之前介绍了OpenStack Swift的安装部署,采用的都是tempauth认证模式,今天就来介绍一个新的组件,名为Keystone。
1. 简介
本文将详细描述Keystone的安装部署流程,并给出一些简单的使用实例。
Keystone是Openstack框架中的一个重要组成部分,负责身份认证、服务管理、服务规则和服务令牌的功能, 它实现了Openstack的Identity API。Keystone类似一个服务总线,或者说是整个Openstack框架的注册表,其他服务通过Keystone来注册其服务,任何服务之间相互的调用,都需要经过Keystone的身份验证来获得目标服务。Keystone包含两个主要部件:验证与服务目录。
验证部件提供了一套基于令牌的验证服务,主要包含以下几个概念:
租户(Tenant):使用相关服务的一个组织(一个租户可以代表一个客户、账号、公司、组织或项目),必须指定一个相应的租户(Tenant)才可以申请OpenStack服务。在Swift中,一个租户可以拥有一定的存储空间,拥有多个容器,可以理解为一个公司拥有一大块存储空间。
用户(User):表示拥有用户名、密码、邮箱等账号信息的个人,用户能够申请并获得访问资源的授权。用户拥有证书,可以与一个或多个租户关联。经过身份验证后,会为每个关联的租户提供一个特定的令牌。一个用户可以在不同的租户中被分配不同的角色。以Swift为例,我们可以这样理解:租户是一个公司,拥有一大块存储空间,用户是个人,是该公司的员工,能够根据用户的角色访问公司的部分或全部存储空间,当然这个员工可以同时在其他公司兼职,拥有其他公司的存储空间;如果某个公司只有一个员工,即该员工拥有公司的全部存储空间,此时的用户就类似于金山快盘的用户了。
证书(Credentials):为了给用户提供一个令牌,需要用证书来唯一标识一个用户的密码或其它信息。
令牌(Token):一个令牌是一个任意比特的文本,用于与其它OpenStack服务来共享信息,Keystone以此来提供一个Central Location,以验证访问OpenStack服务的用户。一个令牌可以是scoped或unscoped。一个scoped令牌代表为某个租户验证过的用户,而unscoped令牌则仅代表一个用户。令牌的有效期是有限的,可以随时被撤回。
角色(Role):代表特定的租户中的用户操作权限,一个角色是应用于某个租户的使用权限集合,以允许某个指定用户访问或使用特定操作。角色是使用权限的逻辑分组,它使得通用的权限可以简单地分组并绑定到与某个指定租户相关的用户。
服务目录部件(Service Catalog)提供了一套REST API服务端点列表并以此作为决策参考,主要包含以下几个概念:
服务(Service):一个OpenStack服务,例如Nova、Swift、Glance或Keystone。一个服务可以拥有一个或多个端点,用户可以通过它与OpenStack的服务或资源进行交互。
端点(Endpoint):一个可以通过网络访问的地址(例如一个URL),代表了OpenStack服务的API入口。端点也可以分组为模板,每个模板代表一组可用的OpenStack服务,这些服务是跨区域(regions)可用的,例如将多个Swift Proxy Server分别配置为不同的域(regionOne、regionTwo等)。
模板(Template):一个端点集合,代表一组可用的OpenStack服务端点。
2. 安装部署
2.1 准备环境
环境类型
详细信息
机器类型:
PC物理机
操作系统:
Ubuntu-11.10-desktop-64位
用户类型:
root
数据库:
sqlite3
IP地址:
192.168.3.67
2.2 版本说明
如果你使用的是Ubuntu,那么也可以直接通过apt-get来安装Keystone,不过本文介绍的是从git(https://github.com/openstack/keystone)上获取Master分支的最新代码来进行安装部署。请务必确保各处安装的Keystone与python-keystoneclient的版本统一,这在Keystone与其他服务(如Swift)整合使用时尤为重要,可关注后续文档《Keystone与Swift(集群)整合使用说明》,你就会明白其中的道理了。
2.3 安装软件环境
首先,需要安装Keystone所需的软件环境(确保你的机器可以访问互联网),例如git用于获取Keystone代码,sqlite3作为本地数据库。
# apt-get install git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev
2.4 安装Keystone
从git上获取最新的Keystone Service代码。
# cd ~
# git clone https://github.com/openstack/keystone.git
安装Keystone的依赖项与主体程序(Keystone会被安装到python的dist-packages中)。
# cd ~/keystone
# pip install -r tools/pip-requires
# pip install -r tools/test-requires(本条命令可不执行)
# python setup.py install
文件~/keystone/tools/pip-requires中(内容如下所示)记录了运行Keystone程序所需的依赖项,setup.py就是根据该文件来检查依赖项并自动下载安装的。其中指明了python-keystoneclient为依赖项,python-keystoneclient作为本地客户端组件,用于访问Keystone。python-keystoneclient与Keystone的版本需要统一,否则可能会出现版本兼容性问题,采用依赖项的方式安装python-keystoneclient,可确保不会出现版本兼容性问题。
