openstack-keystone 小鱼儿 2021-11-23 06:52

# OpenStack installation (1): Keystone configuration #

(controller) How Keystone works in detail: [OpenStack Keystone Workflow & Token Scoping][OpenStack Keystone Workflow _ Token Scoping]

Every command in this part authenticates with `--token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0`. That token is the `admin_token` from keystone.conf: a shared secret that bypasses users, tenants and roles altogether and grants full administrative rights on the admin API (port 35357). It exists only to bootstrap the identity data below; keep it on the controller and never hand it to other services or users.

1. Create the tenant openstackDemo

```
$ keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | True                             |
| id          | ac0da7079c8d4bc2b95009175b21fa66 |
| name        | openstackDemo                    |
+-------------+----------------------------------+
```

2. Create the user admin (in tenant openstackDemo, password keystoneadmin)

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id ac0da7079c8d4bc2b95009175b21fa66 --name admin --pass keystoneadmin
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 264de00cea3348cda1b968f31b369e92                                                                                        |
| name     | admin                                                                                                                   |
| password | $6$rounds=40000$cjEp2NZMf67VgeML$qognuEx/idO5meuCN0VQZfD4t9skm9K25ymF8XWt.4UYaFteJZHQQCUpd6oLYswHdliTKNJT9NNysbT8ozTlm. |
| tenantId | ac0da7079c8d4bc2b95009175b21fa66                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
```

The `password` column is the SHA-512 crypt hash that Keystone stores (`$6$rounds=40000$...`), not the cleartext, but this Keystone version echoes it back to the terminal, and the cleartext itself is on the command line after `--pass`, so both end up in scrollback and shell history. Treat every password in this walkthrough as a placeholder to be replaced with a real secret.

3. Create the roles admin and Member

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-create --name admin
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-create --name Member
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-list
+----------------------------------+--------+
| id                               | name   |
+----------------------------------+--------+
| 13253694d6704b19bbcbdc96877d9262 | Member |
| 25f36f99603c4c95888e71793365826e | admin  |
+----------------------------------+--------+
```

4. In tenant openstackDemo, grant the role admin to user admin (user-role-add)

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id 264de00cea3348cda1b968f31b369e92 --tenant-id ac0da7079c8d4bc2b95009175b21fa66 --role-id 25f36f99603c4c95888e71793365826e
```

This command prints nothing on success.

These four steps show the basic Keystone model: a tenant, a user that belongs to it, a role, and a role assignment that binds user, tenant and role together. Permissions come from that assignment, not from the user or the tenant on its own.

---

Now create the tenant, users and role assignments for the individual components.

I. Glance

1. Create the tenant service

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | a295e1962f124d2992beacbec452d9c4 |
| name        | service                          |
+-------------+----------------------------------+
```

2. Create the user glance in tenant service

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name glance --pass glance
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | b6edb3ec9e2e49d39f3a01d4f8981772                                                                                        |
| name     | glance                                                                                                                  |
| password | $6$rounds=40000$5lWn2BruhOqK/O.6$JBpB8DGl8IMEDjbdp9YEGid5r4I96g/qkimZ1zGjNkE8EJJZL7JQBV2A4tLRa/wDBAWXiTCl.RtO/G2RJJtUR. |
| tenantId | a295e1962f124d2992beacbec452d9c4                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
```

3. In tenant service, grant the role admin to user glance

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id b6edb3ec9e2e49d39f3a01d4f8981772 --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
```

The service tenant holds one account per OpenStack service. Each of them gets the admin role because the auth_token middleware inside that service uses these credentials to validate user tokens against the Keystone admin API. An account with this role can do anything in Keystone, so the service passwords (here simply `glance`, `nova`, `ec2`, `swift`) deserve the same protection as the admin user's.

II. Nova

1. Create the user nova in tenant service

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name nova --pass nova
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | d746324fe1aa436087e87e92b38ed2d8                                                                                        |
| name     | nova                                                                                                                    |
| password | $6$rounds=40000$.xbXsBlZ3cgkRJe6$j8d.p/6GstU3S5RCbSt5iEBIgXeK9QArjDiIyCW5.j/uZoB2hG3YbKspf0uSfV2UKvvhg/04WgOFGLorZiv7p0 |
| tenantId | a295e1962f124d2992beacbec452d9c4                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
```

2. In tenant service, grant the role admin to user nova

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id d746324fe1aa436087e87e92b38ed2d8 --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
```

III. EC2 Service

1. Create the user ec2 in tenant service

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name ec2 --pass ec2
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | e88417ed8c394d73a52f7709a113bb9a                                                                                        |
| name     | ec2                                                                                                                     |
| password | $6$rounds=40000$ki7fxWVrFhEeQclE$BPelQcPtikG4x/yQg26QtnWA4Z1A.Bj7VwALxjMUotPf5syivhj7IgqCuIExZRsNniopKjfGSt.yXgCkIesWc/ |
| tenantId | a295e1962f124d2992beacbec452d9c4                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
```

2. In tenant service, grant the role admin to user ec2

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id e88417ed8c394d73a52f7709a113bb9a --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
```

IV. Object Storage Service (swift)

1. Create the user swift in tenant service

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name swift --pass swift
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 3a8ccf71549f491b8eccc31b4b04d80e                                                                                        |
| name     | swift                                                                                                                   |
| password | $6$rounds=40000$SthEV8h8scvp9hBJ$r6oCf8J1OGb39QymElLJr79XD6suL4jKimUHLrz8VWz3W2Wxl8EqCYmYZUBs8LigGUNGDrG.9mrhJQ86/AgKH1 |
| tenantId | a295e1962f124d2992beacbec452d9c4                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
```

2. In tenant service, grant the role admin to user swift

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id 3a8ccf71549f491b8eccc31b4b04d80e --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
```

List the users:

```
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-list
+----------------------------------+--------+---------+-------+
| id                               | name   | enabled | email |
+----------------------------------+--------+---------+-------+
| 264de00cea3348cda1b968f31b369e92 | admin  | True    |       |
| 3a8ccf71549f491b8eccc31b4b04d80e | swift  | True    |       |
| b6edb3ec9e2e49d39f3a01d4f8981772 | glance | True    |       |
| d746324fe1aa436087e87e92b38ed2d8 | nova   | True    |       |
| e88417ed8c394d73a52f7709a113bb9a | ec2    | True    |       |
+----------------------------------+--------+---------+-------+
```

---

To save two arguments on every command:

```
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export SERVICE_TOKEN=558ec87e86aa43b11798
```

The endpoint is now localhost because the remaining commands run on the controller itself. `unset` both variables once the bootstrap is finished: an exported admin token is inherited by every process started from that shell.

Register a service for each component:

```
keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
keystone service-create --name=nova --type=compute --description="Nova Compute Service"
keystone service-create --name=volume --type=volume --description="Nova Volume Service"
keystone service-create --name=glance --type=image --description="Glance Image Service"
keystone service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer"
keystone service-create --name=swift --type=object-store --description="Object Storage Service"
$ keystone service-list
+----------------------------------+----------+--------------+---------------------------+
| id                               | name     | type         | description               |
+----------------------------------+----------+--------------+---------------------------+
| 0ef9d77e2ca44d2e94a58f98eaea46fc | keystone | identity     | Keystone Identity Service |
| 1ab16c3a56314f81bf6d7ab4c96cf9ba | volume   | volume       | Nova Volume Service       |
| 2e7c422762a24306879dc3459c8d4ac0 | ec2      | ec2          | EC2 Compatibility Layer   |
| b0753c9823ec43bba5f44a431df108f4 | swift    | object-store | Object Storage Service    |
| ec5b17f444ed49a9b5f785eff16be656 | nova     | compute      | Nova Compute Service      |
| f3e375536aac48fa8463660bbe91c12a | glance   | image        | Glance Image Service      |
+----------------------------------+----------+--------------+---------------------------+
```

Create an endpoint for each service. Public and admin URLs are on 10.10.4.47, internal URLs on the management address 192.168.1.2; all of them are plain http here, so tokens and service credentials cross the wire unencrypted.

1. keystone

```
keystone endpoint-create --region RegionOne --service-id=0ef9d77e2ca44d2e94a58f98eaea46fc \
  --publicurl=http://10.10.4.47:5000/v2.0 \
  --internalurl=http://192.168.1.2:5000/v2.0 \
  --adminurl=http://10.10.4.47:35357/v2.0
```

2. nova

```
keystone endpoint-create \
  --region RegionOne \
  --service-id=ec5b17f444ed49a9b5f785eff16be656 \
  --publicurl='http://10.10.4.47:8774/v2/%(tenant_id)s' \
  --internalurl='http://192.168.1.2:8774/v2/%(tenant_id)s' \
  --adminurl='http://10.10.4.47:8774/v2/%(tenant_id)s'
```

3. volume

```
keystone endpoint-create \
  --region RegionOne \
  --service-id=1ab16c3a56314f81bf6d7ab4c96cf9ba \
  --publicurl='http://10.10.4.47:8776/v1/%(tenant_id)s' \
  --internalurl='http://192.168.1.2:8776/v1/%(tenant_id)s' \
  --adminurl='http://10.10.4.47:8776/v1/%(tenant_id)s'
```

4. glance

```
keystone endpoint-create \
  --region RegionOne \
  --service-id=f3e375536aac48fa8463660bbe91c12a \
  --publicurl=http://10.10.4.47:9292/v1 \
  --internalurl=http://192.168.1.2:9292/v1 \
  --adminurl=http://10.10.4.47:9292/v1
```

5. ec2

```
keystone endpoint-create \
  --region RegionOne \
  --service-id=2e7c422762a24306879dc3459c8d4ac0 \
  --publicurl=http://10.10.4.47:8773/services/Cloud \
  --internalurl=http://192.168.1.2:8773/services/Cloud \
  --adminurl=http://10.10.4.47:8773/services/Admin
```

6. swift

```
keystone endpoint-create \
  --region RegionOne \
  --service-id=b0753c9823ec43bba5f44a431df108f4 \
  --publicurl 'http://10.10.4.47:8888/v1/AUTH_%(tenant_id)s' \
  --adminurl 'http://10.10.4.47:8888/v1' \
  --internalurl 'http://192.168.1.2:8888/v1/AUTH_%(tenant_id)s'
```

The resulting endpoints (the `%(tenant_id)s` placeholders are filled in by Keystone when it builds the service catalog for a scoped token):

```
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
| id                               | region    | publicurl                                    | internalurl                                   | adminurl                                | service_id                       |
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
| 213af135dbf74933a24872b3a2d6c4b8 | RegionOne | http://10.10.4.47:8888/v1/AUTH_%(tenant_id)s | http://192.168.1.2:8888/v1/AUTH_%(tenant_id)s | http://10.10.4.47:8888/v1               | b0753c9823ec43bba5f44a431df108f4 |
| 2e80ec27f90d48648ae6326ca34eeba7 | RegionOne | http://10.10.4.47:8774/v2/%(tenant_id)s      | http://192.168.1.2:8774/v2/%(tenant_id)s      | http://10.10.4.47:8774/v2/%(tenant_id)s | ec5b17f444ed49a9b5f785eff16be656 |
| 6a97f8e4d265421baa757ce262333bf2 | RegionOne | http://10.10.4.47:9292/v1                    | http://192.168.1.2:9292/v1                    | http://10.10.4.47:9292/v1               | f3e375536aac48fa8463660bbe91c12a |
| b4ab7b18688a461dbdb375ade57c7f22 | RegionOne | http://10.10.4.47:8776/v1/%(tenant_id)s      | http://192.168.1.2:8776/v1/%(tenant_id)s      | http://10.10.4.47:8776/v1/%(tenant_id)s | 1ab16c3a56314f81bf6d7ab4c96cf9ba |
| bbd0e9146ccd4a3aa329c2379960efa7 | RegionOne | http://10.10.4.47:5000/v2.0                  | http://192.168.1.2:5000/v2.0                  | http://10.10.4.47:35357/v2.0            | 0ef9d77e2ca44d2e94a58f98eaea46fc |
| fadb5bb02f364e838781179b3909afc2 | RegionOne | http://10.10.4.47:8773/services/Cloud        | http://192.168.1.2:8773/services/Cloud        | http://10.10.4.47:8773/services/Admin   | 2e7c422762a24306879dc3459c8d4ac0 |
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
```

Verification

```
keystone --os-username=admin --os-password=keystoneadmin --os-auth-url=http://10.10.4.47:35357/v2.0 token-get
No handlers could be found for logger "keystoneclient.v2_0.client"
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| expires  | 2013-03-02T01:25:40Z             |
| id       | 00d71cef161a467ebb3ef3646172906c |
| user_id  | 264de00cea3348cda1b968f31b369e92 |
+----------+----------------------------------+

keystone --os-username=admin --os-password=keystoneadmin --os-tenant-name=openstackDemo --os-auth-url=http://10.10.4.47:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | 2013-03-02T01:28:12Z             |
| id        | 16caeb836e75416d9ab2b09d38228022 |
| tenant_id | ac0da7079c8d4bc2b95009175b21fa66 |
| user_id   | 264de00cea3348cda1b968f31b369e92 |
+-----------+----------------------------------+
```

The first call passes no tenant, so Keystone issues an unscoped token: note that the output has no `tenant_id` row. An unscoped token carries no service catalog and cannot be used against Nova, Glance or the other services. The second call adds `--os-tenant-name=openstackDemo` and receives a token scoped to that tenant, with `tenant_id` set; this is the kind of token the services expect, and it is the token scoping the article linked at the top describes. The line `No handlers could be found for logger "keystoneclient.v2_0.client"` is a Python logging warning from the client library, not an error. Authentication here goes to the admin port 35357 because that is the endpoint at hand; ordinary users should use the public endpoint on port 5000, as the OS_AUTH_URL in part (2) does.

# OpenStack installation (2): Glance installation and configuration #

## 1. Install ##

```
yum install openstack-glance
```

## 2. Create and configure the database ##

```
mysql -u root -p
mysql> CREATE DATABASE glance;
mysql> GRANT ALL ON glance.* TO 'glance'@'%' IDENTIFIED BY '[YOUR_GLANCEDB_PASSWORD]';
mysql> GRANT ALL ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '[YOUR_GLANCEDB_PASSWORD]';
mysql> quit
```

Database user: glance, password: glanceadmin (this is the value to substitute for `[YOUR_GLANCEDB_PASSWORD]`; it is a different credential from the Keystone user glance created in part (1), whose password is `glance`). The `'glance'@'%'` grant allows that account to connect from any host; restrict it to the controller's address if the database is reachable from other networks.

# II. Glance configuration #

## 1. Configuration file ##

glance-api.conf

## 2. Let the glance-api service serve both versions of the OpenStack Images API ##

```
enable_v1_api=True
enable_v2_api=True
```

## 3. The official documentation notes that supporting the v2 API needs additional configuration ##

> In order to use the v2 API, you must copy the necessary SQL configuration from your glance-registry service to your glance-api configuration file.

## 4. Configure authentication (keystone) ##

/etc/glance/glance-api-paste.ini

```
[filter:authtoken]
admin_tenant_name = service
admin_user = glance
admin_password = glance
```

## 5. Add Keystone support ##

/etc/glance/glance-api.conf

```
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = glance

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = /etc/glance/glance-api-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone], you would configure the flavor below
# as 'keystone'.
flavor=keystone
```

The same service credentials now sit in cleartext in two files; keep the two copies identical, and keep both files readable only by root and the glance service user. `flavor=keystone` is the setting that actually turns authentication on: it selects the `[pipeline:glance-api-keystone]` pipeline from the paste file, and without it glance-api runs the default pipeline, which has no `authtoken` filter and therefore does not authenticate requests.

## 6. Restart the service ##

```
service openstack-glance-api restart
```

## 7. Configure glance-registry ##

File /etc/glance/glance-registry.conf

```
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = glance

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = /etc/glance/glance-registry-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-registry-keystone], you would configure the flavor below
# as 'keystone'.
flavor=keystone
```

## 8. Keystone support ##

Update /etc/glance/glance-registry-paste.ini

```
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp
```

The order matters: `authtoken` validates the incoming token and sets the identity headers, and `context` turns those headers into the request context, so `authtoken` must come first.

## 9. Database, /etc/glance/glance-registry.conf ##

```
sql_connection = mysql://glance:[YOUR_GLANCEDB_PASSWORD]@192.168.206.130/glance
```

Use the address of your own MySQL server as the host; 192.168.206.130 is not one of the addresses used elsewhere in this walkthrough. This line also holds the database password in cleartext, which is another reason to keep the file's permissions tight.

## 10. Initialise the database ##

```
glance-manage db_sync
```

## 11. Restart the services ##

```
service openstack-glance-api restart
service openstack-glance-registry restart
```

## 12. Troubleshooting: check the logs ##

```
/var/log/glance/registry.log
/var/log/glance/api.log
```

## 13. Environment variables ##

```
export OS_USERNAME=admin
export OS_TENANT_NAME=openstackDemo
export OS_PASSWORD=keystoneadmin
export OS_AUTH_URL=http://localhost:5000/v2.0/
export OS_REGION_NAME=RegionOne
```

OS_AUTH_URL points at the public port 5000, not the admin port 35357 used during bootstrap, and OS_TENANT_NAME is set so that the client obtains a tenant-scoped token, which is what Glance needs. Keeping the password in the environment rather than on the command line keeps it out of `ps` output and shell history, though any process started from this shell inherits it.

## 14. Usage ##

```
glance image-create --name=cirros-0.3.0-x86_64 --disk-format=qcow2 --container-format=bare < stackimages/cirros.img
Added new image with ID: f4addd24-4e8a-46bb-b15d-fae2591f1a35
```

[OpenStack Keystone Workflow _ Token Scoping]: https://www.ibm.com/developerworks/mydeveloperworks/blogs/e93514d3-c4f0-4aa0-8844-497f370090f5/entry/openstack_keystone_workflow_token_scoping?lang=en
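The two `token-get` calls in the verification step of part (1) are the Keystone v2.0 password exchange: a `POST /v2.0/tokens` whose body either omits or includes `tenantName`. The following is an added example, not code from the original post or from the Keystone project, written in Python so that it runs without a Keystone server. It builds both request bodies, parses the responses, rejects an expired token, and resolves a service URL from the catalog that only a scoped token carries. The two responses are constructed from the values the page shows (token ids, expiry times, user and tenant ids); their `serviceCatalog` entries are assumed to match the endpoints registered in part (1).

```python
"""Keystone v2.0 password authentication: unscoped vs tenant-scoped tokens.

Added example, not part of the original post. Responses below are CONSTRUCTED
from the values shown on the page so the code runs offline.
"""
import json
from datetime import datetime, timedelta, timezone


def auth_request(username, password, tenant_name=None):
    """JSON body for POST /v2.0/tokens; without tenant_name the token is unscoped."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name is not None:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def parse_token(response, now=None):
    """Extract what a client needs from a /v2.0/tokens response.

    tenant_id is None for an unscoped token; such a token has no serviceCatalog
    and cannot be used against Nova, Glance or the other services.
    """
    access = response["access"]
    token = access["token"]
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("token %s expired at %s" % (token["id"], token["expires"]))
    tenant = token.get("tenant")
    return {
        "id": token["id"],
        "expires": expires,
        "user_id": access["user"]["id"],
        "tenant_id": tenant["id"] if tenant else None,
        "catalog": access.get("serviceCatalog", []),
    }


def endpoint_url(catalog, service_type, region="RegionOne", interface="publicURL"):
    """Pick one URL from the catalog; Keystone has already filled in %(tenant_id)s."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep.get("region") == region and interface in ep:
                return ep[interface]
    raise LookupError("no %s for %s in %s" % (interface, service_type, region))


# Constructed responses (values from the page; catalog entries assumed).
UNSCOPED = {"access": {
    "token": {"id": "00d71cef161a467ebb3ef3646172906c", "expires": "2013-03-02T01:25:40Z"},
    "user": {"id": "264de00cea3348cda1b968f31b369e92", "name": "admin", "roles": []},
    "serviceCatalog": [],
}}
TENANT = "ac0da7079c8d4bc2b95009175b21fa66"
SCOPED = {"access": {
    "token": {"id": "16caeb836e75416d9ab2b09d38228022", "expires": "2013-03-02T01:28:12Z",
              "tenant": {"id": TENANT, "name": "openstackDemo"}},
    "user": {"id": "264de00cea3348cda1b968f31b369e92", "name": "admin",
             "roles": [{"name": "admin"}]},
    "serviceCatalog": [
        {"type": "compute", "name": "nova", "endpoints": [{
            "region": "RegionOne",
            "publicURL": "http://10.10.4.47:8774/v2/" + TENANT,
            "internalURL": "http://192.168.1.2:8774/v2/" + TENANT,
            "adminURL": "http://10.10.4.47:8774/v2/" + TENANT}]},
        {"type": "image", "name": "glance", "endpoints": [{
            "region": "RegionOne",
            "publicURL": "http://10.10.4.47:9292/v1",
            "internalURL": "http://192.168.1.2:9292/v1",
            "adminURL": "http://10.10.4.47:9292/v1"}]},
    ],
}}
# Fixed instant between issue and expiry so the checks are reproducible.
AS_OF = datetime(2013, 3, 2, 1, 0, 0, tzinfo=timezone.utc)


def demo():
    unscoped = parse_token(UNSCOPED, now=AS_OF)
    scoped = parse_token(SCOPED, now=AS_OF)
    try:                       # same token an hour later: must be refused
        parse_token(UNSCOPED, now=AS_OF + timedelta(hours=1))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    try:                       # unscoped token has no catalog to resolve against
        endpoint_url(unscoped["catalog"], "image")
        unscoped_resolves = True
    except LookupError:
        unscoped_resolves = False
    return {
        "unscoped_tenant": unscoped["tenant_id"],
        "scoped_tenant": scoped["tenant_id"],
        "image_url": endpoint_url(scoped["catalog"], "image"),
        "compute_internal_url": endpoint_url(scoped["catalog"], "compute",
                                             interface="internalURL"),
        "expired_rejected": expired_rejected,
        "unscoped_resolves_endpoint": unscoped_resolves,
    }


if __name__ == "__main__":
    print(json.dumps(auth_request("admin", "keystoneadmin", "openstackDemo"), indent=2))
    print(json.dumps(demo(), indent=2, default=str))
```

Sending `auth_request(...)` to the public endpoint `http://10.10.4.47:5000/v2.0/tokens` is what the `keystone` client does under `token-get`; the point of the example is the difference in what comes back, and that a client should check `expires` and use `internalURL` on the management network rather than trusting whatever URL it was handed.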
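Steps 4 to 8 of the Glance configuration wire the service to Keystone through two files, and a single forgotten line (`flavor=keystone`) leaves the API answering unauthenticated requests. The following check is an added example, not code from the original post or from the Glance project: it reads a service conf and its paste ini, follows `[paste_deploy] flavor` to the selected pipeline, confirms `authtoken` is present and ordered before `context`, and flags the weak settings shown on the page (`auth_protocol = http`, a password equal to the user name, credential copies that drift apart). The two config texts are constructed from the page's fragments for glance-registry and abbreviated; the `paste.app_factory` and `paste.filter_factory` lines are assumed. The same check applies unchanged to glance-api.conf and glance-api-paste.ini with `service="glance-api"`.

```python
"""Verify that a Glance service is actually wired to Keystone.

Added example, not part of the original post or of Glance. Config texts below
are CONSTRUCTED from the page's fragments; factory lines are assumed.
"""
import configparser

AUTHTOKEN_KEYS = ("auth_host", "auth_port", "auth_protocol",
                  "admin_tenant_name", "admin_user", "admin_password")


def _load(text):
    # interpolation=None: OpenStack configs contain %(tenant_id)s-style values
    # that configparser would otherwise try to expand.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_keystone_wiring(conf_text, paste_text, service="glance-registry"):
    """Return 'FAIL: ...' / 'WARN: ...' findings; an empty list means all good."""
    conf, paste = _load(conf_text), _load(paste_text)
    findings = []

    # 1. Which pipeline does [paste_deploy] flavor select?  With flavor unset,
    #    paste-deploy uses [pipeline:<service>], which has no authtoken stage.
    flavor = conf.get("paste_deploy", "flavor", fallback="").strip()
    pipeline_name = "pipeline:" + service + ("-" + flavor if flavor else "")
    if not paste.has_section(pipeline_name):
        findings.append("FAIL: %s is not defined in the paste ini" % pipeline_name)
        return findings
    stages = paste.get(pipeline_name, "pipeline").split()
    if "authtoken" not in stages:
        findings.append("FAIL: %s = %s has no authtoken filter; the API accepts "
                        "unauthenticated requests" % (pipeline_name, " ".join(stages)))
    elif "context" in stages and stages.index("authtoken") > stages.index("context"):
        findings.append("FAIL: authtoken must run before context in %s" % pipeline_name)

    # 2. Does the middleware have the service credentials it needs to validate tokens?
    if not conf.has_section("keystone_authtoken"):
        findings.append("FAIL: [keystone_authtoken] section missing from service conf")
        return findings
    kt = conf["keystone_authtoken"]
    for key in AUTHTOKEN_KEYS:
        if not kt.get(key, "").strip():
            findings.append("FAIL: [keystone_authtoken] %s is unset" % key)
    if kt.get("auth_protocol", "http").strip().lower() == "http":
        findings.append("WARN: auth_protocol = http, service credentials and user "
                        "tokens travel to Keystone in the clear")
    if kt.get("admin_password") and kt.get("admin_password") == kt.get("admin_user"):
        findings.append("WARN: admin_password equals admin_user (%r), placeholder "
                        "credential" % kt.get("admin_user"))

    # 3. The page also puts the credentials in [filter:authtoken] of the paste
    #    ini; flag a copy that has drifted so a stale one is not left behind.
    if paste.has_section("filter:authtoken"):
        ft = paste["filter:authtoken"]
        for key in ("admin_tenant_name", "admin_user", "admin_password"):
            if key in ft and ft[key] != kt.get(key, ""):
                findings.append("WARN: %s differs between [filter:authtoken] and "
                                "[keystone_authtoken]" % key)
    return findings


# Constructed from the page's glance-registry fragments (abbreviated).
REGISTRY_CONF = """\
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = glance

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = /etc/glance/glance-registry-paste.ini
flavor = keystone
"""
# Same file with the flavor line forgotten.
REGISTRY_CONF_NO_FLAVOR = REGISTRY_CONF.replace("flavor = keystone\n", "")

REGISTRY_PASTE = """\
[pipeline:glance-registry]
pipeline = context registryapp

# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp

[app:registryapp]
paste.app_factory = glance.registry.api.v1:API_factory

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name = service
admin_user = glance
admin_password = glance
"""


def demo():
    return {
        "as_on_page": check_keystone_wiring(REGISTRY_CONF, REGISTRY_PASTE),
        "flavor_forgotten": check_keystone_wiring(REGISTRY_CONF_NO_FLAVOR, REGISTRY_PASTE),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for line in findings or ["OK"]:
            print("  " + line)
```

Run against the page's own configuration it reports two warnings (plain http to Keystone, password equal to user name) and no failure; with the `flavor` line missing it reports that the selected pipeline has no `authtoken` filter, which is exactly the condition the restart in step 11 would not complain about.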