1wef2djdf98324jkl
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT admin_token $SERVICE_TOKEN
强制更新 token 并删除旧 token
# keystone-manage token_flush
直接配置 keystone 的数据库连接方法
# openstack-config --set /etc/keystone/keystone.conf database sql_connection mysql://keystone:test123@240.10.130.25/keystone
keystone 服务器设定
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT public_bind_host 240.10.130.25
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT admin_bind_host 240.10.130.25
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT compute_port 8774
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT admin_port 35357
# openstack-config --set /etc/keysto ne/keystone.conf DEFAULT public_port 5000
keystone 存储格式定义
# openstack-config --set /etc/keysto ne/keystone.conf signing token_format UUID
# openstack-config --set /etc/keystone/keystone.conf token provider keystone.token.providers.uuid.Provider
启动 keystone 服务
# service openstack-keystone start
创建相应数据库表
# keystone-manage db_sync
假如连接成功, 则自动创建下面表
mysql> use keystone;
mysql> show tables;
+-----------------------+
| Tables_in_keystone |
+-----------------------+
| assignment |
| credential |
| domain |
| endpoint |
| group |
| migrate_version |
| policy |
| project |
| region |
| role |
| service |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
+-----------------------+
16 rows in set (0.00 sec)
keystone 客户端安装
要连接 keystone 需要安装 python-keystoneclient
yum install -y python-keystoneclient
创建测试 tenant 与 admin tenant
参考 /etc/keystone/keystone.conf 中自定义的 token 与 admin_bind_host 参考, 对应下面 endpoint 与 token 值
# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
创建 tenant 测试
[root@hh-yun-compute-130025 ~]# keystone tenant-create --name cookbook --description "Default Cookbook Tenant" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Cookbook Tenant |
| enabled | True |
| id | c74de0a2760343ac93f27095023be1cd |
| name | cookbook |
+-------------+----------------------------------+
检测 tenant 信息
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| c74de0a2760343ac93f27095023be1cd | cookbook | True |
+----------------------------------+----------+---------+
另外, 我们必须要创建一个 admin 的 tenant, admin 环境才能够保证用户具有完整的环境
[root@hh-yun-compute-130025 ~]# keystone tenant-create --name admin --description "Admin tenant" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin tenant |
| enabled | True |
| id | 59728cade8b14853a8d3cee8c2567881 |
| name | admin |
+-------------+----------------------------------+
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 | admin | True |
| c74de0a2760343ac93f27095023be1cd | cookbook | True |
+----------------------------------+----------+---------+
配置 keystone 角色
1 role 是用户在 tenant 下的权限的体现
2 常见有 admin 与 member 两种角色
注意: /etc/keystone/policy.json 定义了管理员角色 “admin_required”: “role:admin or is_admin:1”,
从 /etc/keystone/keystone.conf 下获得 keystone 认证信息
# export ENDPOINT=240.10.130.25
# export SERVICE_TOKEN=1wef2djdf98324jkl
# export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
创建 admin 角色
# keystone role-create --name admin
创建 member 角色
# keystone role-create --name Member (旧版)
# keystone role-create --name _member_ ( i 版)
利用 keystone 创建用户
1. 查询 tenant
[root@hh-yun-compute-130025 ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| 59728cade8b14853a8d3cee8c2567881 | admin | True |
| c74de0a2760343ac93f27095023be1cd | cookbook | True |
+----------------------------------+----------+---------+
2. 创建 admin 用户
[root@hh-yun-compute-130025 ~]# keystone user-create --name admin --tenant cookbook --pass test123 --email terry.zeng@vipshop.com --enabled true
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | terry.zeng@vipshop.com |
| enabled | True |
| id | 43f38bc5c1314670b0cf1d925736ff3a |
| name | admin |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username | admin |
+----------+----------------------------------+
3. 查询角色
