openstack-3 keystone (Identity service)
The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and the service catalog.
The Identity service is typically the first service a user interacts with. Once authenticated, an end user can use their identity to access other OpenStack services. Likewise, other OpenStack services rely on the Identity service to verify that users are who they claim to be and to discover the other services in the deployment. The Identity service can also integrate with some external user management systems (for example, LDAP).
Users and services can locate other services by using the service catalog managed by the Identity service. As the name implies, the service catalog is the collection of services available in an OpenStack deployment. Each service can have one or more endpoints, and each endpoint is one of three types: admin, internal, or public. In a production environment, for security reasons, the different endpoint types may live on separate networks exposed to different kinds of users. For example, the public API network might be visible from the Internet so that customers can manage their clouds. The admin API network might be restricted to operators within the organization that manages the cloud infrastructure. The internal API network might be restricted to the hosts that run the OpenStack services. In addition, OpenStack supports multiple regions for scalability. This guide uses the RegionOne region. The regions, services, and endpoints created in the Identity service together make up the deployment's service catalog. Each OpenStack service in the deployment needs a service entry, with its corresponding endpoints stored in the Identity service. This can be done after the Identity service has been installed and configured.
The Identity service consists of the following components:
Server
A centralized server provides authentication and authorization services through a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, a SQL database or an LDAP server).
Modules
Middleware modules run in the address space of the OpenStack components that use the Identity service. These modules intercept service requests, extract the user credentials, and send them to the central server for authorization. The middleware modules and the OpenStack components are integrated through the Python Web Server Gateway Interface (WSGI).
Installation and configuration
Prerequisites
Connect to the database server as the root user with the database client:
mysql -u root -p
Create the keystone database:
CREATE DATABASE keystone;
Grant the appropriate privileges on the keystone database:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystonepass';
Install and configure the components
yum install openstack-keystone httpd mod_wsgi
On the controller node, also install:
yum install -y python2-PyMySQL python-memcached
Generate a temporary token:
openssl rand -hex 10
Edit the /etc/keystone/keystone.conf file and complete the following actions:
In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:keystonepass@192.168.10.233/keystone
In the [token] section, configure the Fernet token provider:
[token]
provider = fernet
In the [DEFAULT] section, configure the admin token:
[DEFAULT]
admin_token = 279d54b9f417300c332d
Populate the Identity service database:
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
ll /etc/keystone/fernet-keys/
Configure the Apache HTTP server
Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node:
ServerName 192.168.10.201:80
Create a link to the /usr/share/keystone/wsgi-keystone.conf file:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/keystone/keystone.log
CustomLog /var/log/keystone/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/keystone/keystone.log
CustomLog /var/log/keystone/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
Recursively change the owner and group of the /etc/keystone directory:
chown -R keystone:keystone /etc/keystone
Finalize the installation
systemctl enable httpd.service
systemctl restart httpd.service
Create domains, projects, users, and roles
The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.
Install the openstack client (the openstack command):
yum install python-openstackclient
Set environment variables using the admin token to perform the following operations:
export OS_TOKEN=279d54b9f417300c332d
export OS_URL=http://192.168.10.233:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the default domain:
# Command format: openstack domain create --description "description" domain-name
[root@controller1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 0a8f301960df4c76bea868524707efe8 |
| name | default |
+-------------+----------------------------------+
[root@controller1 ~]# openstack domain list
+----------------------------------+---------+---------+----------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------+
| 0a8f301960df4c76bea868524707efe8 | default | True | Default Domain |
+----------------------------------+---------+---------+----------------+
Create an admin project:
# Command format: openstack project create --domain domain --description "description" project-name
[root@controller1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 0a8f301960df4c76bea868524707efe8 |
| enabled | True |
| id | 14c7c0b953754e0d9f30d4973e3e369d |
| is_domain | False |
| name | admin |
| parent_id | 0a8f301960df4c76bea868524707efe8 |
+-------------+----------------------------------+
[root@controller1 ~]# openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 14c7c0b953754e0d9f30d4973e3e369d | admin |
+----------------------------------+-------+
Create the admin user and set its password to admin:
[root@controller1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 0a8f301960df4c76bea868524707efe8 |
| enabled | True |
| id | f7e61b8a40b7490694e8082dc6ecf9bc |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| f7e61b8a40b7490694e8082dc6ecf9bc | admin |
+----------------------------------+-------+
Create the admin role:
A project can contain multiple roles; for now, only the roles defined in the /etc/keystone/policy.json file can be created:
[root@controller1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 11f7dc0b9df1443ab4a2ed688b10926f |
| name | admin |
+-----------+----------------------------------+
[root@controller1 ~]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 11f7dc0b9df1443ab4a2ed688b10926f | admin |
+----------------------------------+-------+
Grant the admin user its role:
Assign the admin role on the admin project to the admin user, that is, add a user named admin to the admin project and assign it the admin role; a role is a collection of permissions:
[root@linux-host1 ~]# openstack role add --project admin --user admin admin
Create the demo project, the demo user and the user role, and the service project:
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user
openstack project create --domain default \
--description "Service Project" service
Service registration
Create the keystone identity service:
[root@controller1 ~]# openstack service create --name keystone --description "OpenStackIdentity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStackIdentity |
| enabled | True |
| id | 88ae0d08128842279750cdc3dfb00cff |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
Create the endpoints
If an endpoint is created incorrectly or one too many is created, delete them all and register them again, because you cannot tell which one is right and which one is wrong, so the only option is to delete everything and re-register. Use the keepalived VIP as the registered IP address; haproxy is configured later:
If you need to change the node IP of an endpoint, see https://www.xiaopeiqing.com/posts/2160.html
mysql> use keystone;
mysql> select id,url from endpoint;
mysql> update endpoint set url='http://10.0.0.100:8773/services/Cloud' where id='c6edf51290e34b84995bccacbc2a2454';
# Public endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.10.233:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | e0ecf07f27494ac1b1fadc11e1162b53 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 88ae0d08128842279750cdc3dfb00cff |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.233:5000/v3 |
+--------------+----------------------------------+
# Internal endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.10.233:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 6b6ecf1ca488400784b0f9e35f5c4b7e |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 88ae0d08128842279750cdc3dfb00cff |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.233:5000/v3 |
+--------------+----------------------------------+
# Admin endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.10.233:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 4862d7d814f04fc08b0d5c5073a1209a |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 88ae0d08128842279750cdc3dfb00cff |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.233:35357/v3 |
+--------------+----------------------------------+
# List the currently registered services
[root@controller1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 88ae0d08128842279750cdc3dfb00cff | keystone | identity |
+----------------------------------+----------+----------+
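Before deleting every endpoint as suggested above, an audit of the `openstack endpoint list -f json` output can isolate the entries that are actually wrong (duplicates of the same service type, interface and region, or URLs that do not point at the VIP). This is an added example, not part of the original post: the column names are assumed from the CLI's table output, the endpoint list is constructed, and the expected host is the VIP used on this page.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of `openstack endpoint list -f json`
# (column names assumed from the CLI's table output). The third entry is a
# stray duplicate of the internal endpoint pointing at a node address
# instead of the VIP; its ID is a made-up placeholder.
SAMPLE_ENDPOINT_LIST = json.dumps([
    {"ID": "e0ecf07f27494ac1b1fadc11e1162b53", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "public",
     "URL": "http://192.168.10.233:5000/v3"},
    {"ID": "6b6ecf1ca488400784b0f9e35f5c4b7e", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "internal",
     "URL": "http://192.168.10.233:5000/v3"},
    {"ID": "deadbeefdeadbeefdeadbeefdeadbeef", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "internal",
     "URL": "http://192.168.10.201:5000/v3"},
    {"ID": "4862d7d814f04fc08b0d5c5073a1209a", "Region": "RegionOne", "Service Name": "keystone",
     "Service Type": "identity", "Enabled": True, "Interface": "admin",
     "URL": "http://192.168.10.233:35357/v3"},
])


def audit_endpoints(endpoint_json, expected_host):
    """Return the sorted IDs of endpoints that should be deleted: any whose URL
    host is not expected_host, plus every member of a (service type, interface,
    region) group that still has more than one candidate after that filter."""
    by_key = defaultdict(list)
    for ep in json.loads(endpoint_json):
        by_key[(ep["Service Type"], ep["Interface"], ep["Region"])].append(ep)
    bad = set()
    for eps in by_key.values():
        ok = []
        for ep in eps:
            if urlparse(ep["URL"]).hostname != expected_host:
                bad.add(ep["ID"])          # wrong host: clearly not the VIP entry
            else:
                ok.append(ep["ID"])
        if len(ok) > 1:                    # still ambiguous: flag the whole group
            bad.update(ok)
    return sorted(bad)


if __name__ == "__main__":
    for endpoint_id in audit_endpoints(SAMPLE_ENDPOINT_LIST, "192.168.10.233"):
        print("openstack endpoint delete", endpoint_id)
```

Feed it the real output of `openstack endpoint list -f json` and remove only the flagged IDs with `openstack endpoint delete`, re-creating those interfaces afterwards.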
Test whether keystone can authenticate users:
As the admin user, request an authentication token.
Verify the admin user with the password admin; open a new terminal window and run the following:
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# openstack --os-auth-url http://192.168.10.233:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------------------------------------------------------+
| expires | 2019-09-11T10:47:12+0000 |
| id | gAAAAABdeMKgXQCxYbOjBxz-Gmx8hz4xgeVsftGXaO1cqKXDvRk-HntiSKBmbm24yRiWmaKqWZiJb9BATnSiVeATMpJ8Lx- |
| | 1ZSM57jQOsn5iAqGTj-p_kuZWYE8iwy-r2KYHSEk1l9gitJfJ9QOIF9GpNF4lQQJ0tzDSmvvayBK82ooQP-e5pOY |
| project_id | 14c7c0b953754e0d9f30d4973e3e369d |
| user_id | f7e61b8a40b7490694e8082dc6ecf9bc |
+------------+-------------------------------------------------------------------------------------------------------------------+
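The `token issue` command above is a POST to /v3/auth/tokens: the token comes back in the X-Subject-Token header and the service catalog in the body. The example below is added here and is not from the original post; it builds that request body, shows the call, and picks an endpoint by service type, interface and region from a constructed catalog containing this guide's three identity endpoints (the auth URL and credentials are assumed from this page).

```python
import json
import urllib.request

# Assumed from this page: the public identity endpoint registered above.
AUTH_URL = "http://192.168.10.233:5000/v3"


def build_password_auth(username, password, project,
                        user_domain="default", project_domain="default"):
    """Build the Keystone v3 'password' auth body, scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username, "password": password,
                                           "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}}}}


def issue_token(auth_url, body):
    """POST the auth body; returns (token id, token object with catalog).
    Performs a network call, so it is not exercised offline."""
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)["token"]


def select_endpoint(token, service_type, interface, region="RegionOne"):
    """Return the URL for (service type, interface, region) from the token's
    catalog, or None if the catalog has no such endpoint."""
    for svc in token.get("catalog", []):
        if svc.get("type") != service_type:
            continue
        for ep in svc.get("endpoints", []):
            if ep.get("interface") == interface and ep.get("region") == region:
                return ep["url"]
    return None


# Constructed sample of the 'token' object Keystone returns, holding the
# three identity endpoints created in this guide.
SAMPLE_TOKEN = {
    "expires_at": "2019-09-11T10:47:12.000000Z",
    "project": {"name": "admin"}, "user": {"name": "admin"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "region_id": "RegionOne",
         "url": "http://192.168.10.233:5000/v3"},
        {"interface": "internal", "region": "RegionOne", "region_id": "RegionOne",
         "url": "http://192.168.10.233:5000/v3"},
        {"interface": "admin", "region": "RegionOne", "region_id": "RegionOne",
         "url": "http://192.168.10.233:35357/v3"}]}]}

if __name__ == "__main__":
    body = build_password_auth("admin", "admin", "admin")
    print(json.dumps(body))
    print(select_endpoint(SAMPLE_TOKEN, "identity", "admin"))
```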
Create OpenStack client environment scripts
Create the script
Contents of the admin user script:
cat admin-ocata.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.10.233:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Use the script
chmod +x admin-ocata.sh
In a child process only: bash admin-ocata.sh
In the current shell (globally): source admin-ocata.sh