# keystone dependencies
pam>=0.1.4
WebOb==1.2.3
eventlet
greenlet
PasteDeploy
paste
routes
sqlalchemy>=0.7.8,<=0.7.9
sqlalchemy-migrate>=0.7.2
passlib
lxml
iso8601>=0.1.4
python-keystoneclient>=0.2.1,<0.3
oslo.config>=1.1.0
文件~/keystone/tools/test-requires中(内容如下所示)记录了Keystone动态开发与测试所需的依赖项。这些依赖项不是运行Keystone所必须的,所以可以不安装(即不执行上面的命令:pip install -r tools/test-requires)。
# Optional backend: SQL
pysqlite
# Optional backend: Memcache
python-memcached
# Optional backend: LDAP
python-ldap==2.3.13 # authenticate against an existing LDAP server
# Testing
coverage # computes code coverage percentages
mox # mock object framework
nose # for test discovery and console feedback
nosexcover
openstack.nose_plugin
nosehtmloutput
pylint # static code analysis
pep8==1.3.3 # checks for PEP8 code style compliance
Sphinx>=1.1.2 # required to build documentation
unittest2 # backport of unittest lib in python 2.7
webtest # test wsgi apps without starting an http server
distribute>=0.6.24
# for python-keystoneclient
httplib2 # keystoneclient <0.2.1
requests>=1.0.0 # replaces httplib2 in keystoneclient >=0.2.1
keyring
# swift_auth test dependencies
http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift
netifaces
# For translations processing
Babel
需要特别注意的是,安装tools/test-requires依赖项时会自动下载swift-master.tar.gz包并重新安装Swift。因此,如果电脑上已经安装了Swift,就不可以再执行“pip install -r tools/test-requires”命令了(该命令会覆盖掉之前安装的Swift程序)。
如果你不小心覆盖掉了之前安装的Swift程序,也无需担心,执行以下命令,重新安装你的Swift程序即可。(假设Swift的源代码在目录~/swift/swift_1.7.6下,python-swiftclient的源代码在目录~/swift/python-swiftclient_1.2.0下)
# cd ~/swift/swift_1.7.6
# python setup.py develop
# cd ~/swift/python-swiftclient_1.2.0
# python setup.py develop
2.5 配置Keystone
由于是从git上获取的代码,所以我们需要手动将代码中的配置文件复制到系统中正确的目录下。配置文件在~/keystone/etc目录下,共有四个,包括default_catalog.templates、keystone.conf.sample、logging.conf.sample和policy.json。将这四个配置文件复制到/etc/keystone目录下,并重命名(去掉“.sample”)。用户需要注意下文中的红色标注部分。
# mkdir -p /etc/keystone
# cp ~/keystone/etc/* /etc/keystone/
# cp mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf
# cp mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf
其中keystone.conf是核心配置文件,logging.conf是日志配置文件,default_catalog.templates是目录模版文件,policy.json定义了Identity服务的访问策略。我们需要修改核心配置文件/etc/keystone/keystone.conf。
