OpenStack、keystone組件

發(fā)布時(shí)間：2020-08-03 05:11:39 來(lái)源：網(wǎng)絡(luò) 閱讀：3267 作者：xiexiaojun 欄目：數(shù)據(jù)庫(kù)

一、部署OpenStack

1、環(huán)境

OS：CentOS6.5 X86_64

各節(jié)點(diǎn)時(shí)間同步、能基于主機(jī)名通信，清空iptables，關(guān)閉SElinux，禁用WorkManager服務(wù)

各節(jié)點(diǎn)的主機(jī)/etc/hosts文件配置:

cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.1 Node1 node1 controller www.node1.com
192.168.10.2 Node2 node2 compute    www.node2.com
192.168.10.3 Node3 node3 network    www.node3.com
192.168.10.4 Node4 node4            www.node4.com

2、配置Controller Node（Node1）的網(wǎng)絡(luò)

1）所有192.168.10.0段的數(shù)據(jù)包的源地址改成172.16.11.210

[root@Node1 ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.11.210
[root@Node1 ~]# service iptables save

2）打開內(nèi)核的路由（網(wǎng)卡間轉(zhuǎn)發(fā)）功能

要實(shí)現(xiàn)nat，要將文件/proc/sys/net/ipv4/ip_forward內(nèi)的值改為1，（默認(rèn)是0）

[root@Node1 ~]# vi /etc/sysctl.conf 
[root@Node1 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

3）配置yum源

[root@Node1 yum.repos.d]# cat CentOS-OpenStack-icehouse.repo
# CentOS-OpenStack-icehouse.repo
#

[centos-openstack-icehouse]
name=CentOS-$releasever - OpenStack icehouse
baseurl=https://repos.fedorapeople.org/repos/openstack/EOL/openstack-icehouse/epel-6/  
#為什么現(xiàn)在這個(gè)博客很容易吞鏈接啊，一沒(méi)注意鏈接就發(fā)不出來(lái) 
gpgcheck=0
enabled=1

二、Identity（Keystone）組件

1、Identity主要有兩個(gè)功能

用戶管理：認(rèn)證和授權(quán)

認(rèn)證方式有兩種：

token：持有授權(quán)字符串

帳號(hào)和密碼：

服務(wù)目錄：所有可用服務(wù)的信息庫(kù)，包含其API endpoint（訪問(wèn)端口）路徑

OpenStack、keystone組件

2、常用術(shù)語(yǔ)

user：一個(gè)user可以關(guān)聯(lián)至多個(gè)tenant（租戶）

Tenant：租戶，一個(gè)tenant對(duì)應(yīng)一個(gè)project，或一個(gè)組織

Role：角色

Token：令牌

Service：服務(wù)

Endpoint：服務(wù)的訪問(wèn)入口

3、在Controller Node上安裝keystone組件

[root@Node1 ~]# yum install openstack-keystone python-keystoneclient
[root@Node1 ~]# yum install openstack-utils
[root@Node1 yum.repos.d]# rpm -ql openstack-utils
/usr/bin/openstack-config
/usr/bin/openstack-db
/usr/bin/openstack-service
/usr/bin/openstack-status
/usr/share/doc/openstack-utils-2014.1

4、安裝數(shù)據(jù)庫(kù)，授權(quán)keystone能夠遠(yuǎn)程連入mysqld，并初始化數(shù)據(jù)庫(kù)

1）安裝OpenStack優(yōu)化的Mariabd數(shù)據(jù)庫(kù)并初始化

[root@Node1 ~]# yum install mariadb-galera-server -y

修改配置文件/etc/keystone/keystone.conf配置文件:

定義客戶端如何連接到keystone服務(wù)器

默認(rèn)配置：

#connection=mysql://keystone:keystone@localhost/keystone

mysql協(xié)議用戶名密碼主機(jī) 數(shù)據(jù)庫(kù)

