一、keystone簡介
keystone是openstack中的核心服務,它主要作用是實現使用者認證和授權以及服務目錄;所謂服務目錄指所有可用服務的資訊庫,包含所有可用服務及其API endport路徑;簡單點講就是儲存各服務的API endport路徑和各服務的其他資訊;對於openstack的認證服務來講,有幾個核心的術語要了解下;
user:這裡指使用openstack的使用者,一個使用者可以以關聯多個tenant(租戶)
tenant:租戶,這裡的租戶指openstack上的專案project,或者一個組織;通常一個租戶對應一個project或一個組織;
role:角色,這裡的角色類似Linux使用者裡的使用者組概念,擁有授權為一個使用者為一個角色,那麼這個使用者就擁有這個角色所對應的許可權;
token:令牌,用於認證和授權;這是另一種認證的方式;在openstack中各服務之間通過令牌來做認證的;
service:服務,這個和我們理解的服務一樣,沒有特別的不一樣;
endport:服務端點,通常指服務訪問入口;
上述這些術語對應的資料,通常會用一個資料庫來儲存,我們把這個資料庫統稱為driver,對於不同型別的資料我們可以選擇不同的driver來儲存;比如對於token我們可以選擇儲存到k/v鍵值儲存系統中,也可以選擇儲存在memcached中或者mysql中;catalog我們可以選擇儲存在k/v鍵值儲存系統中,也可選擇儲存到mysql中,也可以選擇儲存到一個模板中;identity我們可以儲存k/v鍵值儲存系統中,也可選擇儲存到mysql中或者pam中也可以;
提示:上圖是一個使用者在openstack上建立一個虛擬機器內部驗證的過程;首先使用者要登入openstack上要把使用者的使用者名稱和密碼傳送給keystone進行驗證,如果在keystone中驗證通過後,keystone會給使用者返回一個token,此時使用者就可以拿著這個返回的token去計算節點請求nova服務,進行建立虛擬機器請求,在nova服務接受到使用者的請求後,nova它不能直接相信使用者的token是否是keystone給的,它會把這個token傳送給keystone進行驗證,如果keystone驗證通過,此時nova才會拿著這個token去請求glance進行虛擬機器映象請求,同樣的glance也不相信nova拿到這個token,它會去找keystone驗證,只有keystone通過後,glance才會把映象傳送給nova,nova拿到映象啟動虛擬機器;啟動虛擬機器過程中nova還會拿著使用者的token去請求neutron服務給虛擬機器分配網路,同樣neutron也是不相信nova的token,它也會去keystone上驗證token,只有驗證通過後才給nova建立的虛擬機器分配網路;最後nova啟動好虛擬以後在返回,告訴使用者虛擬機器啟動成功;從上面的過程來看,幾乎所有服務都會去keystone上驗證使用者的token,所以keystone服務會非常繁忙;
二、keystone服務安裝、配置、測試
1、建立資料庫
[root@node02 ~]# mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 2 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> CREATE DATABASE keystone; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> SHOW DATABASES; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | | test | +--------------------+ 5 rows in set (0.04 sec) MariaDB [(none)]>
2、建立keystone使用者並授權允許從任何主機連線資料庫
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]>
驗證:在node01上使用keystone使用者連線資料庫,看看是否能夠正常連線?