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
# 注意该信息,admin_token参数是用来访问Keystone服务的,即Keystone服务的Token。默认为ADMIN,当然也可以改成别的。客户端可以使用该Token访问Keystone服务、查看信息、创建其他服务等。
# The IP address of the network interface to listen on
# bind_host = 0.0.0.0
# The port number which the public service listens on
# public_port = 5000
# Keystone提供的认证授权服务监听的端口,通常为公网(外网),也可以是内网。
# The port number which the public admin listens on
# admin_port = 35357
# Keystone提供的认证授权、系统管理服务监听的端口,通常为内网。除了认证授权功能外,用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等。
# The port number which the OpenStack Compute service listens on
# compute_port = 8774
# Path to your policy definition containing identity actions
# TODO(dolph): This config method will probably be deprecated during grizzly
# policy_file = policy.json
# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required
# === Logging Options ===
# Print debugging output
# verbose = False
# Print more verbose output
# (includes plaintext request logging, potentially including passwords)
# debug = False
# Name of log file to output to. If not set, logging will go to stdout.
# log_file = keystone.log
# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone
# Use syslog for logging.
# use_syslog = False
# syslog facility to receive log lines
# syslog_log_facility = LOG_USER
# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf
# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S
# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd
[sql]
# The SQLAlchemy connection string used to connect to the database
# connection = sqlite:///keystone.db
# 此处为数据库参数,默认使用sqlite,并且指定数据库文件的存放位置,keystone.db表示在主目录下创建keystone.db文件,用于存放数据。也可以指定其他存储位置,例如sqlite:var/lib/keystone/keystone.db。
# 当然也可以使用mysql,如mysql://root:123456@192.168.3.67/keystone,其中192.168.3.67为数据库地址,keystone为数据库名称,root为用户名,123456为访问密码。需要事先安装mysql,并且创建名为keystone的数据库,设置用户名密码。
# the timeout before idle sql connections are reaped
# idle_timeout = 200
[identity]
# driver = keystone.identity.backends.sql.Identity
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog
# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
# template_file = default_catalog.templates
[token]
# driver = keystone.token.backends.kvs.Token
# Amount of time a token should remain valid (in seconds)
# expiration = 86400
[policy]
# driver = keystone.policy.backends.sql.Policy
[ec2]
# driver = keystone.contrib.ec2.backends.kvs.Ec2
[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True
[signing]
# token_format = PKI
# 此处需要特别注意,新版本中默认Token为PKI,因而需要为此设置PKI认证,较为麻烦,可改为UUID以方便使用,UUID是一个几十位的随机字符串。
token_format = UUID
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = tenant_id,tenants
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service
[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
2.6 查看Keystone帮助信息
在终端执行keystone-all --help、keystone-manage --help、keystone --help命令,即可查看Keystone的帮助信息。
执行keystone-all --help命令,查看Keystone服务端程序的帮助信息。
# keystone-all --help
usage: keystone-all [-h] [--version] [--debug] [--nodebug] [--verbose]
[--noverbose] [--use-syslog] [--nouse-syslog]
[--standard-threads] [--nostandard-threads]
[--pydev-debug-port PYDEV_DEBUG_PORT] [--config-file PATH]
[--log-config PATH] [--log-format FORMAT]
[--log-date-format DATE_FORMAT] [--log-file PATH]
[--log-dir LOG_DIR]
[--syslog-log-facility SYSLOG_LOG_FACILITY]
[--pydev-debug-host PYDEV_DEBUG_HOST] [--config-dir DIR]
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--debug, -d Print debugging output (set logging level to DEBUG
instead of default WARNING level).
--nodebug The inverse of --debug
--verbose, -v Print more verbose output (set logging level to INFO
instead of default WARNING level).
--noverbose The inverse of --verbose
--use-syslog Use syslog for logging.
--nouse-syslog The inverse of --use-syslog
--standard-threads
--nostandard-threads The inverse of --standard-threads
--pydev-debug-port PYDEV_DEBUG_PORT
--config-file PATH Path to a config file to use. Multiple config files
can be specified, with values in later files taking
precedence. The default files used are:
['/etc/keystone/keystone.conf']
--log-config PATH If this option is specified, the logging configuration
file specified is used and overrides any other logging
options specified. Please see the Python logging
module documentation for details on logging
configuration files.
--log-format FORMAT A logging.Formatter log message format string which
may use any of the available logging.LogRecord
attributes.
--log-date-format DATE_FORMAT
Format string for %(asctime)s in log records.
--log-file PATH Name of log file to output. If not set, logging will
go to stdout.