授權(quán)keystone連接mysqld:

mysql> CREATE DATABASE keystone;
mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

keystone-manage初始化數(shù)據(jù)庫(kù)：

[root@Node1 ~]# keystone-manage --help
usage: keystone-manage [db_sync|db_version|pki_setup|ssl_setup|token_flush]

optional arguments:
  -h, --help            show this help message and exit
  --config-dir DIR      Path to a config directory to pull *.conf files from.
                        This file set is sorted, so as to provide a
                        predictable parse order if individual options are
                        over-ridden. The set is parsed after the file(s)
                        specified via previous --config-file, arguments hence
                        over-ridden options in the directory take precedence.
  --config-file PATH    Path to a config file to use. Multiple config files
                        can be specified, with values in later files taking
                        precedence. The default files used are: None
  --debug, -d           Print debugging output (set logging level to DEBUG
                        instead of default WARNING level).
  --log-config-append PATH, --log_config PATH
                        The name of logging configuration file. It does not
                        disable existing loggers, but just appends specified
                        logging configuration to any other existing logging
                        options. Please see the Python logging module
                        documentation for details on logging configuration
                        files.
  --log-date-format DATE_FORMAT
                        Format string for %(asctime)s in log records. Default:
                        None
  --log-dir LOG_DIR, --logdir LOG_DIR
                        (Optional) The base directory used for relative --log-
                        file paths
  --log-file PATH, --logfile PATH
                        (Optional) Name of log file to output to. If no
                        default is set, logging will go to stdout.
  --log-format FORMAT   DEPRECATED. A logging.Formatter log message format
                        string which may use any of the available
                        logging.LogRecord attributes. This option is
                        deprecated. Please use logging_context_format_string
                        and logging_default_format_string instead.
  --nodebug             The inverse of --debug
  --nostandard-threads  The inverse of --standard-threads
  --nouse-syslog        The inverse of --use-syslog
  --nouse-syslog-rfc-format
                        The inverse of --use-syslog-rfc-format
  --noverbose           The inverse of --verbose
  --pydev-debug-host PYDEV_DEBUG_HOST
                        Host to connect to for remote debugger.
  --pydev-debug-port PYDEV_DEBUG_PORT
                        Port to connect to for remote debugger.
  --standard-threads    Do not monkey-patch threading system modules.
  --syslog-log-facility SYSLOG_LOG_FACILITY
                        Syslog facility to receive log lines
  --use-syslog          Use syslog for logging. Existing syslog format is
                        DEPRECATED during I, and then will be changed in J to
                        honor RFC5424
  --use-syslog-rfc-format
                        (Optional) Use syslog rfc5424 format for logging. If
                        enabled, will add APP-NAME (RFC5424) before the MSG
                        part of the syslog message. The old format without
                        APP-NAME is deprecated in I, and will be removed in J.
  --verbose, -v         Print more verbose output (set logging level to INFO
                        instead of default WARNING level).
  --version             show program's version number and exit

Commands:
  {token_flush,db_version,pki_setup,ssl_setup,db_sync}
                        Available commands
    db_sync             Sync the database.
    db_version          Print the current migration version of the database.
    pki_setup           Set up Key pairs and certificates for token signing
                        and verification.
    ssl_setup           Create key pairs and certificates for HTTPS
                        connections.
    token_flush         Flush expired tokens from the backend.

# su -s /bin/sh -c "keystone-manage db_sync" keystone

mysql> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_keystone    |
+-----------------------+
| assignment            |
| credential            |
| domain                |
| endpoint              |
| group                 |
| migrate_version       |
| policy                |
| project               |
| region                |
| role                  |
| service               |
| token                 |
| trust                 |
| trust_role            |
| user                  |
| user_group_membership |
+-----------------------+
16 rows in set (0.00 sec)

2）編輯/etc/keystone/keystone.conf配置文件

設(shè)置token：

[root@Node1 ~]# ADMIN_TOKEN=$(openssl rand -hex 10)  #隨機(jī)設(shè)置幾個(gè)字符串也是可以的
[root@Node1 ~]# echo $ADMIN_TOKEN
8dc775e8139f48a8de39
[root@Node1 ~]# echo $ADMIN_TOKEN > admin_token.rc   #保存起來(lái)，以便以后用到
[root@Node1 ~]# vi /etc/keystone/keystone.conf  

