1. Preface
I have been running OpenStack in production for a little over a year now. Between a lack of time and the laziness that day-to-day work brings, I kept putting off writing up what I know about OpenStack; with the end of the year approaching, this is a summary of the common operations tasks I ran into in production over the past year or so. Note that these operations are all based on the official OpenStack documentation and help output, so the best approach is still to read the official docs; this post is only meant as a starting point.
2. About keystone
keystone is the OpenStack service responsible for authentication and authorization. It has two main jobs: 1. user authentication and authorization, 2. the catalog service. Overall, keystone acts as the registry of OpenStack: every user must be registered in keystone, and every OpenStack service must register its catalog information with keystone so that components can call one another.
3. Granting users access in keystone
The smallest unit of resource grouping in OpenStack is the tenant. A tenant is a collection of resources, including compute, network and storage resources, and usually corresponds to a company, a department or an individual: for example, a company applying for Alibaba Cloud, or a department applying to use resources on an internal OpenStack private cloud. As an OpenStack cloud administrator, granting users access is a basic task. A tenant also receives a default compute quota, storage quota and network quota; adjusting quotas is covered in a later post. The user creation process below has three stages: 1. create the user, 2. create the tenant, 3. add the user to the tenant with a role.
3.1 Create the user
[root@controller ~]# keystone user-create --name user1 --pass password --email user1@example.com --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | user1@example.com                |
| enabled  | True                             |
| id       | ce398fc13d224c63b9d90b3cc2b6d464 |   # the user's id
| name     | user1                            |
| username | user1                            |
+----------+----------------------------------+
List the users:
[root@controller ~]# keystone user-list
+----------------------------------+---------+---------+---------------------+
| id                               | name    | enabled | email               |
+----------------------------------+---------+---------+---------------------+
| bc5e46fc4204497185ae3ca6f8b7affb | admin   | True    | admin@example.com   |
| ac86694e3053492f921e19aca9c9d646 | cinder  | True    | cinder@example.com  |
| 0ed4f1c5af2a496a8d56e256d966ef9d | demo    | True    | demo@example.com    |
| 0922aae9b7bf4f80a7811fd0c7db49c6 | glance  | True    | glance@example.com  |
| 053262aa44ce430d91465417f045cead | neutron | True    | neutron@example.com |
| b709f56c61114ce78768b34d76d5af90 | nova    | True    | nova@example.com    |
| ce398fc13d224c63b9d90b3cc2b6d464 | user1   | True    | user1@example.com   |   # the user just created; its id is needed later
+----------------------------------+---------+---------+---------------------+
Show the user's details:
[root@controller ~]# keystone user-get ce398fc13d224c63b9d90b3cc2b6d464
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | user1@example.com                |
| enabled  | True                             |
| id       | ce398fc13d224c63b9d90b3cc2b6d464 |
| name     | user1                            |
| username | user1                            |
+----------+----------------------------------+
Summary: user management operations include user-create, user-delete, user-update, user-list and user-get (create, delete, update, query), plus user-password-update to change a user's password. The operations for tenant, role, service and endpoint follow the same pattern.
3.2 Create the tenant
[root@controller ~]# keystone tenant-create --name companyA --description "Project For ComputeA" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Project For ComputeA             |
| enabled     | True                             |
| id          | 7ff1dfb5a6f349958c3a949248e56236 |   # the tenant's id, needed later
| name        | companyA                         |
+-------------+----------------------------------+
List the tenants:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin    | True    |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True    |   # the tenant just created
| 10d1465c00d049fab88dec1af0f56b1b | demo     | True    |
| 3b57a14f7c354a979c9f62b60f31a331 | service  | True    |
+----------------------------------+----------+---------+
Show the tenant's details:
[root@controller ~]# keystone tenant-get 7ff1dfb5a6f349958c3a949248e56236
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Project For ComputeA             |
| enabled     | True                             |
| id          | 7ff1dfb5a6f349958c3a949248e56236 |
| name        | companyA                         |
+-------------+----------------------------------+
3.3 Associate the user with the tenant and a role
Look up the tenant's id:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin    | True    |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True    |   # the tenant's id
| 10d1465c00d049fab88dec1af0f56b1b | demo     | True    |
| 3b57a14f7c354a979c9f62b60f31a331 | service  | True    |
+----------------------------------+----------+---------+
Look up the role's id:
[root@controller ~]# keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |   # the _member_ role's id
| 7b0ceee10fb64960acb2b6f0b9247b4f | admin    |
+----------------------------------+----------+
Add the role to the user on the tenant (the user's id is the one from user-list above):
[root@controller ~]# keystone user-role-add --user ce398fc13d224c63b9d90b3cc2b6d464 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 7ff1dfb5a6f349958c3a949248e56236
Check the user's role assignment:
[root@controller ~]# keystone user-role-list --user user1 --tenant companyA
+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ce398fc13d224c63b9d90b3cc2b6d464 | 7ff1dfb5a6f349958c3a949248e56236 |
+----------------------------------+----------+----------------------------------+----------------------------------+
4. Summary
The above is the process of granting a user access in keystone. keystone operations involve user, tenant, role, service and endpoint, and each object has its own create/delete/update/query commands; check the keystone command help, e.g. keystone help user-create shows the exact usage of user-create.
5. Appendix: keystone usage
[root@controller ~]# keystone -h
usage: keystone [--version] [--timeout <seconds>]
[--os-username <auth-user-name>]
[--os-password <auth-password>]
[--os-tenant-name <auth-tenant-name>]
[--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
[--os-region-name <region-name>]
[--os-identity-api-version <identity-api-version>]
[--os-token <service-token>]
[--os-endpoint <service-endpoint>]
[--os-cacert <ca-certificate>] [--insecure]
[--os-cert <certificate>] [--os-key <key>] [--os-cache]
[--force-new-token] [--stale-duration <seconds>]
<subcommand> ...
Pending deprecation: Command-line interface to the OpenStack Identity API.
This CLI is pending deprecation in favor of python-openstackclient. For a
Python library, continue using python-keystoneclient.
Positional arguments:
<subcommand>
catalog List service catalog, possibly filtered by service.
ec2-credentials-create # compatible with Amazon EC2
Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete
Delete EC2-compatible credentials.
ec2-credentials-get
Display EC2-compatible credentials.
ec2-credentials-list
List EC2-compatible credentials for a user. # endpoint management
endpoint-create Create a new endpoint associated with a service.
endpoint-delete Delete a service endpoint.
endpoint-get Find endpoint filtered by a specific attribute or
service type.
endpoint-list List configured service endpoints.
password-update Update own password.
role-create Create new role. # role management
role-delete Delete role.
role-get Display role details.
role-list List all roles.
service-create Add service to Service Catalog. # service management
service-delete Delete service from Service Catalog.
service-get Display service from Service Catalog.
service-list List all services in Service Catalog.
tenant-create Create new tenant. # tenant management
tenant-delete Delete tenant.
tenant-get Display tenant details.
tenant-list List all tenants.
tenant-update Update tenant name, description, enabled status.
token-get Display the current user token.
user-create Create new user # user management
user-delete Delete user.
user-get Display user details.
user-list List users.
user-password-update
Update user password.
user-role-add Add role to user. # user role and tenant management
user-role-list List roles granted to a user.
user-role-remove Remove role from user.
user-update Update user's name, email, and enabled status.
discover Discover Keystone servers, supported API versions and
extensions.
bootstrap Grants a new role to a new user on a new tenant, after
creating each.
bash-completion Prints all of the commands and options to stdout.
help Display help about this program or one of its
subcommands.