[root@hh-yun-compute-130025 ~]# keystone role-list
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ddaf6bbd9684a109ecf83f7939bcf94 | admin |
+----------------------------------+----------+
4. 查询用户
[root@hh-yun-compute-130025 ~]# keystone user-list
+----------------------------------+-------+---------+------------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+------------------------+
| 43f38bc5c1314670b0cf1d925736ff3a | admin | True | terry.zeng@vipshop.com |
+----------------------------------+-------+---------+------------------------+
5. 指定用户新的 tenant 角色
[root@hh-yun-compute-130025 ~]# keystone user-role-add --user admin --role admin --tenant admin
参考 为 cookbook tenant 授权 demo 为管理员
[root@hh-yun-compute-130025 ~]# keystone user-create --name demo --tenant cookbook --pass test123 --email demo@localhost --enabled true
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | demo@localhost |
| enabled | True |
| id | a57b848ff4244b98be66ef8f133fc9ce |
| name | demo |
| tenantId | c74de0a2760343ac93f27095023be1cd |
| username | demo |
+----------+----------------------------------+
[root@hh-yun-compute-130025 ~]# keystone user-role-add --user demo --role admin --tenant cookbook
service 定义
1 云环境中每个服务都运行在一个特定的 url 下, 成为 endpoint 地址
2 客户端连接 openstack 环境时候, 允许 openstack 身份验证服务, 这个服务将返回 用户可以访问的 endpoint url
要启用上述功能, 我们需要定义 endpoint,
1 云环境下, 我们可以定义多个区域, 不同区域可以跑在不同的数据中心中
2 在 openstack 身份认证服务下不同区域由不同的 ip 及 urls 进行指定
3 当我们只有一个独立环境时候, 我们配置为 RegionOne
下面是openstack i 版需要定义的服务 endpoint
1. 定义 nova
keystone service-create --name nova --type compute --description 'OpenStack Compute Service'
2. 定义 nova_ec2 (旧版本叫 ec2)
keystone service-create --name nova_ec2 --type ec2 --description 'EC2 Service'
3. 定义 glance 服务
keystone service-create --name glance --type image --description 'OpenStack Image Service'
4. 定义 cinder 服务
keystone service-create --name cinder --type volume --description 'Cinder Service'
5. 定义 cinder_v2
keystone service-create --name cinder_v2 --type volume2 --description 'Cinder Service v2'
6. 定义 keystone
keystone service-create --name keystone --type identity --description 'OpenStack Identity Service'
7. 定义 neutron
keystone service-create --name neutron --type network --description 'Neutron Networking Service'
定义 endpoint
Openstack 身份服务可以配置三种服务请求方法
1 public Url (针对最终用户)
2 administration Url (具有管理权限的用户, 可以与 public url 使用不同的地址)
3 internal Url (使用在一个专用网络上, 与公网隔离) 当前品云使这种方式, 同时调用 eth1 作为组件间通讯方法
当服务定义后, 我们可以为服务添加 endpoint urls, 参考命令语法
[root@hh-yun-compute-130025 ~]# keystone endpoint-create
usage: keystone endpoint-create [--region <endpoint-region>] --service
<service> --publicurl <public-url>
[--adminurl <admin-url>]
[--internalurl <internal-url>]
定义 nova endpoint
# PUBLIC="http://240.10.130.30:8774/v2/\$(tenant_id)s"
# keystone endpoint-create --region RegionOne --service nova --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminurl | http://240.10.130.30:8774/v2/$(tenant_id)s |
| id | fe31d81f395f46e39dd2e3ba9276c4ba |
| internalurl | http://240.10.130.30:8774/v2/$(tenant_id)s |
| publicurl | http://240.10.130.30:8774/v2/$(tenant_id)s |
| region | RegionOne |
| service_id | 38df11244f3e42698f3c123cc89e9a82 |
+-------------+--------------------------------------------+
定义 nova_ec2 endpoint
# PUBLIC="http://240.10.130.30:8773/services/Cloud"
# ADMIN="http://240.10.130.30:8773/services/Admin"
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id nova_ec2 --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
+-------------+------------------------------------------+
| Property | Value |
+-------------+------------------------------------------+
| adminurl | http://240.10.130.30:8773/services/Admin |
| id | a835a2aeba444692b215136e641a9e5c |
| internalurl | http://240.10.130.30:8773/services/Cloud |
| publicurl | http://240.10.130.30:8773/services/Cloud |
| region | RegionOne |