#admin_token=ADMIN                   #找到這行，并復(fù)制
admin_token=8dc775e8139f48a8de39     #用字符串代替ADMIN

設(shè)置本地PKI:

[root@Node1 ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

[root@Node1 ~]# chown -R keystone:keystone /etc/keystone/ssl
[root@Node1 ~]# chmod -R o-rwx /etc/keystone/ssl

啟動(dòng)keystone：

[root@Node1 ~]#  service openstack-keystone start
Starting keystone:                                         [  OK  ]
[root@Node1 ~]# chkconfig openstack-keystone on

設(shè)置環(huán)境變量:

[root@Node1 ~]# export OS_SERVICE_TOKEN=$ADMIN_TOKEN   #方便客戶端使用
[root@Node1 ~]# export OS_SERVICE_ENDPOINT=http://192.168.10.1:35357/v2.0

5、keystone客戶端使用

1）創(chuàng)建用戶，角色，租戶

[root@Node1 ~]# keystone --help
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
usage: keystone [--version] [--timeout <seconds>]
                [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>]
                [--os-cacert <ca-certificate>] [--insecure]
                [--os-cert <certificate>] [--os-key <key>] [--os-cache]
                [--force-new-token] [--stale-duration <seconds>]
                <subcommand> ...

Pending deprecation: Command-line interface to the OpenStack Identity API.
This CLI is pending deprecation in favor of python-openstackclient. For a
Python library, continue using python-keystoneclient.

Positional arguments:
  <subcommand>
    catalog             List service catalog, possibly filtered by service.
    ec2-credentials-create
                        Create EC2-compatible credentials for user per tenant.
    ec2-credentials-delete
                        Delete EC2-compatible credentials.
    ec2-credentials-get
                        Display EC2-compatible credentials.
    ec2-credentials-list
                        List EC2-compatible credentials for a user.
    endpoint-create     Create a new endpoint associated with a service.
    endpoint-delete     Delete a service endpoint.
    endpoint-get        Find endpoint filtered by a specific attribute or
                        service type.
    endpoint-list       List configured service endpoints.
    password-update     Update own password.
    role-create         Create new role.
    role-delete         Delete role.
    role-get            Display role details.
    role-list           List all roles.
    service-create      Add service to Service Catalog.
    service-delete      Delete service from Service Catalog.
    service-get         Display service from Service Catalog.
    service-list        List all services in Service Catalog.
    tenant-create       Create new tenant.
    tenant-delete       Delete tenant.
    tenant-get          Display tenant details.
    tenant-list         List all tenants.
    tenant-update       Update tenant name, description, enabled status.
    token-get           Display the current user token.
    user-create         Create new user
    user-delete         Delete user.
    user-get            Display user details.
    user-list           List users.
    user-password-update
                        Update user password.
    user-role-add       Add role to user.
    user-role-list      List roles granted to a user.
    user-role-remove    Remove role from user.
    user-update         Update user's name, email, and enabled status.
    discover            Discover Keystone servers, supported API versions and
                        extensions.
    bootstrap           Grants a new role to a new user on a new tenant, after
                        creating each.
    bash-completion     Prints all of the commands and options to stdout.
    help                Display help about this program or one of its
                        subcommands.