[root@node01 ~]# mysql -ukeystone -pkeystone123 -hnode02 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 4 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | test | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]>
提示:能夠從別的主機用keystone賬號連線到mysql,並看到我們剛才建立的資料庫,說明我們建立的keystone賬號沒有問題;
3、在控制節點安裝openstack-keystone、httpd和mod_wsgi
[root@node01 ~]# yum install -y openstack-keystone httpd mod_wsgi Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * centos-qemu-ev: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com Resolving Dependencies --> Running transaction check ---> Package httpd.x86_64 0:2.4.6-93.el7.centos will be installed --> Processing Dependency: httpd-tools = 2.4.6-93.el7.centos for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 ---> Package mod_wsgi.x86_64 0:3.4-18.el7 will be installed ……省略部分內容…… Dependency Installed: MySQL-python.x86_64 0:1.2.5-1.el7 apr.x86_64 0:1.4.8-5.el7 apr-util.x86_64 0:1.5.2-6.el7 httpd-tools.x86_64 0:2.4.6-93.el7.centos mailcap.noarch 0:2.1.41-2.el7 python-aniso8601.noarch 0:0.82-3.el7 python-beaker.noarch 0:1.5.4-10.el7 python-editor.noarch 0:0.4-4.el7 python-jwcrypto.noarch 0:0.4.2-1.el7 python-keystone.noarch 1:14.2.0-1.el7 python-mako.noarch 0:0.8.1-2.el7 python-migrate.noarch 0:0.11.0-1.el7 python-oslo-cache-lang.noarch 0:1.30.4-1.el7 python-oslo-concurrency-lang.noarch 0:3.27.0-1.el7 python-oslo-db-lang.noarch 0:4.40.2-1.el7 python-oslo-middleware-lang.noarch 0:3.36.0-1.el7 python-oslo-policy-lang.noarch 0:1.38.1-1.el7 python-paste.noarch 0:1.7.5.1-9.20111221hg1498.el7 python-paste-deploy.noarch 0:1.5.2-6.el7 python-pycadf-common.noarch 0:2.8.0-1.el7 python-routes.noarch 0:2.4.1-1.el7 python-sqlparse.noarch 0:0.1.18-5.el7 python-tempita.noarch 0:0.5.1-8.el7 python2-alembic.noarch 0:0.9.7-1.el7 python2-amqp.noarch 0:2.4.0-1.el7 python2-bcrypt.x86_64 0:3.1.6-2.el7 python2-cachetools.noarch 0:2.1.0-1.el7 python2-click.noarch 0:6.7-8.el7 python2-defusedxml.noarch 0:0.5.0-2.el7 python2-eventlet.noarch 0:0.20.1-6.el7 python2-fasteners.noarch 0:0.14.1-6.el7 python2-flask.noarch 1:1.0.2-1.el7 python2-flask-restful.noarch 0:0.3.6-7.el7 python2-future.noarch 0:0.18.2-2.el7 python2-futurist.noarch 0:1.7.0-1.el7 python2-greenlet.x86_64 0:0.4.12-1.el7 python2-itsdangerous.noarch 0:0.24-14.el7 python2-jinja2.noarch 0:2.10-2.el7 python2-keystonemiddleware.noarch 0:5.2.2-1.el7 python2-kombu.noarch 1:4.2.2-1.el7 python2-ldap.x86_64 0:3.1.0-1.el7 python2-ldappool.noarch 0:2.3.1-1.el7 python2-markupsafe.x86_64 0:0.23-16.el7 python2-oauthlib.noarch 0:2.0.1-8.el7 python2-oslo-cache.noarch 0:1.30.4-1.el7 python2-oslo-concurrency.noarch 0:3.27.0-1.el7 python2-oslo-db.noarch 0:4.40.2-1.el7 python2-oslo-messaging.noarch 0:8.1.4-1.el7 python2-oslo-middleware.noarch 0:3.36.0-1.el7 python2-oslo-policy.noarch 0:1.38.1-1.el7 python2-oslo-service.noarch 0:1.31.8-1.el7 python2-osprofiler.noarch 0:2.3.1-1.el7 python2-passlib.noarch 0:1.7.1-1.el7 python2-pyasn1.noarch 0:0.3.7-6.el7 python2-pyasn1-modules.noarch 0:0.3.7-6.el7 python2-pycadf.noarch 0:2.8.0-1.el7 python2-pyngus.noarch 0:2.3.0-1.el7 python2-pysaml2.noarch 0:4.5.0-4.el7 python2-qpid-proton.x86_64 0:0.32.0-2.el7 python2-scrypt.x86_64 0:0.8.0-2.el7 python2-sqlalchemy.x86_64 0:1.2.7-1.el7 python2-statsd.noarch 0:3.2.1-5.el7 python2-tenacity.noarch 0:4.12.0-1.el7 python2-vine.noarch 0:1.2.0-1.el7 python2-webob.noarch 0:1.8.2-1.el7 python2-werkzeug.noarch 0:0.14.1-3.el7 qpid-proton-c.x86_64 0:0.32.0-2.el7 Complete! [root@node01 ~]#