--log-dir LOG_DIR The directory in which to store log files. (will be
prepended to --log-file)
--syslog-log-facility SYSLOG_LOG_FACILITY
syslog facility to receive log lines.
--pydev-debug-host PYDEV_DEBUG_HOST
--config-dir DIR Path to a config directory to pull *.conf files from.
This file set is sorted, so as to provide a
predictable parse order if individual options are
over-ridden. The set is parsed after the file(s), if
any, specified via --config-file, hence over-ridden
options in the directory take precedence.
执行keystone-manage --help命令,查看Keystone管理程序的帮助信息。
# keystone-manage --help
usage: keystone-manage [db_sync|export_legacy_catalog|import_legacy|import_nova_auth|pki_setup]
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--debug, -d Print debugging output (set logging level to DEBUG
instead of default WARNING level).
--nodebug The inverse of --debug
--verbose, -v Print more verbose output (set logging level to INFO
instead of default WARNING level).
--noverbose The inverse of --verbose
--use-syslog Use syslog for logging.
--nouse-syslog The inverse of --use-syslog
--standard-threads
--nostandard-threads The inverse of --standard-threads
--pydev-debug-port PYDEV_DEBUG_PORT
--config-file PATH Path to a config file to use. Multiple config files
can be specified, with values in later files taking
precedence. The default files used are:
['/etc/keystone/keystone.conf']
--log-config PATH If this option is specified, the logging configuration
file specified is used and overrides any other logging
options specified. Please see the Python logging
module documentation for details on logging
configuration files.
--log-format FORMAT A logging.Formatter log message format string which
may use any of the available logging.LogRecord
attributes.
--log-date-format DATE_FORMAT
Format string for %(asctime)s in log records.
--log-file PATH Name of log file to output. If not set, logging will
go to stdout.
--log-dir LOG_DIR The directory in which to store log files. (will be
prepended to --log-file)
--syslog-log-facility SYSLOG_LOG_FACILITY
syslog facility to receive log lines.
--pydev-debug-host PYDEV_DEBUG_HOST
--config-dir DIR Path to a config directory to pull *.conf files from.
This file set is sorted, so as to provide a
predictable parse order if individual options are
over-ridden. The set is parsed after the file(s), if
any, specified via --config-file, hence over-ridden
options in the directory take precedence.
Commands:
{db_sync,export_legacy_catalog,import_legacy,import_nova_auth,pki_setup}
Available commands
db_sync Sync the database.
export_legacy_catalog
Export the service catalog from a legacy database.
import_legacy Import a legacy database.
import_nova_auth Import a dump of nova auth data into keystone.
pki_setup Set up Key pairs and certificates for token signing
and verification.
执行keystone --help命令,查看Keystone客户端程序的帮助信息。
# keystone --help
usage: keystone [--version] [--timeout ]
[--os-username ]
[--os-password ]
[--os-tenant-name ]
[--os-tenant-id ] [--os-auth-url ]
[--os-region-name ]
[--os-identity-api-version ]
[--os-token ]
[--os-endpoint ]
[--os-cacert ] [--insecure]
[--os-cert ] [--os-key ] [--os-cache]
[--force-new-token] [--stale-duration ]
...
Command-line interface to the OpenStack Identity API.
Positional arguments:
catalog
ec2-credentials-create
Create EC2-compatible credentials for user per tenant
ec2-credentials-delete
Delete EC2-compatible credentials
ec2-credentials-get
Display EC2-compatible credentials
ec2-credentials-list
List EC2-compatible credentials for a user
endpoint-create Create a new endpoint associated with a service
endpoint-delete Delete a service endpoint
endpoint-get
endpoint-list List configured service endpoints
password-update Update own password
role-create Create new role
role-delete Delete role
role-get Display role details
role-list List all roles
service-create Add service to Service Catalog
service-delete Delete service from Service Catalog
service-get Display service from Service Catalog
service-list List all services in Service Catalog
tenant-create Create new tenant
tenant-delete Delete tenant
tenant-get Display tenant details
tenant-list List all tenants
tenant-update Update tenant name, description, enabled status
token-get
user-create Create new user
user-delete Delete user
user-get Display user details.
user-list List users
user-password-update
Update user password
user-role-add Add role to user
user-role-list List roles granted to a user
user-role-remove Remove role from user
user-update Update user's name, email, and enabled status
discover Discover Keystone servers, supported API versions and
extensions.
bootstrap Grants a new role to a new user on a new tenant, after
creating each.
bash-completion Prints all of the commands and options to stdout.
help Display help about this program or one of its
subcommands.