Optional arguments:
  --version             Shows the client version and exits.
  --timeout <seconds>   Set request timeout (in seconds).
  --os-username <auth-user-name>
                        Name used for authentication with the OpenStack
                        Identity service. Defaults to env[OS_USERNAME].
  --os-password <auth-password>
                        Password used for authentication with the OpenStack
                        Identity service. Defaults to env[OS_PASSWORD].
  --os-tenant-name <auth-tenant-name>
                        Tenant to request authorization on. Defaults to
                        env[OS_TENANT_NAME].
  --os-tenant-id <tenant-id>
                        Tenant to request authorization on. Defaults to
                        env[OS_TENANT_ID].
  --os-auth-url <auth-url>
                        Specify the Identity endpoint to use for
                        authentication. Defaults to env[OS_AUTH_URL].
  --os-region-name <region-name>
                        Specify the region to use. Defaults to
                        env[OS_REGION_NAME].
  --os-identity-api-version <identity-api-version>
                        Specify Identity API version to use. Defaults to
                        env[OS_IDENTITY_API_VERSION] or 2.0.
  --os-token <service-token>
                        Specify an existing token to use instead of retrieving
                        one via authentication (e.g. with username &
                        password). Defaults to env[OS_SERVICE_TOKEN].
  --os-endpoint <service-endpoint>
                        Specify an endpoint to use instead of retrieving one
                        from the service catalog (via authentication).
                        Defaults to env[OS_SERVICE_ENDPOINT].
  --os-cacert <ca-certificate>
                        Specify a CA bundle file to use in verifying a TLS
                        (https) server certificate. Defaults to
                        env[OS_CACERT].
  --insecure            Explicitly allow keystoneclient to perform "insecure"
                        TLS (https) requests. The server's certificate will
                        not be verified against any certificate authorities.
                        This option should be used with caution.
  --os-cert <certificate>
                        Defaults to env[OS_CERT].
  --os-key <key>        Defaults to env[OS_KEY].
  --os-cache            Use the auth token cache. Defaults to env[OS_CACHE].
  --force-new-token     If the keyring is available and in use, token will
                        always be stored and fetched from the keyring until
                        the token has expired. Use this option to request a
                        new token and replace the existing one in the keyring.
  --stale-duration <seconds>
                        Stale duration (in seconds) used to determine whether
                        a token has expired when retrieving it from keyring.
                        This is useful in mitigating process or network
                        delays. Default is 30 seconds.

See "keystone help COMMAND" for help on a specific command.

[root@Node1 ~]# keystone help  user-create 
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
usage: keystone user-create --name <user-name> [--tenant <tenant>]
                            [--pass [<pass>]] [--email <email>]
                            [--enabled <true|false>]

Create new user

Arguments:
  --name <user-name>    New user name (must be unique).
  --tenant <tenant>, --tenant-id <tenant>
                        New user default tenant.
  --pass [<pass>]       New user password; required for some auth backends.
  --email <email>       New user email address.
  --enabled <true|false>
                        Initial user enabled status. Default is true.
[root@Node1 ~]# keystone user-create --name=admin --pass=admin    #創(chuàng)建用戶和密碼
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)   #這個(gè)警告信息是gmp包要5以上的版本
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 2156077a9bc644d597f07719fc67ea56 |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+
[root@Node1 ~]# keystone user-list
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| 2156077a9bc644d597f07719fc67ea56 | admin |   True  |       |
+----------------------------------+-------+---------+-------+
[root@Node1 ~]# keystone role-create --name=admin        #創(chuàng)建角色
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 908cde894759423780e5787e4e50d7fb |
|   name   |              admin               |
+----------+----------------------------------+
[root@Node1 ~]# keystone role-list
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |      #默認(rèn)的角色
| 908cde894759423780e5787e4e50d7fb |  admin   |
+----------------------------------+----------+
[root@Node1 ~]# keystone tenant-create --name=admin --description="Admin Tenant"    #創(chuàng)建租戶
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 63607fac42c94ecbb2490eb01b357586 |
|     name    |              admin               |
+-------------+----------------------------------+
[root@Node1 ~]# keystone user-role-add --user admin --role admin --tenant admin  #將用戶admin添加到admin角色和admin租戶
[root@Node1 ~]# keystone user-role-add --user admin --role _member_ --tenant admin #添加到默認(rèn)的角色
[root@Node1 ~]# keystone user-role-list --user admin --tenant admin
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 2156077a9bc644d597f07719fc67ea56 | 63607fac42c94ecbb2490eb01b357586 |
| 908cde894759423780e5787e4e50d7fb |  admin   | 2156077a9bc644d597f07719fc67ea56 | 63607fac42c94ecbb2490eb01b357586 |
+----------------------------------+----------+----------------------------------+----------------------------------+