4、生成token
[root@node01 ~]# openssl rand -hex 10 752e7981c9f3bb1b1a91 [root@node01 ~]#
5、編輯keystone配置檔案/etc/keystone/keystone.conf,在default配置段裡新增admin_token,把我們生成的token配置上;
在database配置段配置連線資料庫的地址;
提示:連線資料庫前邊的mysql+pymysql://這一段不用變,預設格式就是這個,雙斜線後面的是keystone使用者,冒號後面是對應keystone使用者的密碼;@後面是資料庫伺服器地址;斜線後面是指連線那個資料庫;我這裡是因為配置了主機名解析,所以資料庫伺服器我用主機名代替了;
在token配置段配置provider = fernet
keystone的最終配置
[root@node01 ~]# grep "^[a-Z\[]" /etc/keystone/keystone.conf [DEFAULT] admin_token = 752e7981c9f3bb1b1a91 [application_credential] [assignment] [auth] [cache] [catalog] [cors] [credential] [database] connection = mysql+pymysql://keystone:keystone123@node02/keystone [domain_config] [endpoint_filter] [endpoint_policy] [eventlet_server] [federation] [fernet_tokens] [healthcheck] [identity] [identity_mapping] [ldap] [matchmaker_redis] [memcache] [oauth1] [oslo_messaging_amqp] [oslo_messaging_kafka] [oslo_messaging_notifications] [oslo_messaging_rabbit] [oslo_messaging_zmq] [oslo_middleware] [oslo_policy] [policy] [profiler] [resource] [revoke] [role] [saml] [security_compliance] [shadow_users] [signing] [token] provider = fernet [tokenless_auth] [trust] [unified_limit] [wsgi] [root@node01 ~]#
提示:這個配置檔案是ini風格的配置檔案,裡面有很多配置段,其實生效的就只有我們剛才配置的三段;
6、在控制節點初始化keystone資料庫
[root@node01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone [root@node01 ~]#
提示:以上命令會通過我們剛才配置的連線資料庫的地址,通過keystone連線到資料庫中建立一堆表;
驗證:在node02上驗證,看看keystone庫中是否多了很多表?
MariaDB [(none)]> use keystone Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [keystone]> show tables; +-----------------------------+ | Tables_in_keystone | +-----------------------------+ | access_token | | application_credential | | application_credential_role | | assignment | | config_register | | consumer | | credential | | endpoint | | endpoint_group | | federated_user | | federation_protocol | | group | | id_mapping | | identity_provider | | idp_remote_ids | | implied_role | | limit | | local_user | | mapping | | migrate_version | | nonlocal_user | | password | | policy | | policy_association | | project | | project_endpoint | | project_endpoint_group | | project_tag | | region | | registered_limit | | request_token | | revocation_event | | role | | sensitive_config | | service | | service_provider | | system_assignment | | token | | trust | | trust_role | | user | | user_group_membership | | user_option | | whitelisted_config | +-----------------------------+ 44 rows in set (0.00 sec) MariaDB [keystone]>
7、在控制節點上初始化Fernet金鑰
[root@node01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone [root@node01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone [root@node01 ~]#
提示:以上命令會在/etc/keystone/fernet-keys/目錄下生成兩個key檔案;
驗證:檢視/etc/keystone/fernet-keys/目錄下是否有兩個key生成?