| service_id | 18cbe76bbcab479595d90d7a50b7dcdf |
+-------------+------------------------------------------+
定义 glance endpoint
# PUBLIC="http://240.10.130.25:9292/v1"
# keystone endpoint-create --region RegionOne --service_id glance --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://240.10.130.25:9292/v1 |
| id | b3773df6ad2643fa84c6cae71a7a71cc |
| internalurl | http://240.10.130.25:9292/v1 |
| publicurl | http://240.10.130.25:9292/v1 |
| region | RegionOne |
| service_id | d23d46ad40bd4fc89c9c88118acedf75 |
+-------------+----------------------------------+
定义 cinder endpoint
# PUBLIC="http://240.10.130.25:8776/v1/%(tenant_id)s"
# keystone endpoint-create --region RegionOne --service_id cinder --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminurl | http://240.10.130.25:8776/v1/%(tenant_id)s |
| id | 044bc4aeb52e4ddd9b60984b82f1a619 |
| internalurl | http://240.10.130.25:8776/v1/%(tenant_id)s |
| publicurl | http://240.10.130.25:8776/v1/%(tenant_id)s |
| region | RegionOne |
| service_id | eb92fe7081394648ae9cc25eec0713d7 |
+-------------+--------------------------------------------+
定义 cinder_v2 endpoint
# PUBLIC="http://240.10.130.25:8776/v2/%(tenant_id)s"
# keystone endpoint-create --region RegionOne --service_id cinder_v2 --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminurl | http://240.10.130.25:8776/v2/%(tenant_id)s |
| id | a4f434470e364ff89030d2919eb39c86 |
| internalurl | http://240.10.130.25:8776/v2/%(tenant_id)s |
| publicurl | http://240.10.130.25:8776/v2/%(tenant_id)s |
| region | RegionOne |
| service_id | 63376b37779846eba1f4a96aa142ba94 |
+-------------+--------------------------------------------+
定义keystone endpoint
# PUBLIC="http://240.10.130.25:5000/v2.0"
# ADMIN="http://240.10.130.25:35357/v2.0"
# INTERNAL=$PUBLIC
# keystone endpoint-create --region RegionOne --service_id keystone --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://240.10.130.25:35357/v2.0 |
| id | 047b73ba968d41d98ea707ca51f1db33 |
| internalurl | http://240.10.130.25:5000/v2.0 |
| publicurl | http://240.10.130.25:5000/v2.0 |
| region | RegionOne |
| service_id | 96dba0ee5a154727843cd975f4ce5e29 |
+-------------+----------------------------------+
定义 neutron endpoint
# PUBLIC="http://240.10.130.29:9696/"
# keystone endpoint-create --region RegionOne --service_id neutron --publicurl $PUBLIC --adminurl $PUBLIC --internalurl $PUBLIC
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://240.10.130.29:9696/ |
| id | 52f34a0e1f0446c3b0683a330b1a1ce4 |
| internalurl | http://240.10.130.29:9696/ |
| publicurl | http://240.10.130.29:9696/ |
| region | RegionOne |
| service_id | 7123d8111fa14e06a59b757c3a78901f |
+-------------+----------------------------------+
创建 service tenant
需要创建 service tenant, 用于允许上述服务在 openstack 中运行
并创建对应服务的用户密码并对应 service tenant ### 注意, 品云使用 services 作为 tenant 区别不大 ###
用户创建方法与普通创建方法一样, 并分配至 service tenant 中
创建 service tenant
# keystone tenant-create --name service --description "Service Tenant" --enabled true
创建用户
# keystone user-create --name nova --pass nova --tenant service --email nova@localhost --enabled true
# keystone user-create --name glance --pass glance --tenant service --email glance@localhost --enabled true
# keystone user-create --name keystone --pass keystone --tenant service --email keystone@localhost --enabled true
# keystone user-create --name cinder --pass cinder --tenant service --email cinder@localhost --enabled true
# keystone user-create --name neutron --pass neutron --tenant service --email neutron@localhost --enabled true
修改用户角色
# keystone user-role-add --user nova --role admin --tenant service
# keystone user-role-add --user glance --role admin --tenant service
# keystone user-role-add --user keystone --role admin --tenant service
# keystone user-role-add --user cinder --role admin --tenant service
# keystone user-role-add --user neutron --role admin --tenant service