創(chuàng)建一個(gè)普通用戶：

[root@Node1 ~]# keystone user-create --name demo --pass demo 
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | a3ebced215de4892b9370b4d37eaf9bd |
|   name   |               demo               |
| username |               demo               |
+----------+----------------------------------+

[root@Node1 ~]# keystone tenant-create --name demo
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 0804069a7a454a9a86d4105dd40bed17 |
|     name    |               demo               |
+-------------+----------------------------------+
[root@Node1 ~]# keystone user-role-add --user demo --role _member_ --tenant demo
[root@Node1 ~]# keystone user-role-list --tenant=demo --user=demo
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | a3ebced215de4892b9370b4d37eaf9bd | 0804069a7a454a9a86d4105dd40bed17 |
+----------------------------------+----------+----------------------------------+----------------------------------+

設(shè)置一個(gè)服務(wù)租戶：

[root@Node1 ~]# keystone tenant-create --name=service
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | c536e6faa30b4b3f998e14af70f4f7c2 |
|     name    |             service              |
+-------------+----------------------------------+

2）創(chuàng)建服務(wù)和服務(wù)端點(diǎn)（endpoint)

[root@Node1 ~]# keystone help service-create
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
usage: keystone service-create --name <name> --type <type>
                               [--description <service-description>]

Add service to Service Catalog.

Arguments:
  --name <name>         Name of new service (must be unique).
  --type <type>         Service type (one of: identity, compute, network,
                        p_w_picpath, object-store, or other service identifier
                        string).
  --description <service-description>
                        Description of service.
                       
[root@Node1 ~]# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|   enabled   |               True               |
|      id     | 16929dabe6db4044af364ab96867b8b4 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+   
[root@Node1 ~]# keystone service-list
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+----------+----------+--------------------+
|                id                |   name   |   type   |    description     |
+----------------------------------+----------+----------+--------------------+
| 16929dabe6db4044af364ab96867b8b4 | keystone | identity | OpenStack Identity |
+----------------------------------+----------+----------+--------------------+

[root@Node1 ~]# keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ identity / {print $2}') \
--publicurl=http://controller:5000/v2.0 \            #普通用戶訪問(wèn)端口
--internalurl=http://controller:5000/v2.0 \
--adminurl=http://controller:35357/v2.0             #管理用戶訪問(wèn)端口  
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |  http://192.168.10.1:35357/v2.0  |
|      id     | c10e8a817882456497c6acdb3e94e06b |
| internalurl |  http://192.168.10.1:5000/v2.0   |
|  publicurl  |  http://192.168.10.1:5000/v2.0   |
|    region   |            regionOne             |
|  service_id | 16929dabe6db4044af364ab96867b8b4 |
+-------------+----------------------------------+
[root@Node1 ~]#

使用用戶認(rèn)證：

[root@Node1 ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
[root@Node1 ~]# keystone --os-username=admin --os-password=admin --os-auth-url=http://192.168.10.1:35357/v2.0 token-get   #這條命令能執(zhí)行成功說(shuō)明認(rèn)證成功

[root@Node1 ~]# vi .admin-openrc.sh

[root@Node1 ~]# cat .admin-openrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://192.168.10.1:35357/v2.0
[root@Node1 ~]# . .admin-openrc.sh  
[root@Node1 ~]# keystone user-list
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| 2156077a9bc644d597f07719fc67ea56 | admin |   True  |       |
| a3ebced215de4892b9370b4d37eaf9bd |  demo |   True  |       |
+----------------------------------+-------+---------+-------+

向AI問(wèn)一下細(xì)節(jié)

OpenStack、keystone組件

猜你喜歡

最新資訊

相關(guān)推薦

相關(guān)標(biāo)簽

OpenStack、keystone組件