[root@node01 ~]# ll /etc/keystone/fernet-keys/ total 8 -rw------- 1 keystone keystone 44 Oct 28 19:23 0 -rw------- 1 keystone keystone 44 Oct 28 19:23 1 [root@node01 ~]#
8、配置httpd代理keystone
提示:以上主要修改了httpd的servername監聽地址,其實這裡不修改也行,不影響;重要的是下面的配置;
把/usr/share/keystone/wsgi-keystone.conf連線至/etc/httpd/conf.d/下
[root@node01 ~]# ln -sv /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ ‘/etc/httpd/conf.d/wsgi-keystone.conf’ -> ‘/usr/share/keystone/wsgi-keystone.conf’ [root@node01 ~]# ll /etc/httpd/conf.d/ total 16 -rw-r--r-- 1 root root 2926 Apr 2 2020 autoindex.conf -rw-r--r-- 1 root root 366 Apr 2 2020 README -rw-r--r-- 1 root root 1252 Nov 27 2019 userdir.conf -rw-r--r-- 1 root root 824 Nov 27 2019 welcome.conf lrwxrwxrwx 1 root root 38 Oct 28 19:30 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf [root@node01 ~]#
提示:以上操作就是把httpd代理keystone的配置匯入到httpd中,預設安裝keystone以後就會有一個這樣的配置檔案;我們只需要把這個配置檔案軟連線到httpd的配置目錄下即可;
啟動httpd,並設定為開機啟動
[root@node01 ~]# systemctl start httpd [root@node01 ~]# systemctl enable httpd Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. [root@node01 ~]# ss -tnl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:22 *:* LISTEN 0 100 127.0.0.1:25 *:* LISTEN 0 128 :::80 :::* LISTEN 0 128 :::22 :::* LISTEN 0 100 ::1:25 :::* LISTEN 0 128 :::5000 :::* [root@node01 ~]#
提示:如果能夠看到5000埠正常監聽,說明我們匯入的配置沒有問題;
9、通過OS_TOKEN環境變數匯出admin的token,使用OS_URL環境變數匯出控制節點api介面地址,使用OS_IDENTITY_API_VERSION環境變數匯出api的版本號
[root@node01 ~]# export OS_TOKEN=752e7981c9f3bb1b1a91 [root@node01 ~]# export OS_URL=http://node01:5000/v3 [root@node01 ~]# export OS_IDENTITY_API_VERSION=3
提示:這裡的admin_token就是我們剛才在配置檔案中配置的token;因為最開始我們只有手動生成一個token進行驗證;
10、在匯出以上三個環境變數的終端上建立域、使用者、專案、角色、服務;
建立default域
[root@node01 ~]# openstack domain create --description "Default Domain" default +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Default Domain | | enabled | True | | id | 47c0915c914c49bb8670703e4315a80f | | name | default | | tags | [] | +-------------+----------------------------------+ [root@node01 ~]#
建立一個admin的專案 並把域指向default
[root@node01 ~]# openstack project create --domain default --description "Admin Project" admin +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Admin Project | | domain_id | 47c0915c914c49bb8670703e4315a80f | | enabled | True | | id | b4e56eeb160948c581e98d685133d19a | | is_domain | False | | name | admin | | parent_id | 47c0915c914c49bb8670703e4315a80f | | tags | [] | +-------------+----------------------------------+ [root@node01 ~]#
建立admin使用者並設定密碼為admin
[root@node01 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 47c0915c914c49bb8670703e4315a80f |
| enabled | True |
| id | a105f256dc9f42438212e9d96d46b60d |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@node01 ~]#
建立admin角色
[root@node01 ~]# openstack role create admin +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | None | | id | 7f1f7aa119034c2fbd15b46b90632d18 | | name | admin | +-----------+----------------------------------+ [root@node01 ~]#
給admin使用者授權,將admin使用者授予admin專案的admin角色
[root@node01 ~]# openstack role add --project admin --user admin admin [root@node01 ~]#
建立一個用於測試的demo專案
[root@node01 ~]# openstack project create --domain default --description "Demo Project" demo +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Demo Project | | domain_id | 47c0915c914c49bb8670703e4315a80f | | enabled | True | | id | 1a918887f38a42c28f9d0d3774f34b16 | | is_domain | False | | name | demo | | parent_id | 47c0915c914c49bb8670703e4315a80f | | tags | [] | +-------------+----------------------------------+ [root@node01 ~]#
建立demo使用者並設定密碼為demo
[root@node01 ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 47c0915c914c49bb8670703e4315a80f |
| enabled | True |
| id | 5453d68782a34429a7dab7da9c51f0d9 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@node01 ~]#