Optional arguments:
--version Shows the client version and exits
--timeout Set request timeout (in seconds)
--os-username
Name used for authentication with the OpenStack
Identity service. Defaults to env[OS_USERNAME]
--os-password
Password used for authentication with the OpenStack
Identity service. Defaults to env[OS_PASSWORD]
--os-tenant-name
Tenant to request authorization on. Defaults to
env[OS_TENANT_NAME]
--os-tenant-id
Tenant to request authorization on. Defaults to
env[OS_TENANT_ID]
--os-auth-url
Specify the Identity endpoint to use for
authentication. Defaults to env[OS_AUTH_URL]
--os-region-name
Defaults to env[OS_REGION_NAME]
--os-identity-api-version
Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
--os-token
Specify an existing token to use instead of retrieving
one via authentication (e.g. with username &
password). Defaults to env[OS_SERVICE_TOKEN]
--os-endpoint
Specify an endpoint to use instead of retrieving one
from the service catalog (via authentication).
Defaults to env[OS_SERVICE_ENDPOINT]
--os-cacert
Specify a CA bundle file to use in verifying a TLS
(https) server certificate. Defaults to env[OS_CACERT]
--insecure Explicitly allow keystoneclient to perform "insecure"
TLS (https) requests. The server's certificate will
not be verified against any certificate authorities.
This option should be used with caution.
--os-cert
Defaults to env[OS_CERT]
--os-key Defaults to env[OS_KEY]
--os-cache Use the auth token cache. Defaults to env[OS_CACHE]
--force-new-token If the keyring is available and in use, token will
always be stored and fetched from the keyring until
the token has expired. Use this option to request a
new token and replace the existing one in the keyring.
--stale-duration
Stale duration (in seconds) used to determine whether
a token has expired when retrieving it from keyring.
This is useful in mitigating process or network
delays. Default is 30 seconds.
See "keystone help COMMAND" for help on a specific command.
2.7 同步数据库并运行Keystone
同步数据库schema,Keystone会自动连接数据库,完成Table创建等工作。
# keystone-manage db_sync
然后,sqlite3数据库会创建文件~/keystone.db(视上文中的配置文件而定),我们可以查看数据库中的Table。首先使用sqlite3 ~/keystone.db命令打开数据库,然后使用.table命令查看所有Table,包括Tenant、User、Role、Service、Endpoint等。
# sqlite3 ~/keystone.db
SQLite version 3.7.7 2011-06-23 19:49:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .table
credential migrate_version token
domain policy user
ec2_credential role user_domain_metadata
endpoint service user_tenant_membership
metadata tenant
sqlite>.exit
#
至此,我们已经成功地完成了Keystone服务的安装与配置,完事具备,可以启动Keystone服务了。
# keystone-all
2.8 导入环境变量
为了访问Keystone服务,客户端需要导入环境变量,当然也可以选择在执行访问Keystone的命令时加上相关参数。在本文档所描述的部署环境中,Keystone客户端与服务端处在同一台PC上。导入环境变量的方式有两种:
1. 在终端使用export命令,这种方式使得该环境变量的有效范围仅限于本终端。
# export SERVICE_TOKEN=ADMIN
# export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0
这里需要解释一下:
“SERVICE_ENDPOINT”是Keystone的Endpoint,即API入口。其中,“192.168.3.67”为安装Keystone服务的机器的IP,“35357”为Keystone提供的认证授权和系统管理服务监听的端口(通常为内网),用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等,这在《配置Keystone》章节中已进行了说明。
“SERVICE_TOKEN”就是Keystone服务的Token,在《配置Keystone》章节中也已进行了说明。
2. 修改~/.bashrc文件,在文件尾部添加如下内容。(该文件包含当前用户Bash Shell的环境变量信息)
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0
然后执行如下命令,以使修改生效。一旦生效,终生有效哦亲!
