
Installing and Deploying OpenStack on Ubuntu 12.10, Page 4

LZS2851 2016-04-05

Setting up tenants, users, roles – manually

You must define at least one tenant, one user, and one role linking the tenant and user; this is the minimum set of details that lets the other services authenticate and authorize with the Identity Service.

What follows is a manual, unscripted procedure using the keystone client. A scripted version is given at the end of this section.

First, create a default tenant; in this example it is named openstackDemo.

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | true                             |
| id          | b5815b046cfe47bb891a7b64119e7f80 |
| name        | openstackDemo                    |
+-------------+----------------------------------+

 

Create a default user named admin.

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id b5815b046cfe47bb891a7b64119e7f80 --name admin --pass secretword --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | true                                                                                                                    |
| id       | a4c2d43f80a549a19864c89d759bb3fe                                                                                        |
| name     | admin                                                                                                                   |
| password | $6$rounds=40000$MsFWIgIfbAHnhUH8$vvSK9/Uy3P5BTdH0kn.0MH.xFHAR2pWQCpTRLTENPs.3w53jb5BbbkIKHnkTbzWW3xVwqsb3W5e./3EIaNPeP0 |
| tenantId | b5815b046cfe47bb891a7b64119e7f80                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Create default roles named admin and memberRole.

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | e3d9d157cc95410ea45d23bbbc2e5c10 |
| name     | admin                            |
+----------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name memberRole
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | cffc2edea9c74b4a8779cc0d7a22fc21 |
| name     | memberRole                       |
+----------+----------------------------------+

Grant the admin role to the admin user in the openstackDemo tenant with the user-role-add command.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-role-add --user a4c2d43f80a549a19864c89d759bb3fe \
--tenant_id b5815b046cfe47bb891a7b64119e7f80 \
--role e3d9d157cc95410ea45d23bbbc2e5c10

This command produces no output.

Create a service tenant. This tenant contains all the services that we list in the service catalog.

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name service --description "Service Tenant" --enabled true

Next, create a user named nova in the service tenant, in the same way as the admin user above. Its record looks like this:

+----------+------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                            |
+----------+------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                             |
| enabled  | true                                                                                                             |
| id       | 54b3776a8707834d983e0b4037b1345c                                                                                 |
| name     | nova                                                                                                             |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d                                                                                 |
+----------+------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the nova user in the service tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-role-add --user 54b3776a8707834d983e0b4037b1345c \
--tenant_id eb7e0c10a99446cfa14c244374549e9d \
--role e3d9d157cc95410ea45d23bbbc2e5c10

This command also produces no output.

Create a user for the EC2 service in the service tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d \
--name ec2 --pass ec2 --enabled true
+----------+------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                            |
+----------+------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                             |
| enabled  | true                                                                                                             |
| id       | 32e7668b8707834d983e0b4037b1345c                                                                                 |
| name     | ec2                                                                                                              |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d                                                                                 |
+----------+------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the ec2 user in the service tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-role-add --user 32e7668b8707834d983e0b4037b1345c \
--tenant_id eb7e0c10a99446cfa14c244374549e9d \
--role e3d9d157cc95410ea45d23bbbc2e5c10

This command also produces no output.

 

Create an Object Storage service user in the service tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d \
--name swift --pass swiftpass --enabled true
+----------+------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                            |
+----------+------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                             |
| enabled  | true                                                                                                             |
| id       | 4346677b8909823e389f0b4037b1246e                                                                                 |
| name     | swift                                                                                                            |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d                                                                                 |
+----------+------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the swift user in the service tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0 \
user-role-add --user 4346677b8909823e389f0b4037b1246e \
--tenant_id eb7e0c10a99446cfa14c244374549e9d \
--role e3d9d157cc95410ea45d23bbbc2e5c10

This command also produces no output.

Next, you define the services themselves.

Defining Services

Keystone also acts as a service catalog, which lets the other OpenStack systems know where the API endpoints of the OpenStack services are located. In particular, the OpenStack Dashboard relies heavily on the service catalog, and the catalog must be configured for the Dashboard to work properly.

There are two ways of defining services with keystone:

  1. Using a template file
  2. Using a database backend

While using a template file is simpler, it is not recommended except for development environments such as DevStack. The template file does not enable CRUD operations on the service catalog through keystone commands, although you can still use the service-list command with a template catalog. A database backend can provide better reliability, availability and data redundancy. This section describes how to populate the Keystone service catalog using the database backend. If Keystone is configured to use the database backend, your /etc/keystone/keystone.conf file will contain the following lines:

[catalog]
driver = keystone.catalog.backends.sql.Catalog

 

Elements of a Keystone service catalog entry

For each service in the catalog, you must perform two keystone operations:

  1. Use the keystone service-create command to create a database entry for the service, with the following attributes:

    --name         Name of the service (e.g., nova, ec2, glance, keystone)
    --type         Type of service (e.g., compute, ec2, image, identity)
    --description  A description of the service (e.g., "Nova Compute Service")

  2. Use the keystone endpoint-create command to create a database entry that describes how different types of clients can connect to the service, with the following attributes:

    --region       The region name you have given to the OpenStack cloud you are deploying (e.g., RegionOne)
    --service-id   The ID field returned by keystone service-create
    --publicurl    The URL of the public-facing endpoint for the service (e.g., http://192.168.206.130:9292/v1 or http://192.168.206.130:8774/v2/%(tenant_id)s)
    --internalurl  The URL of an internal-facing endpoint for the service. This typically has the same value as publicurl.
    --adminurl     The URL for the admin endpoint for the service. The Keystone and EC2 services use different endpoints for adminurl and publicurl, but for other services these endpoints will be the same.

 

Keystone allows URLs to contain special parameters that are replaced with the correct values at runtime. Several examples in this document use the tenant_id parameter when specifying the Volume and Compute service endpoints. Parameters can be written in either % or $ notation; this document always uses the % notation, since $ is a special character in the Unix shell.
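As an added example (not code from the original page or from OpenStack), the following POSIX shell script performs the %(tenant_id)s substitution described above the way a catalog consumer would, and checks a few endpoint rows against the conventions stated in this section (per-tenant URLs for Compute, Volume and Object Storage; a distinct adminurl only for Keystone and EC2). The functions render_endpoint, check_endpoint and lint_catalog and the CATALOG rows are this example's own; the rows are built from the URLs on this page, with one deliberately broken Compute row added so that a violation is actually reported.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenStack: expand the
# %(tenant_id)s parameter the way a catalog consumer would, and check endpoint
# rows against the conventions stated in this section. The CATALOG rows below
# are constructed from the URLs on this page plus one deliberately wrong row.
set -eu

# Substitute %(tenant_id)s with a concrete tenant id. The id is validated first
# so that only a Keystone-style 32-hex-digit id is ever spliced into a URL.
render_endpoint() {
    template=$1; tenant=$2
    case $tenant in
        ""|*[!0-9a-f]*) echo "render_endpoint: not a hex id: '$tenant'" >&2; return 1 ;;
    esac
    [ "${#tenant}" -eq 32 ] || { echo "render_endpoint: id must be 32 hex digits" >&2; return 1; }
    printf '%s\n' "$template" | sed "s/%(tenant_id)s/$tenant/g"
}

# Conventions from the text: compute and volume carry %(tenant_id)s in every
# URL, object-store in its public and internal URLs; identity and ec2 use a
# different adminurl than publicurl; all other services use the same URL for
# both. Returns 0 when the row follows them, 1 otherwise.
check_endpoint() {
    type=$1; public=$2; internal=$3; adminurl=$4
    case $type in
        compute|volume)
            for u in "$public" "$internal" "$adminurl"; do
                case $u in *'%(tenant_id)s'*) ;; *) return 1 ;; esac
            done ;;
        object-store)
            for u in "$public" "$internal"; do
                case $u in *'%(tenant_id)s'*) ;; *) return 1 ;; esac
            done ;;
        identity|ec2)
            [ "$adminurl" != "$public" ] || return 1 ;;
        *)
            [ "$adminurl" = "$public" ] || return 1 ;;
    esac
    return 0
}

# Constructed rows: type|publicurl|internalurl|adminurl. The last row is a
# Compute endpoint without the per-tenant parameter, i.e. a misconfiguration.
CATALOG='identity|http://192.168.206.130:5000/v2.0|http://192.168.206.130:5000/v2.0|http://192.168.206.130:35357/v2.0
compute|http://192.168.206.130:8774/v2/%(tenant_id)s|http://192.168.206.130:8774/v2/%(tenant_id)s|http://192.168.206.130:8774/v2/%(tenant_id)s
image|http://192.168.206.130:9292/v1|http://192.168.206.130:9292/v1|http://192.168.206.130:9292/v1
compute|http://192.168.206.130:8774/v2|http://192.168.206.130:8774/v2|http://192.168.206.130:8774/v2'

# Report each offending row on stderr and print the number of violations.
lint_catalog() {
    bad=0
    while IFS='|' read -r type public internal adminurl; do
        [ -n "$type" ] || continue
        check_endpoint "$type" "$public" "$internal" "$adminurl" ||
            { echo "catalog: $type endpoint $public breaks the convention" >&2; bad=$((bad + 1)); }
    done <<EOF
$1
EOF
    echo "$bad"
}

render_endpoint 'http://192.168.206.130:8774/v2/%(tenant_id)s' b5815b046cfe47bb891a7b64119e7f80
lint_catalog "$CATALOG"
```

The template stays in single quotes, so the shell never interprets the parameter, and the substitution only happens after the tenant id has been checked to be 32 hex digits; a malformed id is rejected rather than spliced into a catalog URL.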

 

Create Keystone Service and Service Endpoint

Here we define the services and their endpoints.

Define the Identity Service:

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=keystone \
--type=identity \
--description="Keystone Identity Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | 15c11a23667e427e91bc31335b45f4bd |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=15c11a23667e427e91bc31335b45f4bd \
--publicurl=http://192.168.206.130:5000/v2.0 \
--internalurl=http://192.168.206.130:5000/v2.0 \
--adminurl=http://192.168.206.130:35357/v2.0
+-------------+-----------------------------------+
| Property    | Value                             |
+-------------+-----------------------------------+
| adminurl    | http://192.168.206.130:35357/v2.0 |
| id          | 11f9c625a3b94a3f8e66bf4e5de2679f  |
| internalurl | http://192.168.206.130:5000/v2.0  |
| publicurl   | http://192.168.206.130:5000/v2.0  |
| region      | RegionOne                         |
| service_id  | 15c11a23667e427e91bc31335b45f4bd  |
+-------------+-----------------------------------+

 

Define the Compute service, which requires a separate endpoint for each tenant. Here we use the service tenant from the previous section.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=nova \
--type=compute \
--description="Nova Compute Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | abc0f03c02904c24abdcc3b7910e2eed |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=abc0f03c02904c24abdcc3b7910e2eed \
--publicurl='http://192.168.206.130:8774/v2/%(tenant_id)s' \
--internalurl='http://192.168.206.130:8774/v2/%(tenant_id)s' \
--adminurl='http://192.168.206.130:8774/v2/%(tenant_id)s'
+-------------+----------------------------------------------+
| Property    | Value                                        |
+-------------+----------------------------------------------+
| adminurl    | http://192.168.206.130:8774/v2/%(tenant_id)s |
| id          | 935fd37b6fa74b2f9fba6d907fa95825             |
| internalurl | http://192.168.206.130:8774/v2/%(tenant_id)s |
| publicurl   | http://192.168.206.130:8774/v2/%(tenant_id)s |
| region      | RegionOne                                    |
| service_id  | abc0f03c02904c24abdcc3b7910e2eed             |
+-------------+----------------------------------------------+

 

Define the Volume service, which also requires a separate endpoint for each tenant.

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=volume \
--type=volume \
--description="Nova Volume Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Volume Service              |
| id          | 1ff4ece13c3e48d8a6461faebd9cd38f |
| name        | volume                           |
| type        | volume                           |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=1ff4ece13c3e48d8a6461faebd9cd38f \
--publicurl='http://192.168.206.130:8776/v1/%(tenant_id)s' \
--internalurl='http://192.168.206.130:8776/v1/%(tenant_id)s' \
--adminurl='http://192.168.206.130:8776/v1/%(tenant_id)s'
+-------------+----------------------------------------------+
| Property    | Value                                        |
+-------------+----------------------------------------------+
| adminurl    | http://192.168.206.130:8776/v1/%(tenant_id)s |
| id          | 1ff4ece13c3e48d8a6461faebd9cd38f             |
| internalurl | http://192.168.206.130:8776/v1/%(tenant_id)s |
| publicurl   | http://192.168.206.130:8776/v1/%(tenant_id)s |
| region      | RegionOne                                    |
| service_id  | 8a70cd235c7d4a05b43b2dffb9942cc0             |
+-------------+----------------------------------------------+

 

Define the Image service:

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=glance \
--type=image \
--description="Glance Image Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | 7d5258c490144c8c92505267785327c1 |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=7d5258c490144c8c92505267785327c1 \
--publicurl=http://192.168.206.130:9292/v1 \
--internalurl=http://192.168.206.130:9292/v1 \
--adminurl=http://192.168.206.130:9292/v1
+-------------+-----------------------------------+
| Property    | Value                             |
+-------------+-----------------------------------+
| adminurl    | http://192.168.206.130:9292/v1    |
| id          | 3c8c0d749f21490b90163bfaed9befe7  |
| internalurl | http://192.168.206.130:9292/v1    |
| publicurl   | http://192.168.206.130:9292/v1    |
| region      | RegionOne                         |
| service_id  | 7d5258c490144c8c92505267785327c1  |
+-------------+-----------------------------------+

 

Define the EC2 compatibility service:

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | EC2 Compatibility Layer          |
| id          | 181cdad1d1264387bcc411e1c6a6a5fd |
| name        | ec2                              |
| type        | ec2                              |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=181cdad1d1264387bcc411e1c6a6a5fd \
--publicurl=http://192.168.206.130:8773/services/Cloud \
--internalurl=http://192.168.206.130:8773/services/Cloud \
--adminurl=http://192.168.206.130:8773/services/Admin
+-------------+--------------------------------------------+
| Property    | Value                                      |
+-------------+--------------------------------------------+
| adminurl    | http://192.168.206.130:8773/services/Cloud |
| id          | d2a3d7490c61442f9b2c8c8a2083c4b6           |
| internalurl | http://192.168.206.130:8773/services/Cloud |
| publicurl   | http://192.168.206.130:8773/services/Admin |
| region      | RegionOne                                  |
| service_id  | 181cdad1d1264387bcc411e1c6a6a5fd           |
+-------------+--------------------------------------------+

 

Define the Object Storage service:

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
service-create \
--name=swift \
--type=object-store \
--description="Object Storage Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Object Storage Service           |
| id          | 272efad2d1234376cbb911c1e5a5a6ed |
| name        | swift                            |
| type        | object-store                     |
+-------------+----------------------------------+

$ keystone --token 012345SECRET99TOKEN012345 \
--endpoint http://192.168.206.130:35357/v2.0/ \
endpoint-create \
--region RegionOne \
--service_id=272efad2d1234376cbb911c1e5a5a6ed \
--publicurl 'http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s' \
--adminurl 'http://192.168.206.130:8888/v1' \
--internalurl 'http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s'
+-------------+---------------------------------------------------+
| Property    | Value                                             |
+-------------+---------------------------------------------------+
| adminurl    | http://192.168.206.130:8888/v1                    |
| id          | e32b3c4780e51332f9c128a8c208a5a4                  |
| internalurl | http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s |
| publicurl   | http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s |
| region      | RegionOne                                         |
| service_id  | 272efad2d1234376cbb911c1e5a5a6ed                  |
+-------------+---------------------------------------------------+
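As an added example (not code from the original page or from OpenStack), here are the two procedures of this section, the manual tenant/user/role steps and the service and endpoint definitions, written as one POSIX shell script that captures the IDs the manual procedure copies by hand. It assumes the keystone client shown on this page is on PATH, takes the bootstrap token and admin endpoint from the variables KEYSTONE_TOKEN and KEYSTONE_ENDPOINT (defaulting to the values used on this page), and reads the user passwords from ADMIN_PASS, NOVA_PASS, EC2_PASS and SWIFT_PASS; those variable names and the functions ks, get_prop, setup_identities, define_service, setup_catalog and sample_prop are this example's own. Run without arguments it only exercises get_prop on a constructed copy of a keystone table; with --run it talks to Keystone.

```shell
#!/bin/sh
# Added example, not code from the original page or from OpenStack: the manual
# tenant/user/role steps and the service catalog definitions from this page as
# one script, capturing the IDs that the manual procedure copies by hand.
# Assumptions: the keystone CLI shown on this page is on PATH; the bootstrap
# token and admin endpoint come from KEYSTONE_TOKEN / KEYSTONE_ENDPOINT; the
# user passwords come from ADMIN_PASS, NOVA_PASS, EC2_PASS and SWIFT_PASS.
# All of those variable names and all function names are this example's own.
set -eu

KEYSTONE_TOKEN="${KEYSTONE_TOKEN:-012345SECRET99TOKEN012345}"   # bootstrap token from this page
KEYSTONE_ENDPOINT="${KEYSTONE_ENDPOINT:-http://192.168.206.130:35357/v2.0}"
REGION="${REGION:-RegionOne}"

# Wrapper so the bootstrap token is written once, not on every command line.
ks() {
    keystone --token "$KEYSTONE_TOKEN" --endpoint "$KEYSTONE_ENDPOINT" "$@"
}

# Extract one property (e.g. id) from a keystone table such as
# "| id          | b5815b046cfe47bb891a7b64119e7f80 |".
get_prop() {
    awk -v key="$1" -F'|' '
        $2 ~ ("^ *" key " *$") { v = $3; sub(/^ +/, "", v); sub(/ +$/, "", v); print v }'
}

# Tenants, users and roles in the order this page creates them.
setup_identities() {
    demo=$(ks tenant-create --name openstackDemo --description "Default Tenant" --enabled true | get_prop id)
    admin_user=$(ks user-create --tenant_id "$demo" --name admin --pass "$ADMIN_PASS" --enabled true | get_prop id)
    admin_role=$(ks role-create --name admin | get_prop id)
    ks role-create --name memberRole >/dev/null
    ks user-role-add --user "$admin_user" --tenant_id "$demo" --role "$admin_role"

    service=$(ks tenant-create --name service --description "Service Tenant" --enabled true | get_prop id)
    for entry in "nova:$NOVA_PASS" "ec2:$EC2_PASS" "swift:$SWIFT_PASS"; do
        name=${entry%%:*}; pass=${entry#*:}
        uid=$(ks user-create --tenant_id "$service" --name "$name" --pass "$pass" --enabled true | get_prop id)
        ks user-role-add --user "$uid" --tenant_id "$service" --role "$admin_role"
    done
}

# One service and its endpoint. The service_id in the endpoint-create output
# is compared with the id just returned by service-create, so a mismatch like
# the one in the Volume endpoint table on this page is reported, not kept.
define_service() {
    name=$1; type=$2; desc=$3; public=$4; internal=$5; adminurl=$6
    sid=$(ks service-create --name="$name" --type="$type" --description="$desc" | get_prop id)
    got=$(ks endpoint-create --region "$REGION" --service_id="$sid" \
          --publicurl="$public" --internalurl="$internal" --adminurl="$adminurl" | get_prop service_id)
    [ "$got" = "$sid" ] || { echo "$name: endpoint bound to service $got, expected $sid" >&2; return 1; }
    echo "$name service id: $sid"
}

# The six catalog entries defined on this page, same URLs and ports.
setup_catalog() {
    h=http://192.168.206.130
    define_service keystone identity "Keystone Identity Service" "$h:5000/v2.0" "$h:5000/v2.0" "$h:35357/v2.0"
    define_service nova compute "Nova Compute Service" "$h:8774/v2/%(tenant_id)s" "$h:8774/v2/%(tenant_id)s" "$h:8774/v2/%(tenant_id)s"
    define_service volume volume "Nova Volume Service" "$h:8776/v1/%(tenant_id)s" "$h:8776/v1/%(tenant_id)s" "$h:8776/v1/%(tenant_id)s"
    define_service glance image "Glance Image Service" "$h:9292/v1" "$h:9292/v1" "$h:9292/v1"
    define_service ec2 ec2 "EC2 Compatibility Layer" "$h:8773/services/Cloud" "$h:8773/services/Cloud" "$h:8773/services/Admin"
    define_service swift object-store "Object Storage Service" "$h:8888/v1/AUTH_%(tenant_id)s" "$h:8888/v1/AUTH_%(tenant_id)s" "$h:8888/v1"
}

# Constructed copy of a keystone table (same shape as the output on this page)
# so get_prop can be exercised without a running Keystone.
SAMPLE_TABLE='+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | true                             |
| id          | b5815b046cfe47bb891a7b64119e7f80 |
| name        | openstackDemo                    |
+-------------+----------------------------------+'

sample_prop() { printf '%s\n' "$SAMPLE_TABLE" | get_prop "$1"; }

case "${1:-}" in
    --run) setup_identities; setup_catalog ;;   # talks to the real Keystone
    *)     sample_prop id ;;                      # offline self-check
esac
```

Two points worth noting. The ks wrapper means the bootstrap token is assigned once instead of appearing on every line of the shell history, and define_service reads the service_id back out of the endpoint-create output and compares it with the id it passed in; the Volume endpoint table on this page, whose service_id does not match the volume service record, is exactly the kind of inconsistency that check reports instead of leaving silently in the catalog.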
