OpenStack: Keystone 1+X Practical Training
Case implementation
In the OpenStack framework, Keystone (the OpenStack Identity Service) is responsible for authenticating identities, checking service policy rules and issuing service tokens; it implements the OpenStack Identity API. Keystone can be broken down into two functions: permission management and the service catalog. Permission management covers the management and authorization of users. The service catalog acts like a service bus, or the registry of the whole OpenStack framework. The identity module provides the API service, the token mechanism, the service catalog, policy rules, and authentication and token issuance.
Keystone operations commands
Domain (Region) management
source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack domain create --description "Default Domain2" default2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain2                  |
| enabled     | True                             |
| id          | 513453be056c4a6aaf55c104ee8f0bed |
| name        | default2                         |
+-------------+----------------------------------+
Creating a user
Create an account named "alice" with the password "mypassword123" and the email address "alice@example.com". The command is as follows.
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack user create --password mypassword123 --email alice@example.com --domain demo alice
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 118ada7fa91c4e3c898bc5cddfe09502 |
| email     | alice@example.com                |
| enabled   | True                             |
| id        | 5493c659bf6447aebdcda4a42a3f6581 |
| name      | alice                            |
+-----------+----------------------------------+
As the operation above shows, creating a user requires a user name, a password, an email address and similar information. The general format is:
$ openstack user create [--domain <domain>] [--password <password>] [--email <email-address>] [--enable | --disable] <name>
Here the parameter <name> is the name of the new user.
Creating a project
A project represents a project, team or organization. A project must be specified whenever an OpenStack service is requested, for example when listing the cloud instances currently running under the compute service. Create a project named "acme".
[root@controller ~]# openstack project create --domain demo acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | baa8393ded2d4226b08f6707b0605c7f |
| enabled     | True                             |
| id          | 6e33c852b46f4594828a77b273d0ad0c |
| is_domain   | False                            |
| name        | acme                             |
| parent_id   | baa8393ded2d4226b08f6707b0605c7f |
+-------------+----------------------------------+
As the operation above shows, creating a project requires a project name and related information. The general format is:
$ openstack project create [--domain <domain>] [--description <description>] [--enable | --disable] <project-name>
Here <project-name> is the name of the new project and <description> is its description.
Creating a role
A role defines which operations a user is permitted to perform. For example, create a role named "computer-user".
[root@controller ~]# openstack role create computer-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 8c2f87bfc4a44ab8a67a03e4ce97d9f9 |
| name      | computer-user                    |
+-----------+----------------------------------+
As the operation above shows, creating a role requires only a role name. The command format is:
$ openstack role create <name>
Here <name> is the role name.
Binding user and project permissions
A newly added user must be granted permissions, which means binding the user to the corresponding project and role. For example, grant user "alice" the "computer-user" role in project "acme"; the command is as follows.
[root@controller ~]# openstack role add --user alice --project acme3 computer-user
As the operation above shows, binding a user's permissions requires the user name, the role name and the project name. The command format is:
$ openstack role add --user <user> --project <project> <role>
Here <user> is the user to bind, <role> is the role granted to the user, and <project> is the project in which the user receives that role.
A role can also be granted at domain scope instead of project scope, in which case --domain replaces --project:
[root@controller ~]# openstack role add --user maxin2 computer-user --domain default3
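The commands above all run on top of the Keystone v3 Identity API. As an added example (not code from the training page), the block below builds the request the openstack CLI sends for the credentials in admin-openrc.sh, scoped to the project the role was bound in, and reads the granted roles and public endpoints back out of a token response. OS_AUTH_URL is the public identity endpoint from the page's endpoint list, the password is the page's example value, and the token response is a constructed sample.

```python
import json

# Added example, not part of the training page. It shows the Keystone v3 request
# the openstack CLI sends on behalf of the variables in admin-openrc.sh, and how
# the role bound above shows up in the token Keystone returns. OS_AUTH_URL is
# the public identity endpoint from the page's endpoint list; the password is
# the page's example value; the token response below is a constructed sample.
OS_AUTH_URL = "http://controller:5000/v3"


def build_scoped_auth_request(user, password, user_domain, project, project_domain):
    """Body of POST {OS_AUTH_URL}/auth/tokens: password auth scoped to a project.
    Users and projects are named per domain, so both carry a domain qualifier."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": user_domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}


def roles_and_public_endpoints(token_response):
    """Role names granted in the token's scope, and the public URL per service type."""
    token = token_response["token"]
    roles = sorted(r["name"] for r in token.get("roles", []))
    endpoints = {svc["type"]: ep["url"]
                 for svc in token.get("catalog", [])
                 for ep in svc["endpoints"] if ep["interface"] == "public"}
    return roles, endpoints


# Constructed response for alice scoped to acme (ids copied from the page's
# output). Keystone fills the %(tenant_id)s placeholder seen in the endpoint
# table with the scoped project's id before returning the catalog.
SAMPLE_TOKEN_RESPONSE = {"token": {
    "user": {"id": "5493c659bf6447aebdcda4a42a3f6581", "name": "alice"},
    "project": {"id": "6e33c852b46f4594828a77b273d0ad0c", "name": "acme"},
    "roles": [{"id": "8c2f87bfc4a44ab8a67a03e4ce97d9f9", "name": "computer-user"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "url": "http://controller:5000/v3"}]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public",
             "url": "http://controller:8774/v2.1/6e33c852b46f4594828a77b273d0ad0c"}]},
    ],
}}

if __name__ == "__main__":
    body = build_scoped_auth_request("alice", "mypassword123", "demo", "acme", "demo")
    print(json.dumps(body, indent=2))          # what the CLI POSTs to /auth/tokens
    print(roles_and_public_endpoints(SAMPLE_TOKEN_RESPONSE))
```

The token a user receives only carries the roles assigned in the requested scope, which is why a user with no role in a project cannot obtain a token scoped to it.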
Basic Keystone query commands
Listing users
The users of the OpenStack platform can be queried through the Keystone component. List all current users with:
[root@controller ~]# openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| 08e8c7f2ae044cda95935cf78d0e679c | demo              |
| 0befa70f767848e39df8224107b71858 | admin             |
| 0f980d5fefa6448a9c52f5c0ae5813a5 | ceilometer        |
| 1bd5ab1614274bf4bf62bd8bdfac32f2 | nova              |
| 25e931e21026434bb73f5ebd92646671 | heat_domain_admin |
| 461e8dbbbada466b8d6fe7998c28f7fd | glance            |
| 4c6eaa79772b4964abd69972531255a9 | neutron           |
| 6b7634fa0b9242599d1f349722f103bf | heat              |
| 869d2359c2234a33a26c2297015a247e | ma                |
| 9a1d2602b5d8404a95dd96beddda3a7e | alice             |
| a0300888d321460399936ec438ea7cb4 | admin2            |
| c701f9c0e49c4a5ab485328afff0ae1a | aodh              |
| c9670cb3d60349e69fc019360a61aef4 | cinder            |
| d8ba3131cb654ddda6a0486e092dd9fe | alice2            |
| e57fa54fe8724ab89e619df0ee46153d | swift             |
| eb8d1506d6a64daf9b3409cb06a048ac | mayue             |
+----------------------------------+-------------------+
The details of a specific user, including whether the account is currently enabled, can be queried with:
[root@controller ~]# openstack user show alice --domain default3
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 9321f21a94ef4f85993e92a228892418 |
| email     | alice@example.com                |
| enabled   | True                             |
| id        | 9a1d2602b5d8404a95dd96beddda3a7e |
| name      | alice                            |
+-----------+----------------------------------+
Listing projects
The project "acme" created above, as well as every project that exists on the OpenStack platform, can be listed with:
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 092544ea278d4ba29e28b405860d9cce | acme2   |
| 2039fe0fcd2242269f26b94f2c221145 | acme2   |
| 3ca3f1b85edd41ceb75497c6db07d5fa | acme3   |
| 5f942ba70fed4d3b912138d89b44f795 | admin2  |
| 6e33c852b46f4594828a77b273d0ad0c | acme    |
| 981bcb2641444b7eabc43f3605032b8e | acme    |
| c88f5a1b7619420dadb4309743e53f1a | service |
| e14b3dabf5594684913f3868669f35af | demo    |
| f9ff39ba9daa4e5a8fee1fc50e2d2b34 | admin   |
+----------------------------------+---------+
Query the details of the "acme" project with:
[root@controller ~]# openstack project show acme3
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | baa8393ded2d4226b08f6707b0605c7f |
| enabled     | True                             |
| id          | 3ca3f1b85edd41ceb75497c6db07d5fa |
| is_domain   | False                            |
| name        | acme3                            |
| parent_id   | baa8393ded2d4226b08f6707b0605c7f |
+-------------+----------------------------------+
Listing roles
The role "computer-user" created above, together with all other roles, can be listed through the Keystone component with:
[root@controller ~]# openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 398b127b3ac040c58b6629c58b776196 | heat_stack_user  |
| 4217695f42ba45e59434a3285cab5c07 | heat_stack_owner |
| 54dd141975184734b6fc109ac1d2a07b | compute-user     |
| 5a9eac70b43a42f9ad55dfe44c455e9a | admin            |
| 6280f11c992f4b94a9d04e349150a14f | user             |
| 7c31824d545e491f9514b67cc85812ab | ResellerAdmin    |
| 8c2f87bfc4a44ab8a67a03e4ce97d9f9 | computer-user    |
| d50f03f0cf7b4fbc982feaa931b2b7eb | admin2           |
+----------------------------------+------------------+
Query the details of the "compute-user" role with:
[root@controller ~]# openstack role show compute-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 54dd141975184734b6fc109ac1d2a07b |
| name      | compute-user                     |
+-----------+----------------------------------+
Listing endpoints
Keystone manages the endpoint information of every service on the OpenStack platform. The endpoint addresses used by all services can be listed with:
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                          |
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
| 0081946f15cb48849331297444dd0442 | RegionOne | neutron      | network        | True    | admin     | http://controller:9696                       |
| 07bd808888764d24b50e15144e8a6fe8 | RegionOne | ceilometer   | metering       | True    | internal  | http://controller:8777                       |
| 182a6f4f3153441c876164c8dd0d9c3b | RegionOne | neutron      | network        | True    | internal  | http://controller:9696                       |
| 258207871d6e456ea1bb7d62c3caf48d | RegionOne | keystone     | identity       | True    | admin     | http://controller:35357/v3                   |
| 25ce52947a7942e0a43564d3445811b1 | RegionOne | keystone     | identity       | True    | public    | http://controller:5000/v3                    |
| 2e2b0b279b894cfe8cc08921ddb5e654 | RegionOne | heat         | orchestration  | True    | public    | http://controller:8004/v1/%(tenant_id)s      |
| 30190b8009984fada23336af8d9b4d42 | RegionOne | glance       | image          | True    | public    | http://controller:9292                       |
| 3768e82d1cdb413fbc51878c851dc70a | RegionOne | neutron      | network        | True    | public    | http://controller:9696                       |
| 37b6e7c2de7146c3ab828a8216bccc30 | RegionOne | glance       | image          | True    | admin     | http://controller:9292                       |
| 3d3fb15f11a84bfbb3c7b3267036547b | RegionOne | heat-cfn     | cloudformation | True    | internal  | http://controller:8000/v1                    |
| 3da58f94618844e8b50491ae0a585a3b | RegionOne | heat-cfn     | cloudformation | True    | admin     | http://controller:8000/v1                    |
| 432b9c9a5b784e6f9387594bd5bc2fba | RegionOne | aodh         | alarming       | True    | internal  | http://controller:8042                       |
| 52b82bcc8fcb48458d8fdc26e345eb96 | RegionOne | cinder       | volume         | True    | internal  | http://controller:8776/v1/%(tenant_id)s      |
| 55d984e4d86e4b32b784b3aba31cb0b1 | RegionOne | aodh         | alarming       | True    | admin     | http://controller:8042                       |
| 56437f028b324b19bea164c23c1a0224 | RegionOne | heat         | orchestration  | True    | internal  | http://controller:8004/v1/%(tenant_id)s      |
| 58689480ad4b4332a3b608ca16e72134 | RegionOne | heat         | orchestration  | True    | admin     | http://controller:8004/v1/%(tenant_id)s      |
| 5e647be1753849569fe8ceee0a60751b | RegionOne | cinderv2     | volumev2       | True    | public    | http://controller:8776/v2/%(tenant_id)s      |
| 80a46b7dd8aa417b8eaa5bcc44bcaa69 | RegionOne | cinderv2     | volumev2       | True    | internal  | http://controller:8776/v2/%(tenant_id)s      |
| 879a7b30673c4ae99ea33f3968ebc3ed | RegionOne | swift        | object-store   | True    | internal  | http://controller:8080/v1/AUTH_%(tenant_id)s |
| 8a4dd6ab28f24f04a252db7731e191d4 | RegionOne | nova         | compute        | True    | internal  | http://controller:8774/v2.1/%(tenant_id)s    |
| 8bbd9673162f415c96e65fc75e1cdebb | RegionOne | ceilometer   | metering       | True    | public    | http://controller:8777                       |
| 908ed9af43094b2f9769abe489a4f2d2 | RegionOne | keystone     | identity       | True    | internal  | http://controller:5000/v3                    |
| 94336af80e704899955f496bc1499e6b | RegionOne | cinder       | volume         | True    | public    | http://controller:8776/v1/%(tenant_id)s      |
| 9a998f6520294d328db13f91fb9fea78 | RegionOne | aodh         | alarming       | True    | public    | http://controller:8042                       |
| 9b67f826eccb4a2fa99493d529bacc6a | RegionOne | nova         | compute        | True    | public    | http://controller:8774/v2.1/%(tenant_id)s    |
| 9d6c103c916c4dfd90b1f36d7643475b | RegionOne | cinderv2     | volumev2       | True    | admin     | http://controller:8776/v2/%(tenant_id)s      |
| c8639492a3144feba9af1fa024fb57f8 | RegionOne | swift        | object-store   | True    | admin     | http://controller:8080/v1                    |
| c91a6411cde14194bf14a640e7faadc5 | RegionOne | swift        | object-store   | True    | public    | http://controller:8080/v1/AUTH_%(tenant_id)s |
| caf54d7724cb4bf48a14f719a4bfe6ff | RegionOne | heat-cfn     | cloudformation | True    | public    | http://controller:8000/v1                    |
| d6f29007f85942b49a3d593cf401aba7 | RegionOne | ceilometer   | metering       | True    | admin     | http://controller:8777                       |
| d7ce3efc55df4714b08bd180bd700985 | RegionOne | cinder       | volume         | True    | admin     | http://controller:8776/v1/%(tenant_id)s      |
| f05f8cf412dd47b5a5260f955217f982 | RegionOne | glance       | image          | True    | internal  | http://controller:9292                       |
| fb45df3033374effa7dd3399e8b7bc01 | RegionOne | nova         | compute        | True    | admin     | http://controller:8774/v2.1/%(tenant_id)s    |
+----------------------------------+-----------+--------------+----------------+---------+-----------+----------------------------------------------+
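Every client hands its token to the URLs in this catalog, so the catalog is worth auditing rather than only listing. As an added example (not from the training page), the block below runs a few checks over output in the shape of `openstack endpoint list -f json`, which uses the same column names as the table above; the sample is constructed from rows of that table plus one hypothetical https entry (all-zero ID) for contrast.

```python
import json
from urllib.parse import urlsplit

# Added example, not from the page: a small audit over the service catalog in
# the shape of `openstack endpoint list -f json` (same keys as the table
# above). The sample is constructed from rows of that table plus one
# hypothetical https entry (all-zero ID) to show what a clean row looks like.
SAMPLE_ENDPOINTS = json.loads("""[
 {"ID": "25ce52947a7942e0a43564d3445811b1", "Region": "RegionOne", "Service Name": "keystone",
  "Service Type": "identity", "Enabled": true, "Interface": "public", "URL": "http://controller:5000/v3"},
 {"ID": "258207871d6e456ea1bb7d62c3caf48d", "Region": "RegionOne", "Service Name": "keystone",
  "Service Type": "identity", "Enabled": true, "Interface": "admin", "URL": "http://controller:35357/v3"},
 {"ID": "9b67f826eccb4a2fa99493d529bacc6a", "Region": "RegionOne", "Service Name": "nova",
  "Service Type": "compute", "Enabled": true, "Interface": "public", "URL": "http://controller:8774/v2.1/%(tenant_id)s"},
 {"ID": "c8639492a3144feba9af1fa024fb57f8", "Region": "RegionOne", "Service Name": "swift",
  "Service Type": "object-store", "Enabled": true, "Interface": "admin", "URL": "http://controller:8080/v1"},
 {"ID": "00000000000000000000000000000000", "Region": "RegionOne", "Service Name": "glance",
  "Service Type": "image", "Enabled": true, "Interface": "public", "URL": "https://controller:9292"}
]""")

SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}
REQUIRED_INTERFACES = ("public", "internal", "admin")


def audit_endpoints(endpoints):
    """Return (severity, message) findings, most severe first. Every client sends
    its token to these URLs, so a plaintext public endpoint is rated high."""
    findings, seen = [], {}
    for ep in endpoints:
        key = (ep["Region"], ep["Service Type"], ep["Interface"])
        if key in seen:  # two URLs for one (region, type, interface) is ambiguous
            findings.append(("medium", f"duplicate {key}: {seen[key]} and {ep['URL']}"))
        seen[key] = ep["URL"]
        if urlsplit(ep["URL"]).scheme != "https":
            sev = "high" if ep["Interface"] == "public" else "low"
            findings.append((sev, f"{ep['Service Name']} {ep['Interface']} endpoint is plaintext: {ep['URL']}"))
    for region, stype in sorted({k[:2] for k in seen}):
        for iface in REQUIRED_INTERFACES:
            if (region, stype, iface) not in seen:
                findings.append(("info", f"{stype} has no {iface} endpoint in {region}"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


if __name__ == "__main__":
    for severity, message in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"[{severity}] {message}")
```

Run against the real catalog with `openstack endpoint list -f json | python3 -c 'import json,sys; ...'` style piping, every endpoint in the table above would be reported as plaintext, which is expected for a lab controller but not for an exposed deployment.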