OpenStack Component Deployment — Keystone Install & Create service entity and API endpoints



Previous articles in this series

OpenStack Component Deployment — Overview and Environment Preparation
OpenStack Component Deployment — Environment of Controller Node
OpenStack Component Deployment — Keystone Features and the Authentication Flow

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node.
For performance, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

Fernet tokens: introduced in the Kilo release. Unlike UUID tokens, which have to be persisted in the database, Fernet tokens need no persistence at all. Deployers enable them by setting [token] provider = keystone.token.providers.fernet.Provider in keystone.conf, which is one of the parameters configured below. Fernet tokens require symmetric encryption keys; these keys are created with keystone-manage fernet_setup and rotated periodically with keystone-manage fernet_rotate. In a multi-node (or multi-region) deployment the keys must be shared by all Keystone nodes, so that a token issued by one node can immediately be validated by any other node.

Prerequisites

Before you configure the OpenStack Identity service, you must create a keystone database and a temporary administration token that is used only while keystone is being initialized.

Create the database for identity service

This database stores the data of the Keystone component (users, tenants, roles, and so on).
Step 1. Log in to MySQL

mysql -u root -pfanguiju

Step 2. Create the keystone database

CREATE DATABASE keystone;

Step 3. Create the keystone database user and grant it the proper privileges
Create the keystone database user with full control over the keystone database.

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'fanguiju';     # fanguiju is the password of the keystone user
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'fanguiju';

Step 4. Exit MySQL

MariaDB [(none)]> exit
Bye

Generate a random value

Generate a random value to use as the temporary administration token during the initial configuration of keystone:

[root@controller Desktop]# openssl rand -hex 10
c44048d3212d3f977643

Install and configure components

Note: This guide uses the Apache HTTP server with mod_wsgi (the Python Web Server Gateway Interface module) to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. Therefore, this guide manually disables the keystone service.

WSGI: the Python Web Server Gateway Interface is an interface between Python applications or frameworks and web servers. It is widely adopted and has largely achieved its goal of portability.

Step 1. Install openstack-keystone, httpd and the mod_wsgi module

yum install openstack-keystone httpd mod_wsgi -y

Step 2. Edit the /etc/keystone/keystone.conf file and complete the following actions:
vim /etc/keystone/keystone.conf

# 1. In the [DEFAULT] section, define the value of the initial administration token
#    (the random value just generated with openssl):
[DEFAULT]
admin_token = c44048d3212d3f977643

# 2. In the [database] section, configure database access. The format is
#    mysql+pymysql://<db user>:<password>@<db server hostname>/<database>:
#    here the keystone user with password fanguiju, the host controller.jmilk.com
#    and the keystone database. If the hostname does not resolve, use the IP address instead.
[database]
connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone

# 3. In the [token] section, configure the Fernet token provider:
[token]
provider = fernet

Overview of the resulting file

[root@controller ~]# cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$
[DEFAULT]
admin_token = c44048d3212d3f977643
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]

Note: as the overview shows, on a fresh install of this Keystone release every section of the configuration file is empty. If you use this guide to install a different Keystone release, add the parameters from this guide to the existing file rather than deleting parameters that are already there.

Step 3. Populate the Identity service database:

su -s /bin/sh -c "keystone-manage db_sync" keystone      # run the database schema sync as the keystone user via sh

Check that the database tables were created successfully

[root@controller Desktop]# mysql -u keystone -pfanguiju
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.03 sec)

MariaDB [(none)]> use keystone;
Database changed

MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

Note: after running this command, ignore any deprecation messages. If it hangs at this step, I suggest re-checking whether the database connection configured in keystone.conf actually works.

Step 4. Initialize Fernet keys:
As described above, Fernet tokens require symmetric encryption keys, and these keys are created with keystone-manage fernet_setup.

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
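A check worth running right after fernet_setup, as an added example that is not part of the original post or of keystone-manage: it verifies the ownership and modes of the key repository and reports the staged and primary keys. It assumes the default key_repository path /etc/keystone/fernet-keys, the 0700/0600 modes that keystone-manage applies, and the convention that the file named 0 is the staged key and the highest-numbered file is the primary key; none of these appear on the page. The demo repository is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Fernet key
# repository after "keystone-manage fernet_setup".
# Assumptions (not stated on the page): the default repository is
# /etc/keystone/fernet-keys, the directory is 0700 and each key 0600, both
# owned by the keystone user; key 0 is the staged key and the highest index
# is the primary key. The demo repository below is constructed in a temp dir.

# fernet_primary_key REPO: print the index of the primary key (highest number).
fernet_primary_key() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# check_fernet_repo REPO OWNER: return 0 if the repository looks sound,
# 1 otherwise, printing one line per finding.
check_fernet_repo() {
    repo=$1; owner=$2; rc=0
    if [ ! -d "$repo" ]; then
        echo "FAIL: $repo does not exist (run keystone-manage fernet_setup)"
        return 1
    fi
    # The directory itself: owned by the service user, unreadable by anyone else.
    if [ -n "$(find "$repo" -maxdepth 0 ! -user "$owner")" ]; then
        echo "FAIL: $repo is not owned by $owner"; rc=1
    fi
    if [ -n "$(find "$repo" -maxdepth 0 ! -perm 700)" ]; then
        echo "FAIL: $repo should be mode 0700"; rc=1
    fi
    nkeys=0
    for f in "$repo"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        name=$(basename "$f")
        case $name in
            *[!0-9]*) echo "FAIL: unexpected file $name in key repository"; rc=1; continue ;;
        esac
        nkeys=$((nkeys + 1))
        # Every key file must be 0600 and owned by the service user.
        if [ -n "$(find "$f" -maxdepth 0 \( ! -perm 600 -o ! -user "$owner" \))" ]; then
            echo "FAIL: key $name must be mode 0600 and owned by $owner"; rc=1
        fi
    done
    if [ "$nkeys" -lt 2 ]; then
        echo "FAIL: expected at least a staged key (0) and a primary key, found $nkeys"; rc=1
    elif [ ! -f "$repo/0" ]; then
        echo "FAIL: staged key 0 is missing"; rc=1
    else
        echo "OK: $nkeys keys, primary key index $(fernet_primary_key "$repo")"
    fi
    return $rc
}

# --- constructed demo repository: two keys with the shape of real Fernet keys ---
DEMO_REPO=$(mktemp -d)/fernet-keys
mkdir -m 700 "$DEMO_REPO"
for i in 0 1; do
    # 32 random bytes, URL-safe base64 encoded, as a Fernet key is
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' > "$DEMO_REPO/$i"
    chmod 600 "$DEMO_REPO/$i"
done
check_fernet_repo "$DEMO_REPO" "$(id -un)" || true
```

On a real controller call it as `check_fernet_repo /etc/keystone/fernet-keys keystone`; after each `keystone-manage fernet_rotate` the primary index it reports should go up by one.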

Configure the Apache HTTP server

Step 1. Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
vim /etc/httpd/conf/httpd.conf

# hostname of the Apache HTTP server
ServerName controller.jmilk.com

Step 2. Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:
Open two listening ports and configure one VirtualHost per port.
vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Step 3. Start the Apache HTTP service and configure it to start when the system boots:

systemctl start httpd.service
systemctl enable httpd.service

At this point the installation of Keystone is complete.

Create the service entity and API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.

Prerequisites

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use the temporary authentication token that you created in the section called Install and configure (the admin_token value) to initialize the service entity and API endpoints for the Identity service.

Step 1. Create a file holding the temporary authentication token
vim ~/auth_token

# 1. Configure the authentication token (OS_TOKEN must equal the admin_token value in keystone.conf)
export OS_TOKEN=c44048d3212d3f977643

# 2. Configure the endpoint URL (using the admin port 35357)
export OS_URL=http://controller.jmilk.com:35357/v3

# 3. Configure the Identity API version
export OS_IDENTITY_API_VERSION=3

Load the environment variables from the auth_token file

source ~/auth_token

Create the service entity and API endpoints

Step 1. Create the service entity for the Identity service:
The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment.

[root@controller Desktop]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | c89a25e54e5b4ca3b277b15ec0d75853 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

A frequent failure at this step is:

ERROR: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7e447b64-0ab1-4add-b0f9-ccb29de79156)

This is a very common error, especially for people new to OpenStack; many get stuck on it. Some things to check:
1. Make sure the Keystone tables were created successfully.
2. Make sure the environment variables are correct, in particular that OS_TOKEN and admin_token have the same value. Copy and paste the value: a trailing space after it is a common cause of a mismatch.
3. Make sure the hostname and IP address resolve.
4. Make sure port 35357 is open.
5. Make sure the HTTP service is running.
6. Check whether the openstack-keystone service is running (on the Mitaka release this does not matter).
7. If nothing else works, try rebooting the host (the last resort).
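The keystone.conf values set above, the ~/auth_token file and items 1 to 2 of this checklist can be cross-checked mechanically. The following is an added example, not code from the original post: it reads admin_token from [DEFAULT] in keystone.conf and OS_TOKEN from the env file without trimming them, so a pasted trailing space is reported as such, and it also confirms [token] provider = fernet, the 35357/v3 bootstrap URL and OS_IDENTITY_API_VERSION=3. The sample files are constructed in a temporary directory; only the token value is taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the values that the
# HTTP 500 checklist says must agree. The files written below are constructed
# for the demo; on a controller pass /etc/keystone/keystone.conf and ~/auth_token.

# ini_get FILE SECTION KEY: print the raw value of KEY inside [SECTION],
# keeping trailing whitespace so that a pasted trailing space stays visible.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                       # section header: remember it
            section = $0
            gsub(/^[ \t]+|[ \t]+$/, "", section)
            next
        }
        section == want && match($0, "^[ \t]*" key "[ \t]*=") {
            value = substr($0, RLENGTH + 1)  # everything after "key ="
            sub(/^[ \t]+/, "", value)
            print value
            exit
        }' "$1"
}

# env_get FILE VAR: print the raw value of "export VAR=..." from a shell env file.
env_get() {
    sed -n "s/^export $2=//p" "$1" | head -n 1
}

# trim STRING: strip trailing whitespace.
trim() {
    printf '%s' "$1" | sed 's/[[:space:]]*$//'
}

# check_bootstrap_env KEYSTONE_CONF AUTH_TOKEN_FILE: return 0 when every check passes.
check_bootstrap_env() {
    conf=$1; envf=$2; rc=0
    admin_token=$(ini_get "$conf" DEFAULT admin_token)
    os_token=$(env_get "$envf" OS_TOKEN)
    if [ -z "$admin_token" ]; then
        echo "FAIL: admin_token is not set in [DEFAULT] of $conf"; rc=1
    elif [ "$admin_token" = "$os_token" ]; then
        echo "OK: OS_TOKEN matches admin_token"
    elif [ "$(trim "$admin_token")" = "$(trim "$os_token")" ]; then
        echo "FAIL: OS_TOKEN and admin_token differ only in trailing whitespace (re-copy the value)"; rc=1
    else
        echo "FAIL: OS_TOKEN does not match admin_token"; rc=1
    fi
    if [ "$(ini_get "$conf" token provider)" = "fernet" ]; then
        echo "OK: [token] provider = fernet"
    else
        echo "FAIL: [token] provider is not fernet"; rc=1
    fi
    case "$(env_get "$envf" OS_URL)" in
        http://*:35357/v3) echo "OK: OS_URL uses the admin port 35357 and Identity v3" ;;
        *) echo "FAIL: OS_URL should be http://<controller>:35357/v3 during bootstrap"; rc=1 ;;
    esac
    if [ "$(env_get "$envf" OS_IDENTITY_API_VERSION)" = "3" ]; then
        echo "OK: OS_IDENTITY_API_VERSION=3"
    else
        echo "FAIL: OS_IDENTITY_API_VERSION must be 3"; rc=1
    fi
    return $rc
}

# --- constructed demo inputs (the token value is the one used in the post) ---
SAMPLE_DIR=$(mktemp -d)
TOKEN=c44048d3212d3f977643
cat > "$SAMPLE_DIR/keystone.conf" <<EOF
[DEFAULT]
admin_token = $TOKEN
[token]
provider = fernet
EOF
# a correct env file, and one where a space was pasted after the token
printf 'export OS_TOKEN=%s\nexport OS_URL=http://controller.jmilk.com:35357/v3\nexport OS_IDENTITY_API_VERSION=3\n' \
    "$TOKEN" > "$SAMPLE_DIR/auth_token.good"
printf 'export OS_TOKEN=%s \nexport OS_URL=http://controller.jmilk.com:35357/v3\nexport OS_IDENTITY_API_VERSION=3\n' \
    "$TOKEN" > "$SAMPLE_DIR/auth_token.bad"

echo "== good =="; check_bootstrap_env "$SAMPLE_DIR/keystone.conf" "$SAMPLE_DIR/auth_token.good" || true
echo "== bad ==";  check_bootstrap_env "$SAMPLE_DIR/keystone.conf" "$SAMPLE_DIR/auth_token.bad" || true
```

The values are compared before trimming on purpose: `export OS_TOKEN=... ` with a trailing space is exactly the mismatch described in item 2, and the check names it rather than silently normalizing it away.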

Step 2. Create the Identity service API endpoints:
The Identity service manages a catalog of API endpoints associated with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment. OpenStack uses three API endpoint variants for each service: admin, internal, and public.

[root@controller Desktop]# openstack endpoint create --region RegionOne identity public http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 670ccbe782ba4e788c681f532d540177 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[root@controller Desktop]# openstack endpoint create --region RegionOne identity internal http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1d4504fc49741f4968d0c28ee66cbbc |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[root@controller Desktop]# openstack endpoint create --region RegionOne identity admin http://controller.jmilk.com:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b0a761a6365941d2a5db215c36883b4f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:35357/v3      |
+--------------+----------------------------------+

Published by: 全栈程序员-用户IM. Original link: https://javaforall.cn/108974.html