Installing the Identity Service (Keystone)

Keystone architecture overview

Create the database

$ mysql -u root -p

MariaDB failed to start:
Error message: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
Cause: the openstack.cnf configuration file was wrong. I had swapped the IP addresses of the two machines, so naturally the address could not be bound.
Fix: correct openstack.cnf, then restart the MariaDB service with systemctl restart mariadb

Create the keystone database and grant the keystone user privileges on it:

MariaDB [(none)]> create database keystone;
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'KEYSTONE_DBPASSWORD';
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'KEYSTONE_DBPASSWORD';

Replace KEYSTONE_DBPASSWORD with the password you want for the keystone database user. The second grant ('keystone'@'%') accepts that login from any host; Keystone needs it because its connection string addresses the database by the host name controller rather than as localhost, so the bind-address in openstack.cnf and the firewall are what limit where the login can be attempted from.

Install and configure the components

# yum install openstack-keystone httpd mod_wsgi

Edit the Keystone configuration file /etc/keystone/keystone.conf:

[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASSWORD@controller/keystone

[token]
# ...
provider = fernet

Comment out or remove any other connection options in the [database] section.
Replace KEYSTONE_DBPASSWORD with the password you set for the database user above.
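The two settings above are easy to get subtly wrong: a copy-and-paste that leaves a second "connection =" inside the value (which is then not a URL at all), a placeholder password that was never replaced, a user or database name that does not match the grants issued earlier, or a token provider other than fernet. The following script is an added example, not code from the original post or from Keystone; it parses a keystone.conf-style text with the standard library and reports those mistakes. The expected user and database names are assumptions taken from the GRANT statements above, and the two sample configs are constructed for this example.

```python
"""Sanity-check the [database] and [token] settings edited in keystone.conf.

Added example; the expected user/database names are assumed from the grants
above, and BROKEN_CONF / GOOD_CONF are constructed inputs.
"""
import configparser
from urllib.parse import urlsplit

EXPECTED_DB_USER = "keystone"   # assumption: matches the GRANT statements above
EXPECTED_DB_NAME = "keystone"
PLACEHOLDER = "KEYSTONE_DBPASSWORD"


def check_keystone_conf(text):
    """Return a list of findings; an empty list means the two sections look right."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    conn = cp.get("database", "connection", fallback=None)
    if conn is None:
        findings.append("[database] connection is missing")
    else:
        if conn.lstrip().startswith("connection"):
            findings.append("[database] connection value starts with a second "
                            "'connection =' (duplicated key, the value is not a URL)")
        url = urlsplit(conn)
        if url.scheme != "mysql+pymysql":
            findings.append(f"[database] connection scheme is {url.scheme!r}, "
                            "expected 'mysql+pymysql'")
        if url.username != EXPECTED_DB_USER:
            findings.append(f"[database] connection user is {url.username!r}, "
                            f"but privileges were granted to {EXPECTED_DB_USER!r}")
        if not url.password or url.password == PLACEHOLDER:
            findings.append("[database] connection password is empty or still the "
                            f"{PLACEHOLDER} placeholder")
        if url.path.strip("/") != EXPECTED_DB_NAME:
            findings.append(f"[database] connection database is {url.path!r}, "
                            f"expected '/{EXPECTED_DB_NAME}'")

    provider = cp.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append(f"[token] provider is {provider!r}, expected 'fernet'")
    return findings


# Constructed sample: the duplicated-key variant of the snippet above.
BROKEN_CONF = """\
[database]
# ...
connection = connection = mysql+pymysql://keystone:KEYSTONE_DBPASSWORD@controller/keystone

[token]
# ...
provider = fernet
"""

# Constructed sample: the corrected form with a real (made-up) password.
GOOD_CONF = """\
[database]
connection = mysql+pymysql://keystone:example-db-pass@controller/keystone

[token]
provider = fernet
"""

if __name__ == "__main__":
    import sys
    # Pass /etc/keystone/keystone.conf as the first argument to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for finding in check_keystone_conf(text) or ["OK"]:
        print(finding)
```

Run it against /etc/keystone/keystone.conf before keystone-manage db_sync; a duplicated key or a leftover placeholder shows up here as a finding instead of as a connection error buried in a traceback.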

Populate the Identity service database:

# su -s /bin/sh -c "keystone-manage db_sync" keystone

Database sync failed:
Error message:

Traceback (most recent call last):
    File "/usr/bin/keystone-manage", line 6, in <module>
      from keystone.cmd.manage import main
    File "/opt/stack/keystone/keystone/cmd/manage.py", line 32, in <module>
      from keystone.cmd import cli
    File "/opt/stack/keystone/keystone/cmd/cli.py", line 32, in <module>
      from keystone.common.sql import migration_helpers
    File "/opt/stack/keystone/keystone/common/sql/migration_helpers.py", line 21, in <module>
      from oslo_db.sqlalchemy import migration
    File "/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/migration.py", line 45, in <module>
      from migrate.versioning import api as versioning_api
    File "/usr/lib/python2.7/site-packages/migrate/versioning/api.py", line 33, in <module>
      from migrate.versioning import (repository, schema, version,
    File "/usr/lib/python2.7/site-packages/migrate/versioning/repository.py", line 13, in <module>
      from migrate.versioning import version, pathed, cfgparse
    File "/usr/lib/python2.7/site-packages/migrate/versioning/version.py", line 10, in <module>
      from migrate.versioning import pathed, script
    File "/usr/lib/python2.7/site-packages/migrate/versioning/script/__init__.py", line 6, in <module>
      from migrate.versioning.script.sql import SqlScript
    File "/usr/lib/python2.7/site-packages/migrate/versioning/script/sql.py", line 7, in <module>
      import sqlparse
    File "/usr/lib/python2.7/site-packages/sqlparse/__init__.py", line 14, in <module>
      from sqlparse import filters
    File "/usr/lib/python2.7/site-packages/sqlparse/filters/__init__.py", line 20, in <module>
      from sqlparse.filters.reindent import ReindentFilter
    File "/usr/lib/python2.7/site-packages/sqlparse/filters/reindent.py", line 10, in <module>
      from sqlparse.utils import offset, indent
  ImportError: cannot import name offset
  

Cause: DevStack had previously been installed on the same machine and its pip packages had not been updated.
Fix: uninstall sqlparse and reinstall it. Repeat the uninstall until pip reports that nothing is left, then reinstall:

# pip uninstall sqlparse
# pip install sqlparse
  

Initialize the Fernet key repositories and bootstrap the Identity service:

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# keystone-manage bootstrap --bootstrap-password ADMIN_PASSWORD --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

Replace ADMIN_PASSWORD with the password you want for the admin user.
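keystone-manage fernet_setup writes the token-signing keys to a repository on disk (/etc/keystone/fernet-keys by default), as a directory owned by the keystone user with mode 0700, containing key files named by integer with mode 0600: 0 is the staged key and the highest number is the primary key. Anyone who can read those files can mint a valid token for any user, so it is worth checking the layout after setup. The script below is an added example, not part of the original post or of keystone-manage; demo_repo() builds a throwaway repository in a temporary directory so the check runs offline, and the keystone service user is only looked up when the script is run directly.

```python
"""Check the Fernet key repository created by `keystone-manage fernet_setup`.

Added example. DEFAULT_REPO is Keystone's default location; the ownership
and mode expectations encode what fernet_setup produces.
"""
import base64
import os
import stat
import tempfile

DEFAULT_REPO = "/etc/keystone/fernet-keys"


def check_fernet_repo(path=DEFAULT_REPO, owner_uid=None):
    """Return findings for the repository; empty means it matches fernet_setup's layout."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (run keystone-manage fernet_setup)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    if mode & 0o077:
        findings.append(f"{path} has mode {mode:04o}; group/other must have no access (expected 0700)")
    keys = []
    for name in sorted(os.listdir(path)):
        fst = os.stat(os.path.join(path, name))
        fmode = stat.S_IMODE(fst.st_mode)
        if not name.isdigit():
            findings.append(f"unexpected entry {name!r} in key repository")
            continue
        if fst.st_uid != owner_uid:
            findings.append(f"key {name} is owned by uid {fst.st_uid}, expected {owner_uid}")
        if fmode & 0o077:
            findings.append(f"key {name} has mode {fmode:04o}; expected 0600")
        if fst.st_size == 0:
            findings.append(f"key {name} is empty")
        keys.append(int(name))
    if 0 not in keys:
        findings.append("no staged key '0' (fernet_setup creates it)")
    if not any(k > 0 for k in keys):
        findings.append("no primary key (highest-numbered file, at least '1')")
    return findings


def demo_repo(harden=True):
    """Build a throwaway repository; harden=False leaves it group/world readable."""
    repo = os.path.join(tempfile.mkdtemp(), "fernet-keys")
    os.mkdir(repo)
    os.chmod(repo, 0o700 if harden else 0o755)   # explicit, so the umask does not matter
    for name in ("0", "1"):                        # staged key and primary key
        key_path = os.path.join(repo, name)
        with open(key_path, "wb") as fh:
            # Same shape as a Fernet key: 32 random bytes, urlsafe base64.
            fh.write(base64.urlsafe_b64encode(os.urandom(32)))
        os.chmod(key_path, 0o600 if harden else 0o644)
    return repo


if __name__ == "__main__":
    import pwd
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REPO
    try:
        uid = pwd.getpwnam("keystone").pw_uid      # service user created by the package
    except KeyError:
        uid = None                                 # fall back to the current user
    for finding in check_fernet_repo(path, uid) or ["OK"]:
        print(finding)
```

On the controller, run it as root against the real repository; every finding it prints is a way for another local account to read or replace the signing keys.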

Configure the Apache HTTP server

Edit /etc/httpd/conf/httpd.conf and set ServerName to the controller node's hostname, for example:

ServerName controller

Create a symbolic link to the wsgi-keystone.conf file in conf.d:

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d

Enable and start the Apache service:

# systemctl enable httpd
# systemctl start httpd

Set environment variables

$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASSWORD
$ export OS_PROJECT_NAME=admin
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

ADMIN_PASSWORD must be the same password you passed to keystone-manage bootstrap.

Create projects, users and roles

Create a service project, which will hold a separate user for each service you add:

$ openstack project create --domain default --description "Service Project" service

Create a demo project for regular, non-admin users and tasks:

$ openstack project create --domain default --description "Demo Project" demo

Create the demo user; you are prompted for its password (DEMO_PASSWORD below):

$ openstack user create --domain default --password-prompt demo

Create the user role:

$ openstack role create user

Add the user role to the demo user in the demo project:

$ openstack role add --project demo --user demo user

Harden the deployment

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. This disables the shared-secret admin token authentication method, which is only needed until bootstrap has created the admin user.
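The edit above is three lines, but on a file that is easy to mangle by hand and that has to be verified afterwards. The script below is an added example, not code from the original post or from Keystone: it removes admin_token_auth from each target pipeline while preserving the file's comments and ordering (a configparser round-trip would drop them), and it provides a second function that reports which pipelines still list the filter, for the check after editing. The [filter:admin_token_auth] definition itself is left in place; only its use in the pipelines goes. The keystone-paste.ini below is a constructed, abbreviated sample for this example.

```python
"""Remove admin_token_auth from the Keystone paste pipelines and verify the result.

Added example. SAMPLE_PASTE_INI is a constructed, shortened stand-in for
/etc/keystone/keystone-paste.ini.
"""
import os
import re

TARGET_SECTIONS = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER_NAME = "admin_token_auth"

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_PIPELINE_RE = re.compile(r"^(?P<key>\s*pipeline\s*=\s*)(?P<value>.*?)\s*$")


def strip_admin_token_auth(text, sections=TARGET_SECTIONS, name=FILTER_NAME):
    """Return (new_text, sections_changed) with `name` dropped from each target pipeline."""
    out, changed, current = [], [], None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
        elif current in sections:
            pm = _PIPELINE_RE.match(line)
            if pm and name in pm.group("value").split():
                filters = [f for f in pm.group("value").split() if f != name]
                line = pm.group("key") + " ".join(filters)
                changed.append(current)
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def pipelines_using(text, name=FILTER_NAME):
    """Every section whose pipeline still lists `name`; use this as the post-edit check."""
    found, current = [], None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        pm = _PIPELINE_RE.match(line)
        if pm and current and name in pm.group("value").split():
            found.append(current)
    return found


def harden_file(path):
    """Rewrite `path` in place (keeping a .bak copy) and return the sections changed."""
    with open(path) as fh:
        original = fh.read()
    hardened, changed = strip_admin_token_auth(original)
    if changed:
        with open(path + ".bak", "w") as fh:
            fh.write(original)
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(hardened)
        os.replace(tmp, path)   # atomic swap, so httpd never reads a half-written file
    return changed


# Constructed, abbreviated keystone-paste.ini: the filter definition plus the
# three pipelines the guide tells you to edit.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # e.g. /etc/keystone/keystone-paste.ini
        print("changed:", harden_file(sys.argv[1]))
    else:
        hardened, changed = strip_admin_token_auth(SAMPLE_PASTE_INI)
        print("changed:", changed, "still using it:", pipelines_using(hardened))
```

After running it against the real file, restart httpd so the WSGI processes load the new pipelines, then confirm with pipelines_using() (or by reading the file) that no pipeline still lists admin_token_auth.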

Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:

$ unset OS_AUTH_URL OS_PASSWORD

Request an authentication token as the admin user:

$ openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue

Request an authentication token as the demo user:

$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue

Write client environment scripts

Environment variables set with export only last for the current shell, so on the client we want a simpler way to load them: an openrc file.

For the admin user, write admin-openrc:

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

ADMIN_PASSWORD must be the same password you passed to keystone-manage bootstrap.

For the demo user, write demo-openrc:

export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASSWORD
export OS_PROJECT_NAME=demo
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

DEMO_PASSWORD must be the password you entered at the prompt of openstack user create --domain default --password-prompt demo.

Using the scripts

Source the openrc script you just wrote to set the temporary environment variables (admin shown here; demo works the same way). From the directory containing the file, run:

$ . admin-openrc

Request an authentication token:

$ openstack token issue
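Both the explicit --os-* form of openstack token issue earlier and the openrc-then-token-issue flow above do the same thing on the wire: a POST to <OS_AUTH_URL>/auth/tokens carrying the Keystone v3 password method, scoped to a project by name and domain, answered with 201 Created and the token in the X-Subject-Token response header. The token is then sent as X-Auth-Token on every later request, which is why OS_PASSWORD is only needed for this one exchange. The script below is an added example, not code from the original post or from OpenStack; it builds that request from the same OS_* variables the openrc files export. FakeKeystone is a constructed stand-in for the controller so the exchange runs offline, and DEMO_ENV and the user names and passwords in it are made up for this example.

```python
"""What `openstack ... token issue` sends and receives (Keystone v3 password auth).

Added example. DEMO_ENV mirrors demo-openrc with assumed values; FakeKeystone
is a constructed stand-in for the controller.
"""
import json
import secrets
import urllib.error
import urllib.request

DEMO_ENV = {                                  # constructed, mirrors demo-openrc
    "OS_USERNAME": "demo",
    "OS_PASSWORD": "DEMO_PASSWORD",
    "OS_PROJECT_NAME": "demo",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_AUTH_URL": "http://controller:5000/v3",
}


def build_password_auth(env):
    """Keystone v3 body: the password method, scoped to a project by name and domain."""
    missing = [k for k in ("OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME", "OS_AUTH_URL")
               if not env.get(k)]
    if missing:
        raise ValueError("openrc incomplete, missing: " + ", ".join(missing))
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": env["OS_USERNAME"],
                "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")},
                "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")}}}}}


def issue_token(env, opener=urllib.request.urlopen):
    """POST /v3/auth/tokens and return (http_status, token_or_None).

    Keystone answers 201 Created with the token in X-Subject-Token (the JSON
    body only describes the token); 401 means the credentials were rejected.
    """
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    req = urllib.request.Request(
        url, data=json.dumps(build_password_auth(env)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with opener(req) as resp:
            return resp.status, resp.headers.get("X-Subject-Token")
    except urllib.error.HTTPError as err:
        return err.code, None


def auth_header(token):
    """How the issued token is presented on every later API request."""
    return {"X-Auth-Token": token}


class _Response:
    def __init__(self, status, headers):
        self.status, self.headers = status, headers

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeKeystone:
    """Constructed controller stand-in: validates the request shape and answers
    like the v3 API (201 + X-Subject-Token, 401 on bad credentials, 400 otherwise)."""

    def __init__(self, users):
        self.users = users        # name -> password, made up for this example
        self.issued = []

    def __call__(self, req):
        body = json.loads(req.data)
        if (req.get_method() != "POST" or not req.full_url.endswith("/v3/auth/tokens")
                or body["auth"]["identity"]["methods"] != ["password"]):
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {}, None)
        user = body["auth"]["identity"]["password"]["user"]
        if self.users.get(user["name"]) != user["password"]:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        token = secrets.token_urlsafe(48)
        self.issued.append(token)
        return _Response(201, {"X-Subject-Token": token})


if __name__ == "__main__":
    controller = FakeKeystone({"demo": "DEMO_PASSWORD"})
    print(issue_token(DEMO_ENV, opener=controller))                       # (201, '<token>')
    print(issue_token(dict(DEMO_ENV, OS_PASSWORD="wrong"), opener=controller))   # (401, None)
```

To run the same exchange against a real controller, build the env dict from os.environ after sourcing demo-openrc and call issue_token(env) with the default opener; the status and header handling are identical.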

Summary

It is basically a matter of following the official guide, but watch out for a few leftovers from earlier installs.

Category: Cloud Computing
