OpenStack Identity Component Keystone: Deployment and Usage Tips
1. Introduction
Keystone is the identity service of the OpenStack cloud platform and the authentication provider that every other OpenStack service relies on. It is not an OAuth2 server: it implements OpenStack's own Identity API (v3). A client authenticates with one of the supported methods (username/password against the SQL or LDAP identity backend, an existing token, application credentials, or a federated identity such as SAML or OpenID Connect; OAuth-style delegation exists only as optional extensions), receives a short-lived token (Fernet tokens in current releases), and presents it in the X-Auth-Token header to Keystone and to the other services, which validate it through Keystone. Keystone also holds the service catalog (the endpoints of every service) and the role assignments that each service's policy consults for authorization.
2. Deploying Keystone
Before deploying Keystone you need MySQL (or MariaDB), Apache with mod_wsgi, memcached and the Keystone packages. The steps below assume an Ubuntu host with apt and the Python 2 era package names, and a hostname controller that resolves to this host (add it to /etc/hosts if there is no DNS). Replace KEYSTONE_DBPASS and ADMIN_PASS with strong, unique secrets: the first is the database credential, the second becomes the cloud's administrator password.
2.1 Install dependencies
$ sudo apt-get update
$ sudo apt-get install python-dev python-pip apache2 libapache2-mod-wsgi memcached openssl
$ sudo apt-get install mysql-server python-mysqldb
$ sudo apt-get install keystone python-openstackclient
2.2 Configure the database
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
The 'keystone'@'%' grant lets the keystone database user connect from any host; it is the one that matches when the connection URL in keystone.conf uses the name controller and that name resolves to a non-loopback address. Outside a lab, restrict it to the controller's actual address ('keystone'@'CONTROLLER_IP') instead of '%'. On MySQL 8 the GRANT ... IDENTIFIED BY form is no longer accepted: create the user first with CREATE USER 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; and then GRANT without the IDENTIFIED BY clause.
2.3 Configure Keystone
Keep the packaged /etc/keystone/keystone.conf rather than replacing it with an empty file: keystone-manage reads the database connection and the token settings from it, and none of the commands below work against an empty configuration. Edit it and set the following (the file now holds the database password, so leave it readable only by root and the keystone group, which is the package default):
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
With python-mysqldb installed as in 2.1 the plain mysql:// URL is correct; with python-pymysql it would be mysql+pymysql://... instead. Then populate the database schema, create the Fernet and credential key repositories, and bootstrap the initial identity data:
$ sudo -u keystone keystone-manage db_sync
$ sudo sh -c "keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone"
$ sudo sh -c "keystone-manage credential_setup --keystone-user keystone --keystone-group keystone"
$ sudo sh -c "keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:35357/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne"
The Fernet keys in /etc/keystone/fernet-keys/ sign and encrypt every token Keystone issues: whoever can read them can mint valid tokens for any user, so leave the directory at mode 0700 owned by keystone, back it up, and rotate the keys with keystone-manage fernet_rotate on a schedule. The bootstrap step creates the Default domain, the admin user, the admin project, the admin role and the identity service with its three endpoints; ADMIN_PASS is effectively the root password of the cloud. From the Queens release the separate admin endpoint on port 35357 is no longer needed and all three URLs can point at port 5000.
2.4 Configure Apache
Leave /etc/apache2/apache2.conf in place: it holds the module and site includes without which Apache does not start and the virtual hosts below would never be loaded. The only addition needed there is a ServerName matching the controller's hostname:
$ echo "ServerName controller" | sudo tee -a /etc/apache2/apache2.conf
Now define the two virtual hosts. Apache listens only on port 80 by default, so the Listen directives are required, and the WSGI applications are the keystone-wsgi-public and keystone-wsgi-admin entry points that the keystone package installs under /usr/bin:
$ sudo tee /etc/apache2/sites-available/wsgi-keystone.conf <<EOF
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
EOF
$ sudo a2ensite wsgi-keystone
WSGIPassAuthorization On passes the Authorization header through to Keystone instead of letting Apache consume it, and the daemon processes run as the unprivileged keystone user, so Apache itself never needs access to the Fernet keys. Everything here is plain HTTP: passwords and tokens cross the network in clear text, so outside a lab terminate TLS on these virtual hosts (or on a proxy in front of them) and register https URLs in the bootstrap step.
2.5 Restart Apache and memcached, disable the standalone Keystone service
Keystone now runs inside Apache. A standalone keystone process would try to bind the same ports, so stop it and keep it from starting at boot (releases from Newton onward no longer ship one):
$ sudo service apache2 restart
$ sudo service memcached restart
$ sudo service keystone stop
$ echo "manual" | sudo tee /etc/init/keystone.override
On a systemd host use sudo systemctl disable keystone instead of the Upstart override. Finally confirm that Apache, not a leftover keystone process, owns ports 5000 and 35357:
$ sudo ss -lntp | grep -E ':(5000|35357) '
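To check a finished keystone.conf for the settings this section depends on, here is an added example written for this article (it is not code from the article's author or from the Keystone project), in Python 3 using only the standard library. It flags a token provider other than fernet, a token lifetime above one hour, a leftover admin_token, insecure_debug, and a missing or sqlite database connection, and checks the permissions of the Fernet key directory. It runs on two constructed configuration fragments, one weak and one corrected; the thresholds, the fragments and the default paths are assumptions.

```python
"""Added example: security checks over keystone.conf settings (not Keystone project code)."""
import configparser
import io
import os
import stat


def check_keystone_conf(text):
    """Return a list of findings for the given keystone.conf contents.
    An empty list means nothing was flagged."""
    # interpolation=None: oslo.config files may contain literal '%' characters.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_file(io.StringIO(text))
    findings = []

    # Tokens must come from the Fernet provider whose keys fernet_setup created;
    # anything else is a legacy provider.
    provider = cfg.get("token", "provider", fallback="")
    if provider.lower() != "fernet":
        findings.append("[token] provider is %r, expected fernet" % provider)

    # Default lifetime is 3600 s; longer lifetimes widen the window in which a
    # stolen token stays usable (threshold here is an assumption).
    expiration = cfg.getint("token", "expiration", fallback=3600)
    if expiration > 3600:
        findings.append("[token] expiration=%d is longer than one hour" % expiration)

    # The shared admin_token of old releases bypassed authentication entirely;
    # bootstrap replaced it, so it must not be set.
    if cfg.has_option("DEFAULT", "admin_token"):
        findings.append("[DEFAULT] admin_token is set; remove it and use bootstrap")

    # insecure_debug returns the reason for an authentication failure to the client.
    if cfg.getboolean("DEFAULT", "insecure_debug", fallback=False):
        findings.append("[DEFAULT] insecure_debug = true leaks auth failure details")

    # db_sync and bootstrap need the connection; sqlite means the MySQL
    # database from section 2.2 is not actually being used.
    conn = cfg.get("database", "connection", fallback="")
    if not conn:
        findings.append("[database] connection is missing")
    elif conn.startswith("sqlite"):
        findings.append("[database] connection uses sqlite, not the MySQL database")
    return findings


def check_fernet_key_dir(path="/etc/keystone/fernet-keys"):
    """Findings for the Fernet key repository (assumed default path): it must be a
    directory with no group/other access, as fernet_setup creates it (mode 0700)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist; run keystone-manage fernet_setup" % path]
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("%s is not a directory" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("%s is mode %o; group/other access lets others mint tokens" % (path, mode))
    return findings


# Constructed configuration fragments (not taken from any real deployment).
WEAK_CONF = """
[DEFAULT]
admin_token = ADMIN_TOKEN
insecure_debug = true
[database]
connection = sqlite:////var/lib/keystone/keystone.db
[token]
provider = uuid
expiration = 86400
"""

HARDENED_CONF = """
[DEFAULT]
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
expiration = 3600
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_keystone_conf(text) or "OK")
    if os.path.exists("/etc/keystone/keystone.conf"):
        with open("/etc/keystone/keystone.conf") as f:
            print("live config", check_keystone_conf(f.read()) or "OK")
        print("fernet keys", check_fernet_key_dir() or "OK")
```

Run as is it reports on the two fragments; on a controller it also reads the real keystone.conf and inspects the key directory (root privileges are needed to stat a 0700 directory owned by keystone).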
3. Usage Tips
3.1 Using the Keystone command line
The openstack client needs credentials before any command works. Use the admin identity that bootstrap created by exporting its settings (keep them in an admin-openrc file and source it; the file contains the admin password, so protect it accordingly):
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
# Verify that Keystone works: this authenticates, obtains a token and lists the service catalog
$ openstack catalog list
# Create a new user
$ openstack user create --domain default --password-prompt USER_NAME
# Delete a user
$ openstack user delete USER_ID
# Create a new project
$ openstack project create --domain default --description "PROJECT_DESCRIPTION" PROJECT_NAME
# Delete a project
$ openstack project delete PROJECT_ID
# Create a new role
$ openstack role create ROLE_NAME
# Delete a role
$ openstack role delete ROLE_ID
# List users
$ openstack user list
# List projects
$ openstack project list
# List roles
$ openstack role list
# Grant a user a role on a project (this is what gives the user's tokens their scope and permissions)
$ openstack role add --project PROJECT_ID --user USER_ID ROLE_NAME
# Revoke that assignment
$ openstack role remove --project PROJECT_ID --user USER_ID ROLE_NAME
# Audit who holds which role where, with names instead of IDs
$ openstack role assignment list --names
3.2 Keystone API usage examples
Every call except authentication itself must carry a token in the X-Auth-Token header. A token is obtained by posting the credentials to /v3/auth/tokens; the token value is returned in the X-Subject-Token response header, not in the JSON body, while the body describes the token's scope, roles and service catalog:
# Obtain a project-scoped token for the admin user
$ curl -si -X POST \
-H "Content-Type: application/json" \
-d '{"auth": {"identity": {"methods": ["password"], "password": {"user": {"name": "admin", "domain": {"name": "Default"}, "password": "ADMIN_PASS"}}}, "scope": {"project": {"name": "admin", "domain": {"name": "Default"}}}}}' \
"http://<KEYSTONE_IP>:5000/v3/auth/tokens" | grep -i X-Subject-Token
# Create a new user (domain_id is optional and defaults to the domain of the token's scope)
$ curl -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: TOKEN" \
-d '{"user": {"name": "user1", "password": "PASSWORD", "domain_id": "default", "default_project_id": "PROJECT_ID", "enabled": true}}' \
"http://<KEYSTONE_IP>:5000/v3/users" -s
# Create a new project
$ curl -X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Token: TOKEN" \
-d '{"project": {"name": "project1", "description": "PROJECT_DESCRIPTION", "enabled": true}}' \
"http://<KEYSTONE_IP>:5000/v3/projects" -s
# Grant a user a role on a project: the assignment is expressed entirely in the URL path, no body is sent, and 204 No Content confirms it
$ curl -i -X PUT \
-H "X-Auth-Token: TOKEN" \
"http://<KEYSTONE_IP>:5000/v3/projects/PROJECT_ID/users/USER_ID/roles/ROLE_ID" -s
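The curl calls above are assembled by hand; as an added example written for this article (not code from the article's author or from the Keystone project), here is the same Identity v3 exchange in Python 3 with only the standard library: the password-authentication body, the parsing of the token reply (token in the X-Subject-Token header, scope, roles and catalog in the body), a catalog lookup, and the body-less PUT that assigns a role. The sample reply is constructed, and the host name controller and the IDs in it are assumptions; for a live run it reads the same OS_* variables the openstack client uses.

```python
"""Added example: Keystone Identity API v3 token exchange (not Keystone project code)."""
import json
import os
import urllib.request


def build_password_auth(username, password, project, domain="Default"):
    """Body for POST /v3/auth/tokens using the password method, scoped to a project.
    Without the 'scope' key Keystone issues an unscoped token that carries no
    roles and is useless against the other services."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def parse_token_response(headers, body):
    """Extract what a client needs from a 201 reply to /v3/auth/tokens.
    The token itself is not in the JSON body; it is the X-Subject-Token header."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("response carries no X-Subject-Token header")
    t = body["token"]
    return {"token": token,
            "expires_at": t["expires_at"],
            "user": t["user"]["name"],
            "project": t.get("project", {}).get("name"),
            "roles": sorted(r["name"] for r in t.get("roles", [])),
            "catalog": t.get("catalog", [])}


def find_endpoint(catalog, service_type, interface="public"):
    """URL of a service from the token's catalog for the given interface
    (public, internal or admin), or None if the catalog has no such entry."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface:
                return ep["url"]
    return None


def role_assignment_request(base_url, project_id, user_id, role_id, token):
    """PUT /v3/projects/{p}/users/{u}/roles/{r}: the assignment lives entirely
    in the path, so the request has no body (Keystone answers 204 No Content)."""
    url = "%s/projects/%s/users/%s/roles/%s" % (base_url.rstrip("/"), project_id, user_id, role_id)
    return urllib.request.Request(url, method="PUT", headers={"X-Auth-Token": token})


def request_token(auth_url, username, password, project):
    """Perform the live exchange against a running Keystone (network access required)."""
    data = json.dumps(build_password_auth(username, password, project)).encode()
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens", data=data,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.headers, json.load(resp))


# Constructed sample of a scoped-token reply with a trimmed catalog; not captured from a real cloud.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexample"}
SAMPLE_BODY = {"token": {
    "expires_at": "2024-01-01T01:00:00.000000Z",
    "user": {"id": "u1", "name": "admin", "domain": {"id": "default", "name": "Default"}},
    "project": {"id": "p1", "name": "admin", "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "r1", "name": "admin"}, {"id": "r2", "name": "member"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://controller:5000/v3/"},
        {"interface": "admin", "region": "RegionOne", "url": "http://controller:35357/v3/"}]}]}}

if __name__ == "__main__":
    if os.environ.get("OS_AUTH_URL"):  # live exchange only when admin-openrc variables are exported
        info = request_token(os.environ["OS_AUTH_URL"], os.environ["OS_USERNAME"],
                             os.environ["OS_PASSWORD"], os.environ["OS_PROJECT_NAME"])
    else:
        info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("user=%s project=%s roles=%s expires=%s" % (info["user"], info["project"], info["roles"], info["expires_at"]))
    print("admin endpoint:", find_endpoint(info["catalog"], "identity", "admin"))
    req = role_assignment_request(find_endpoint(info["catalog"], "identity"), "p1", "u1", "r1", info["token"])
    print(req.get_method(), req.full_url)
```

Without OS_AUTH_URL in the environment the script works on the constructed reply; with the admin-openrc variables from 3.1 exported it performs the real POST to /v3/auth/tokens. The role-assignment request is only built, not sent, so that running the example never changes a live deployment.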
4. Conclusion
This article covered deploying the OpenStack Identity service (Keystone) and using it to manage authentication and authorization: installing and configuring the database, Keystone and Apache, and then managing users, projects and role assignments both from the command line and through the v3 API.
Unless otherwise stated, articles on this site are original; when reposting, cite the source: OpenStack云计算组件Keystone部署及操作使用技巧 - Python技术站