建立一個user角色
[root@node01 ~]# openstack role create user +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | None | | id | ee2f38096e42409eb47ae67a8c289279 | | name | user | +-----------+----------------------------------+ [root@node01 ~]#
把demo使用者新增到demo專案,然後賦予user角色許可權
[root@node01 ~]# openstack role add --project demo --user demo user [root@node01 ~]#
驗證:檢視現有的使用者、專案、角色、域是否是我們建立的
[root@node01 ~]# openstack user list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 5453d68782a34429a7dab7da9c51f0d9 | demo | | a105f256dc9f42438212e9d96d46b60d | admin | +----------------------------------+-------+ [root@node01 ~]# openstack project list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 1a918887f38a42c28f9d0d3774f34b16 | demo | | b4e56eeb160948c581e98d685133d19a | admin | +----------------------------------+-------+ [root@node01 ~]# openstack role list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 7f1f7aa119034c2fbd15b46b90632d18 | admin | | ee2f38096e42409eb47ae67a8c289279 | user | +----------------------------------+-------+ [root@node01 ~]# openstack domain list +----------------------------------+---------+---------+----------------+ | ID | Name | Enabled | Description | +----------------------------------+---------+---------+----------------+ | 47c0915c914c49bb8670703e4315a80f | default | True | Default Domain | +----------------------------------+---------+---------+----------------+ [root@node01 ~]#
提示:可以看到當前控制節點上有兩個使用者,兩個專案,兩個角色,分別是admin和demo;一個default域;這都是我們剛才建立的;
建立一個service專案,各服務之間與keystone進行訪問和認證,service用於給服務建立使用者;
[root@node01 ~]# openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | 47c0915c914c49bb8670703e4315a80f | | enabled | True | | id | 9c9d6f24fc23464a810ef97ce199bffa | | is_domain | False | | name | service | | parent_id | 47c0915c914c49bb8670703e4315a80f | | tags | [] | +-------------+----------------------------------+ [root@node01 ~]#
建立一個keystone認證服務
[root@node01 ~]# openstack service create --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | OpenStack Identity | | enabled | True | | id | a32cffed26924a87b21b4e86e00c63b4 | | name | keystone | | type | identity | +-------------+----------------------------------+ [root@node01 ~]#
檢視當前服務列表
[root@node01 ~]# openstack service list +----------------------------------+----------+----------+ | ID | Name | Type | +----------------------------------+----------+----------+ | a32cffed26924a87b21b4e86e00c63b4 | keystone | identity | +----------------------------------+----------+----------+ [root@node01 ~]#
11、建立endpoint(註冊服務)
建立公共端
[root@node01 ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 5293ad18db674ea1b01d8f401cb2cf14 | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | a32cffed26924a87b21b4e86e00c63b4 | | service_name | keystone | | service_type | identity | | url | http://controller:5000/v3 | +--------------+----------------------------------+ [root@node01 ~]#
建立私有端
[root@node01 ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 6593f8d808094b01a6311828f2ef72bd | | interface | internal | | region | RegionOne | | region_id | RegionOne | | service_id | a32cffed26924a87b21b4e86e00c63b4 | | service_name | keystone | | service_type | identity | | url | http://controller:5000/v3 | +--------------+----------------------------------+ [root@node01 ~]#
建立管理端
[root@node01 ~]# openstack endpoint create --region RegionOne identity admin http://controller:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 3bd05493999b462eb4b4af8d5e5c1fa9 | | interface | admin | | region | RegionOne | | region_id | RegionOne | | service_id | a32cffed26924a87b21b4e86e00c63b4 | | service_name | keystone | | service_type | identity | | url | http://controller:5000/v3 | +--------------+----------------------------------+ [root@node01 ~]#
驗證:看看endport 列表是否都已經有我們剛才建立的三個端點?