# . ~/.bashrc
针对上述环境变量作如下说明:
SERVICE_TOKEN变量表示访问Keystone服务时使用的Token,与配置文件keystone.conf中的信息相对应,默认为ADMIN。
SERVICE_ENDPOINT变量表示Keystone服务的接入口,其中IP地址表明Keystone服务的安装位置,35357为默认访问端口。
于是,客户端就可以使用名为ADMIN的Token,通过给定的访问地址http://192.168.3.67:35357/v2.0来访问Keystone服务了。
3. 使用实例
3.1 初次查看Keystone中的信息
首先,我们分别执行以下命令,通过访问Keystone服务来查看几个重要数据库Table的内容,包括Tenant、User、Role、Service和Endpoint。当然,结果必然是空的,因为我们还没有添加任何Tenant、User、Role、Service以及Endpoint,但结果已经证明Keystone已经在正常工作了。
# keystone tenant-list
# keystone user-list
# keystone role-list
# keystone service-list
# keystone endpoint-list
3.2 手动添加自定义的信息
下面,我们将按照自己的要求来手动添加Tenant、User、Role、Service、Endpoint等信息。
我们将创建名称为adminTenant的Tenant(租户)、名称为admin的User(用户)以及名称为adminRole的Role(角色),并将它们关联起来。最终的结果表现为:一个名叫admin的用户,其拥有名为adminRole的角色身份,并且能够使用名为adminTennant的租户。
1. 创建Tenant,租户名为adminTenant,描述信息为Admin Tenant。请记住该命令生成的Tenant id,下面添加User时需要用到。
# keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | 4803098ff0b44f13bb33e7c9665e59d4 |
| name | adminTenant |
+-------------+----------------------------------+
2.创建User,用户名为admin,密码为openstack。请记住该命令生成的User id,下面的关联命令需要用到。
# keystone user-create --tenant_id 4803098ff0b44f13bb33e7c9665e59d4 --name admin --pass openstack --enabled true
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | c2c40638681041aca9625869c260ba51 |
| name | admin |
| tenantId | 4803098ff0b44f13bb33e7c9665e59d4 |
+----------+----------------------------------+
3. 创建Role,角色名为adminRole。请记住该命令生成的Role id,下面的关联命令需要用到。
# keystone role-create --name adminRole
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 675c497fdf314e74a3f4bd6e1710d45d |
| name | adminRole |
+----------+----------------------------------+
至此,我们已经创建了一个Ttenant,一个Uuser以及一个Rrole,它们的id分别是:
tenant_id:4803098ff0b44f13bb33e7c9665e59d4
user_id:c2c40638681041aca9625869c260ba51
role_id:675c497fdf314e74a3f4bd6e1710d45d
4. 最后,我们要使用上述三个id,并通过下面的命令来将三者关联起来。
# keystone user-role-add --user-id c2c40638681041aca9625869c260ba51 --tenant-id 4803098ff0b44f13bb33e7c9665e59d4 --role-id 675c497fdf314e74a3f4bd6e1710d45d
此时,让我们再使用list命令查看一下Tenant、User、Role、Service和Endpoint的信息。
# keystone tenant-list
+----------------------------------+-------------+---------+
| id | name | enabled |
+----------------------------------+-------------+---------+
| 4803098ff0b44f13bb33e7c9665e59d4 | adminTenant | True |
+----------------------------------+-------------+---------+
# keystone user-list
+----------------------------------+-------+---------+-------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------+
| c2c40638681041aca9625869c260ba51 | admin | True | |
+----------------------------------+-------+---------+-------+
# keystone role-list
+----------------------------------+-----------+
| id | name |
+----------------------------------+-----------+
| 675c497fdf314e74a3f4bd6e1710d45d | adminRole |
+----------------------------------+-----------+
# keystone service-list
# keystone endpoint-list
3.3 访问Keystone获取Token
上面已经完成了Tenant、User和Role的创建,并将三者关联起来,于是我们就可以使用User的用户名和密码来访问Keystone,获取用于访问Tenant的Token了。我们将使用curl命令来访问Keyston以获取授权,该命令需要给定四个参数,即tenantName(租户名)、username(用户名)、password(用户密码)以及认证授权申请地址(http://192.168.3.67:35357/v2.0/tokens或http://192.168.3.67:5000/v2.0/tokens都可以)。此外,返回信息会以json格式展现。
