
OpenStack Mitaka pseudo-production deployment - keystone

2016-05-24 18:02

Identity service overview

The OpenStack Identity service provides a single point of integration for managing authentication, authorization and the service catalog. The other OpenStack services use it as a common, unified API. Services that hold user information but are not part of OpenStack (an LDAP directory, for example) can also be plugged into it, so an existing infrastructure can be reused. To benefit from the Identity service, the other OpenStack services must cooperate with it: when a service receives a request from a user, it asks the Identity service whether that user is authorized to make the request. The Identity service consists of these components:

Server

A centralized server that provides authentication and authorization services through a RESTful interface.

Drivers

Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories outside OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, an SQL database or an LDAP server).

Modules

Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user's credentials and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).

Prerequisites

On the database node, create the keystone database and grant the keystone user access from localhost, from any host (%) and from the controller name. The passwords are the ones used throughout this post; passing them on the command line as below writes them into the shell history, so on a real deployment supply them interactively or from a protected file.

mysql -uroot -pSWPUcs406mariadb -e "CREATE DATABASE keystone;"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "FLUSH PRIVILEGES;"


Install and configure the components

On all Controller nodes:

yum install -y openstack-keystone httpd mod_wsgi openstack-utils


Edit /etc/keystone/keystone.conf (replace 10.0.0.1X with the address of the controller you are on):

openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token SWPUcs406token
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:SWPUcs406dbkeystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 10.0.0.1X
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 10.0.0.1X

admin_token is a bootstrap shared secret: whoever knows it has full administrative access through the admin_token_auth filter, so it is used only to create the first users below and is then disabled. public_bind_host and admin_bind_host are read only by the deprecated eventlet server (keystone-all); with Keystone served by httpd as configured below, the bind addresses come from the Listen directives in wsgi-keystone.conf, so these two settings have no effect there.


On Controller1:

su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

On Controller2, create the key repository that will receive the copy:

mkdir -p /etc/keystone/fernet-keys
chmod 700 /etc/keystone/fernet-keys

Back on Controller1, copy the key files (the original command tried to scp the directory itself without -r, which fails with "not a regular file"):

scp -p /etc/keystone/fernet-keys/* controller2:/etc/keystone/fernet-keys/

On Controller2, hand the copied files back to the keystone user:

chown -R keystone:keystone /etc/keystone/fernet-keys
chmod 600 /etc/keystone/fernet-keys/*

Fernet tokens are symmetric: a token issued by one controller is only accepted by another if both hold the same key repository, so every controller must carry an identical copy. Any later rotation (keystone-manage fernet_rotate) must likewise be run on one node and the result copied to the others; rotating independently on each controller produces diverging keys and tokens that only validate on the controller that issued them.
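Because a token only validates where the same keys live, it is worth checking after the copy that controller2's repository is byte-identical to controller1's and that the copy kept the permissions fernet_setup sets. The script below is an added example, not part of the original post or of keystone: fernet_fingerprint prints a sorted sha256 list that can be compared between hosts, fernet_repo_matches compares two repositories reachable from one host (content, mode 700/600 and, optionally, owner), and make_sample_repo writes a constructed placeholder repository so the check can be tried offline. It assumes GNU coreutils (sha256sum, stat -c) as on CentOS 7; the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: verify a copied fernet key
# repository against its source. Assumes GNU coreutils (sha256sum, stat -c).

# Print "<sha256>  <key name>" for every key file in a repository, sorted,
# so the output can be diffed across hosts.
fernet_fingerprint() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
    done | sort
}

# fernet_repo_matches SRC DST [OWNER]
# Returns 0 when DST holds exactly the keys of SRC with the permissions
# fernet_setup uses (directory 700, files 600) and, if OWNER is given, is
# owned by that user. Each problem is reported on stderr. An empty SRC is an
# error so that two empty directories never pass.
fernet_repo_matches() {
    src=$1; dst=$2; owner=${3:-}; rc=0
    src_fp=$(fernet_fingerprint "$src")
    if [ -z "$src_fp" ]; then
        echo "no key files in $src" >&2
        return 1
    fi
    if [ "$src_fp" != "$(fernet_fingerprint "$dst")" ]; then
        echo "key files differ between $src and $dst" >&2; rc=1
    fi
    if [ "$(stat -c %a "$dst")" != 700 ]; then
        echo "$dst is not mode 700" >&2; rc=1
    fi
    if [ -n "$owner" ] && [ "$(stat -c %U "$dst")" != "$owner" ]; then
        echo "$dst is not owned by $owner" >&2; rc=1
    fi
    for f in "$dst"/*; do
        [ -f "$f" ] || continue
        if [ "$(stat -c %a "$f")" != 600 ]; then
            echo "$f is not mode 600" >&2; rc=1
        fi
        if [ -n "$owner" ] && [ "$(stat -c %U "$f")" != "$owner" ]; then
            echo "$f is not owned by $owner" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample repository for trying the check offline. The two files
# are placeholder strings, not valid fernet keys (real ones are written by
# keystone-manage fernet_setup); only names, modes and contents matter here.
make_sample_repo() {
    mkdir -p "$1" && chmod 700 "$1"
    printf 'placeholder-staged-key\n' > "$1/0"
    printf 'placeholder-primary-key\n' > "$1/1"
    chmod 600 "$1"/*
}

# Stand-alone use when both copies are visible from one host (hypothetical
# second path, e.g. a directory fetched from controller2 for inspection):
#   sh fernet-check.sh /etc/keystone/fernet-keys /root/controller2-fernet-keys keystone
if [ $# -ge 2 ]; then
    fernet_repo_matches "$1" "$2" "${3:-}" && echo "fernet repositories match"
fi
```

To compare across hosts without copying anything further, run fernet_fingerprint /etc/keystone/fernet-keys on each controller and diff the two outputs; a single differing line means the nodes will issue tokens the other cannot validate.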


On all Controller nodes, configure the HTTP server (replace 10.0.0.1x with the address of the node you are on; the original second Listen line was missing the colon before the port):

sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf <<'OFF'
Listen 10.0.0.1x:5000
Listen 10.0.0.1x:35357

<VirtualHost 10.0.0.1x:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>

<VirtualHost 10.0.0.1x:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
OFF

Both virtual hosts listen on the node's own address over plain HTTP; clients reach them through the name controller, which in this layout resolves to the load-balancer VIP in front of the controllers (see the HA guide in the references).


Finish the installation

systemctl enable httpd.service
systemctl start httpd.service


Create the service entity and API endpoints

On Controller1:

Export the bootstrap environment variables (no user exists yet, so these calls authenticate with the admin token):

export OS_TOKEN=SWPUcs406token
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3


Create the keystone service entity

openstack service create --name keystone --description "OpenStack Identity" identity


Create the endpoints

openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3

Create the default domain

openstack domain create --description "Default Domain" default


Create the roles

openstack role create admin
openstack role create user


Create the admin project and user (when prompted, enter the password that admin-openrc below uses, SWPUcs406admin; the original line passed the password as an extra positional argument, which openstack user create rejects)

openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
openstack role add --project admin --user admin admin


Create the service project

openstack project create --domain default --description "Service Project" service


Create the demo project and user (enter the password that demo-openrc below uses, SWPUcs406demo)

openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
openstack role add --project demo --user demo user


Verify Keystone

On every controller, remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] pipelines in /etc/keystone/keystone-paste.ini and restart httpd (systemctl restart httpd.service) so the change takes effect; the admin_token option in keystone.conf can be commented out at the same time. From here on the bootstrap token no longer authenticates, which is why OS_TOKEN and OS_URL are unset before the password-based checks:
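The pipeline edit is the step that actually closes the bootstrap hole, and it has to be repeated identically on each controller, so it is worth scripting and checking. The script below is an added example, not from the original post or from keystone: it deletes the admin_token_auth filter from every "pipeline = ..." line with sed (the three pipelines named above are the only ones that carry it), comments out admin_token in keystone.conf, and reports whether either file still references the mechanism. write_sample_paste_ini writes a constructed, abbreviated copy of the Mitaka pipeline sections for a dry run on temporary files; GNU sed is assumed, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: disable the admin_token
# bootstrap mechanism on a controller. Assumes GNU sed (CentOS 7). File paths
# are parameters so the functions can be tried on copies before /etc/keystone.

# Remove the admin_token_auth filter wherever it appears in a pipeline line,
# keeping the surrounding filter names and spacing intact.
strip_admin_token_auth() {
    sed -i -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/' "$1"
}

# Comment out admin_token so the shared secret is no longer configured at all.
disable_admin_token_option() {
    sed -i -E 's/^([[:space:]]*admin_token[[:space:]]*=)/#\1/' "$1"
}

# admin_token_disabled PASTE_INI KEYSTONE_CONF
# Returns 0 when no pipeline still lists admin_token_auth and admin_token is
# not set; run it as the check before restarting httpd on each controller.
admin_token_disabled() {
    ! grep -qE '^pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1" \
        && ! grep -qE '^[[:space:]]*admin_token[[:space:]]*=' "$2"
}

# Constructed sample, modelled on the three Mitaka pipelines that carry the
# filter; the real keystone-paste.ini has many more filter and app sections.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
EOF
}

# Stand-alone use on a controller (run on every node, then restart httpd):
#   sh disable-admin-token.sh /etc/keystone/keystone-paste.ini /etc/keystone/keystone.conf
if [ $# -eq 2 ]; then
    strip_admin_token_auth "$1"
    disable_admin_token_option "$2"
    admin_token_disabled "$1" "$2" && echo "admin_token mechanism disabled in $1 and $2"
fi
```

The [filter:admin_token_auth] definition is left in place on purpose: only the pipeline references decide whether the filter runs, which is what the install guide has you remove, and a definition nothing references is inert.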

unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue


+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:53:37.208304Z                                             |
| id         | gAAAAABXOqPRLF4fdxaeLV-1_bXeSknDjVgn91qer1wxlsMaUtsZ9feGjHvewJQQ8HgFKCF |
|            | b0sZnm0MOOk9qUF4jeyPAy2uFZXuuEmL2avStN-cPguXBC09Sm7mosKh1hwdncv3E7oxe8N |
|            | Ge8yD0A2_RHfwV5wWj2uBXQMf2qCcBk7iltsaBfT4                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+


openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue


+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:54:20.743858Z                                             |
| id         | gAAAAABXOqP8laJo3borpBVKlEEIHk1xgkVAIyLKbOrxMUm2CfoxI0ZjbFRfqqRhVX4oZwh |
|            | n6E9dtjj5RxkOFZBM_6wIAK6RUl18g8T6AmDNx0Izv-                             |
|            | ngAdctlB2ZO0FuMJUvJrYjcIjzPPbzuCkFmJJWjVCK3GIOekjrABH7vu5yK_r8SywprFI   |
| project_id | 64da450222c74ffcae213fe29a7ea9a6                                        |
| user_id    | 5da76ac5669c4afd95ce411a75d23461                                        |
+------------+-------------------------------------------------------------------------+


On all Controller nodes

Environment file for the admin user (these files hold the passwords in clear text, so keep them readable by root only, e.g. chmod 600 admin-openrc demo-openrc)

cat > admin-openrc << OFF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=SWPUcs406admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
OFF


Environment file for the demo user

cat > demo-openrc << OFF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=SWPUcs406demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
OFF


Verify

. admin-openrc
openstack token issue


+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-24T10:56:18.447602Z                                             |
| id         | gAAAAABXRCVCpWWTz-W_Oe0Pgvi_97clytWFDlFeuwGWzwZRZ8X0Eir9nxoMDJChcgaDfg4 |
|            | w4EPIlza0nTKZiSSYlkOmp_tw43OuESfxiZ3DRJt1JZDjYayUn59xD80MmMs528QpkdgtNh |
|            | qGZDPeOaaop-Bpun_Qg5JPLj0KN8x-fpyBGRo1kMA                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+


References:

http://docs.openstack.org/ha-guide/controller-ha-identity.html

http://docs.openstack.org/mitaka/install-guide-rdo/keystone.html