[root@node01 ~]# openstack endpoint list +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+ | ID | Region | Service Name | Service Type | Enabled | Interface | URL | +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+ | 3bd05493999b462eb4b4af8d5e5c1fa9 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3 | | 5293ad18db674ea1b01d8f401cb2cf14 | RegionOne | keystone | identity | True | public | http://controller:5000/v3 | | 6593f8d808094b01a6311828f2ef72bd | RegionOne | keystone | identity | True | internal | http://controller:5000/v3 | +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+ [root@node01 ~]#
提示:如果建立錯誤或者多建立了,就需要全部刪除,重新註冊;
到此keystone服務就配置完了;接下來測試keystone是否可以用來做認證服務
驗證:重新開啟一個終端視窗,匯出OS_IDENTITY_API_VERSION環境變數,使用命令的方式驗證admin使用者密碼是admin
[root@node01 ~]# echo $OS_IDENTITY_API_VERSION [root@node01 ~]# export OS_IDENTITY_API_VERSION=3 [root@node01 ~]# echo $OS_IDENTITY_API_VERSION 3 [root@node01 ~]# openstack --os-auth-url http://node01:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2020-10-28T13:16:54+0000 | | id | gAAAAABfmWE2udKuo4ambgxh3RsrzoDwrA8IHa1dx5gYk_sZoU5HmZUM9qHTguwMasYGzRIno0LawlZDbB4i3IJold3sZdAlEZGwiNuPtYJMgP5nikDUR8YrXNPNQNDMjCchDMMN6bWhZ26pQXVEZ0VXcN5v5xOj_bx7nskJ8bnvKWFiRf4ckPQ | | project_id | b4e56eeb160948c581e98d685133d19a | | user_id | a105f256dc9f42438212e9d96d46b60d | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ [root@node01 ~]#
提示:輸入正確的密碼會返回一個表,記錄的有過期時長,id,和專案id和使用者id;如果輸入密碼錯誤則不會返回這些內容,其實這些內容主要用來描述返回給使用者token屬性,我們可以理解它就是返回了這樣一個token給我們;
[root@node01 ~]# openstack --os-auth-url http://node01:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue Password: The request you have made requires authentication. (HTTP 401) (Request-ID: req-79d8afbe-56dc-47f9-ab4e-8065a295923e) [root@node01 ~]#
提示:輸入錯誤的密碼它給我們返回了響應碼為401,表示驗證未通過;
建立admin使用者環境變數指令碼
[root@node01 ~]# cat admin.sh #!/bin/bash export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=admin export OS_AUTH_URL=http://controller:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 [root@node01 ~]# chmod a+x admin.sh [root@node01 ~]#
建立demo使用者環境變數指令碼
[root@node01 ~]# cat demo.sh #!/bin/bash export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=demo export OS_AUTH_URL=http://controller:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 [root@node01 ~]# chmod a+x demo.sh [root@node01 ~]#
提示:有了上面兩個指令碼以後,我們就實現要使用那個使用者測試,直接把對應的使用者環境變數匯出即可;
驗證:測試admin使用者的環境變數指令碼是否可用?
[root@node01 ~]# ll total 8 -rwxr-xr-x 1 root root 272 Oct 28 20:23 admin.sh -rwxr-xr-x 1 root root 269 Oct 28 20:24 demo.sh [root@node01 ~]# source admin.sh [root@node01 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2020-10-28T13:29:08+0000 | | id | gAAAAABfmWQU2Z97wzxv94lLY4hcSWe4X6Udp_OyeYw3_wY54_znLFb4TFLcMnR96-ogNAcJEvXiQcJWdvQJHBObYbR-gAEulagQq2sjXLxedMYLUN4j2y_L4G5NhbaogGKtHed4WMR0N72Js4INyHjKWCwwSd2d4NJpZUe14pQjNX8ihleP09g | | project_id | b4e56eeb160948c581e98d685133d19a | | user_id | a105f256dc9f42438212e9d96d46b60d | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ [root@node01 ~]#
提示:重新開一個終端,匯出admin使用者環境變數,然後直接使用openstack token issue命令就能驗證admin使用者;有了這個環境變數指令碼,我們不用輸密碼和不用寫那麼長的命令了;
驗證demo使用者的環境變數指令碼
[root@node01 ~]# ll total 8 -rwxr-xr-x 1 root root 272 Oct 28 20:23 admin.sh -rwxr-xr-x 1 root root 269 Oct 28 20:24 demo.sh [root@node01 ~]# source demo.sh [root@node01 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2020-10-28T13:31:34+0000 | | id | gAAAAABfmWSmj5PHp8x3m3szKwZ0_dWSdY-JM-TBbo-bMk4OaTHl3BLNVrglKXRMe5jpbCOBPb5l2AyHWVvzvJdi2Jx4va7PJksJGlx_JluhOx9vry1kjiZoKcW7Ri3Y7qkYFvDcpDHXy0KkYeHSyMW9zjNaFvvJtrPpozgfw7gsghYJNfZoYz0 | | project_id | 1a918887f38a42c28f9d0d3774f34b16 | | user_id | 5453d68782a34429a7dab7da9c51f0d9 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ [root@node01 ~]#
提示:demo使用者的環境變數指令碼也都能夠正常通過驗證;到此keystone服務的安裝配置測試就完成了;