先尝试使用错误的密码进行访问,结果获取授权失败。返回信息中给出了相关错误提示信息。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "xxx"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 219 100 116 100 103 2547 2262 --:--:-- --:--:-- --:--:-- 2577
{
"error": {
"code": 401,
"message": "The request you have made requires authentication.",
"title": "Not Authorized"
}
}
然后使用正确的密码访问(http://192.168.3.67:35357/v2.0/tokens),结果成功获取授权。返回信息中包含了我们所需的Token,同时也显示了与本次请求相关的Tenant、User以及Role的信息。我们可以看到,Token的id为55e9889a646e467693f2e11b58ccf78d,其授权通过的时间为2013-03-15T12:42:00.096694,其授权过期的时间为2013-03-16T12:42:00Z。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 618 100 509 100 109 8811 1886 --:--:-- --:--:-- --:--:-- 8929
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"675c497fdf314e74a3f4bd6e1710d45d"
]
},
"serviceCatalog": [],
"token": {
"expires": "2013-03-16T12:42:00Z",
"id": "55e9889a646e467693f2e11b58ccf78d",
"issued_at": "2013-03-15T12:42:00.096694",
"tenant": {
"description": "Admin Tenant",
"enabled": true,
"id": "4803098ff0b44f13bb33e7c9665e59d4",
"name": "adminTenant"
}
},
"user": {
"id": "c2c40638681041aca9625869c260ba51",
"name": "admin",
"roles": [
{
"name": "adminRole"
}
],
"roles_links": [],
"username": "admin"
}
}
}
再试一下认证授权地址http://192.168.3.67:5000/v2.0/tokens,同样成功获取授权。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:5000/v2.0/tokens | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 618 100 509 100 109 9030 1933 --:--:-- --:--:-- --:--:-- 9254
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"675c497fdf314e74a3f4bd6e1710d45d"
]
},
"serviceCatalog": [],
"token": {
"expires": "2013-04-05T07:36:56Z",
"id": "bfe30305790c46e2a4b5bfc80060246b",
"issued_at": "2013-04-04T07:36:56.283627",
"tenant": {
"description": "Admin Tenant",
"enabled": true,
"id": "4803098ff0b44f13bb33e7c9665e59d4",
"name": "adminTenant"
}
},
"user": {
"id": "c2c40638681041aca9625869c260ba51",
"name": "admin",
"roles": [
{
"name": "adminRole"
}
],
"roles_links": [],
"username": "admin"
}
}
}
上述使用实例阐述了Keystone的基本操作,并且表明Keystone正确地为我们提供了身份验证与授权服务。以后的文档将延续该主题,介绍Keystone与Swift的联合部署,我们将使用Keystone为Swift提供身份验证与授权服务。
4. 参考链接
4.1 官方链接
Installing Keystone
http://docs.openstack.org/developer/keystone/installing.html
Setting up a Keystone development environment
http://docs.openstack.org/developer/keystone/setup.html
Configuring Keystone
http://docs.openstack.org/developer/keystone/configuration.html
keystone.conf
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/keystone-conf-file.html
Setting up tenants, users, and roles
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles.html
OpenStack/Keystone - GitHub
https://github.com/openstack/keystone
4.2 非官方链接
OpenStack Hands on lab 1: Keystone安装
http://liangbo.me/index.php/2012/03/27/11/
OpenStack安装 - keystone
http://articles.csdn.net/shangwuzhuanqu/OpenStackzhuanqu/jishufenxiangyemia/2012/0820/2808852.html
OpenStack Essex版安装 - keystone
http://blog.csdn.net/nocturne1210/article/details/7877307
OpenStack Keystone的理解
http://blog.csdn.net/xiangmin2587/article/details/8224042
OpenStack Identity(Keystone)身份服务体系结构与中间件
http://blog.sina.com.cn/s/blog_6a9ae9e501014w3p.html
OpenStack Keystone install - border / keystone.conf
https://gist.github.com/border/4070200
OpenStack云第三天
http://www.linuxidc.com/Linux/2012-12/75424.htm