[root@linux-node1 ~]# systemctl enable mariadb.service   # enable MariaDB at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@linux-node1 ~]# systemctl start mariadb.service   # start the database
[root@linux-node1 ~]# mysql_secure_installation   # initialise and set the root password
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!

Author: zhige  Time: 2016-12-30 15:18  This post was last edited by zhige on 2016-12-30 15:21
In the Newton release Keystone is already at the V3 API. Keystone mainly involves the following concepts:
User: a consumer of services; it can be a person, a service or a system. Anything that uses an OpenStack service can be called a user.
Project (tenant): a tenant can be understood as the collection of resources owned by a person, a project or an organisation. A tenant can contain many users, and those users use the tenant's resources according to the permissions assigned to them.
Role: used to assign operation permissions. A role can be assigned to a user, giving that user the permissions the role carries.
Token: after successful authentication, Keystone generates a bit string or character string that serves as the token for accessing resources. The token carries the scope of accessible resources and a validity period.
New features of the Keystone V3 API
Keystone V3 made many changes and improvements; we pick the more important ones to explain:
Tenant renamed to Project
The Domain concept introduced
The Group concept introduced
Renaming Tenant to Project and adding Domain above it better matches the mapping between the real world and cloud services.
V3 uses Domain to implement a true multi-tenancy architecture; a Domain acts as the high-level container for Projects. A cloud service customer owns a Domain and can create multiple Projects, Users, Groups and Roles inside it. With Domains, a cloud customer can manage all of its Projects in one place instead of managing each Project separately as before.
A Group is a container for a set of Users. Users can be added to a Group and roles assigned directly to the Group, so every user in the Group holds the Group's role permissions. With Groups, Keystone V3 manages users as groups and can manage a whole group's permissions at once. This differs from V2, where Roles were assigned directly to a User/Project, and makes managing the cloud service more convenient.

Author: zhige  Time: 2016-12-30 15:22
Create the databases and users
Create the databases and users in the database server (for convenience, the accounts for the services used later, such as cinder, glance and neutron, are created in the database here as well).
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
Execution
[root@linux-node1 ~]# mysql -uroot -p
Enter password:   # the password set during initialisation
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | f0c69bad72b54e0daef92c2295425932 |
| name | demo |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| b84c1614b79b40278e02bd6ed034cc6f | admin |
| f0c69bad72b54e0daef92c2295425932 | demo |
+----------------------------------+-------+
Create the role:
[root@linux-node1 keystone]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | f53267146a6449b797393f7fc5d23e10 |
| name | user |
+-----------+----------------------------------+
[root@linux-node1 keystone]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9b0ba78cf70048efa8659220a3cebd06 | admin |
| f53267146a6449b797393f7fc5d23e10 | user |
+----------------------------------+-------+
Add the user to the project and grant the role
[root@linux-node1 keystone]# openstack role add --project demo --user demo user   # add the demo user to the demo project with the user role
Here I assign the role rules for the service users used later:
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 8dc6f28207b64e6d845a444a2ba18205 |
| name | glance |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user glance admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | db596da4ed8f47ab9dc7fa77d3bc8c6c |
| name | nova |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user nova admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | c0f9c52898ad4d4f88254a01c458eb27 |
| name | neutron |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user neutron admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | e5dbdde24a7340edb8bd3f498f9d28b5 |
| name | cinder |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user cinder admin

Author: zhige  Time: 2016-12-30 15:30
Verify Keystone
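An added check, not from the thread, that reviews rows of mysql.user against the mysql_secure_installation steps and the GRANT statements earlier in the thread: anonymous accounts, root reachable from the network, service accounts bound to '%', and passwords that equal the user name (the thread's GRANTs use IDENTIFIED BY 'keystone' for the keystone user, and so on). It assumes MariaDB's mysql_native_password scheme and the User/Host/Password columns of mysql.user in a 10.1-era server; the sample rows are constructed.

```python
import hashlib

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
SERVICE_ACCOUNTS = {"keystone", "glance", "nova", "neutron", "cinder"}


def mysql_native_password(password: str) -> str:
    """Reproduce MariaDB's PASSWORD() for mysql_native_password:
    '*' followed by SHA1(SHA1(password)) as uppercase hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_accounts(rows):
    """Return (user, host, finding) tuples for rows that undo what
    mysql_secure_installation did or weaken the service-account grants."""
    findings = []
    for row in rows:
        user, host, pw = row["User"], row["Host"], row["Password"]
        if user == "":
            findings.append((user, host, "anonymous account still present"))
            continue
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append((user, host, "root may log in from the network"))
        if user in SERVICE_ACCOUNTS and host == "%":
            findings.append((user, host, "service account accepts any source host"))
        if pw == "":
            findings.append((user, host, "empty password"))
        elif pw == mysql_native_password(user):
            findings.append((user, host, "password equals the user name"))
    return findings


# Constructed rows standing in for `SELECT User, Host, Password FROM mysql.user`;
# the hashes are computed here, not copied from any real server.
SAMPLE_ROWS = [
    {"User": "root", "Host": "localhost", "Password": mysql_native_password("Example-Root-Pw-1")},
    {"User": "", "Host": "localhost", "Password": ""},  # anonymous account not removed
    {"User": "keystone", "Host": "localhost", "Password": mysql_native_password("keystone")},
    {"User": "keystone", "Host": "%", "Password": mysql_native_password("keystone")},
    {"User": "glance", "Host": "localhost", "Password": mysql_native_password("Example-Glance-Pw-1")},
]

if __name__ == "__main__":
    for user, host, finding in audit_accounts(SAMPLE_ROWS):
        print(f"'{user}'@'{host}': {finding}")
```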
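An added example, not from the thread, for checking the Keystone role assignments made above: it reads the JSON that `openstack role assignment list --names -f json` prints and compares it with the assignments the thread intends (demo gets user on demo; each service account gets admin on service), reporting anything extra or missing. The column names (Role, User, Group, Project, Domain, Inherited) and the name@domain form are assumed from openstackclient's output; the sample JSON is constructed.

```python
import json

# Constructed sample of `openstack role assignment list --names -f json`, mirroring the
# thread's assignments plus one extra row (demo holding admin on the admin project).
SAMPLE_JSON = json.dumps([
    {"Role": "admin", "User": "admin@Default", "Group": "", "Project": "admin@Default", "Domain": "", "Inherited": False},
    {"Role": "user", "User": "demo@Default", "Group": "", "Project": "demo@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "glance@Default", "Group": "", "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "nova@Default", "Group": "", "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "neutron@Default", "Group": "", "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "cinder@Default", "Group": "", "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "demo@Default", "Group": "", "Project": "admin@Default", "Domain": "", "Inherited": False},
])

# The assignments the thread intends, as (user, project) -> set of roles.
EXPECTED = {
    ("admin", "admin"): {"admin"}, ("demo", "demo"): {"user"},
    ("glance", "service"): {"admin"}, ("nova", "service"): {"admin"},
    ("neutron", "service"): {"admin"}, ("cinder", "service"): {"admin"},
}

def short(name):
    """--names prints 'demo@Default'; keep just the name part."""
    return name.split("@", 1)[0]

def load_assignments(text):
    """Map (user, project) -> set of roles. Rows scoped to a group or a
    domain rather than a user/project are skipped and need a separate check."""
    actual = {}
    for row in json.loads(text):
        if not row["User"] or not row["Project"]:
            continue
        key = (short(row["User"]), short(row["Project"]))
        actual.setdefault(key, set()).add(row["Role"])
    return actual

def audit(actual, expected):
    """Return (unexpected, missing) lists of (user, project, role) triples."""
    unexpected = [(u, p, r) for (u, p), roles in actual.items()
                  for r in sorted(roles - expected.get((u, p), set()))]
    missing = [(u, p, r) for (u, p), roles in expected.items()
               for r in sorted(roles - actual.get((u, p), set()))]
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit(load_assignments(SAMPLE_JSON), EXPECTED)
    for finding in unexpected:
        print("UNEXPECTED assignment (user, project, role):", finding)
    for finding in missing:
        print("MISSING assignment (user, project, role):", finding)
```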