I. Identity service overview
The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and the service catalog. Other OpenStack services use the Identity service as a common, unified API. In addition, services that provide information about users but are not part of OpenStack (such as an LDAP service) can be integrated into pre-existing infrastructure.
To benefit from the Identity service, the other OpenStack services must cooperate with it. When an OpenStack service receives a request from a user, it checks with the Identity service whether that user is authorized to make the request. The Identity service consists of these components:
- Server: a centralized server that provides authentication and authorization services through a RESTful interface.
- Drivers: drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories outside OpenStack, and those repositories may already exist in the infrastructure where OpenStack is deployed (for example, a SQL database or an LDAP server).
- Modules: middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).
When you install the OpenStack Identity service, you must register each service in your OpenStack installation with it. Only then can the Identity service track which OpenStack services are installed and locate them on the network.
II. Installation and configuration
1. Create the database
(1) Connect to the database server as the root user
[root@controller ~]# mysql -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(2) Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
(3) Grant the proper privileges on the keystone database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
2. Install the packages
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller ~]# cd /etc/keystone/
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini policy.json
keystone.conf logging.conf sso_callback_template.html
3. Generate a random value to use as the administration token during the initial configuration
[root@controller keystone]# openssl rand -hex 10
8de2ba44be7bdf6dde76
4. Edit the /etc/keystone/keystone.conf file
[root@controller keystone]# vim keystone.conf
Define the value of the initial administration token:
[DEFAULT]
admin_token = 8de2ba44be7bdf6dde76
Configure database access:
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
Configure the Fernet token provider:
[token]
provider = fernet
5. Populate the Identity service database:
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
6. Connect to the database and inspect the result
[root@controller keystone]# mysql -p keystone
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
37 rows in set (0.00 sec)
7. Initialize the Fernet keys
[root@controller keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini sso_callback_template.html
fernet-keys logging.conf
keystone.conf policy.json
8. Inspect the Fernet keys
[root@controller keystone]# cd fernet-keys/
[root@controller fernet-keys]# ls
0 1
[root@controller fernet-keys]# ll
total 8
-rw------- 1 keystone keystone 44 Jun 23 11:25 0
-rw------- 1 keystone keystone 44 Jun 23 11:25 1
9. Configure the Apache HTTP server
(1) Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node
[root@controller fernet-keys]# vim /etc/httpd/conf/httpd.conf
ServerName controller
(2) Create the /etc/httpd/conf.d/wsgi-keystone.conf file
[root@controller fernet-keys]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
(3) Start the Apache HTTP service and enable it to start at boot
[root@controller fernet-keys]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller fernet-keys]# systemctl start httpd
(4) Verify that ports 80, 35357, and 5000 are all listening
[root@controller fernet-keys]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 172.25.43.1:3306 0.0.0.0:* LISTEN 1784/mysqld
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 3585/memcached
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 868/sshd
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 1945/beam.smp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 963/master
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 1945/beam.smp
tcp 0 0 172.25.43.1:4369 172.25.43.1:48296 TIME_WAIT -
tcp 0 0 127.0.0.1:4369 127.0.0.1:37983 ESTABLISHED 2037/epmd
tcp 0 0 127.0.0.1:37983 127.0.0.1:4369 ESTABLISHED 1945/beam.smp
tcp 0 0 172.25.43.1:22 172.25.43.250:56604 ESTABLISHED 1220/sshd: root@pts
tcp6 0 0 :::11211 :::* LISTEN 3585/memcached
tcp6 0 0 :::80 :::* LISTEN 4317/httpd
tcp6 0 0 :::22 :::* LISTEN 868/sshd
tcp6 0 0 ::1:25 :::* LISTEN 963/master
tcp6 0 0 :::35357 :::* LISTEN 4317/httpd
tcp6 0 0 :::5000 :::* LISTEN 4317/httpd
tcp6 0 0 :::5672 :::* LISTEN 1945/beam.smp
III. Create the service entity and API endpoints
1. View the first lines of /etc/keystone/keystone.conf to retrieve the admin_token
[root@controller fernet-keys]# head /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 8de2ba44be7bdf6dde76
#
# From keystone
#
2. Configure the authentication token:
[root@controller keystone]# export OS_TOKEN=8de2ba44be7bdf6dde76
3. Configure the endpoint URL:
[root@controller keystone]# export OS_URL=http://controller:35357/v3
4. Configure the Identity API version:
[root@controller keystone]# export OS_IDENTITY_API_VERSION=3
5. Create the service entity for the Identity service
[root@controller keystone]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 6c4e8c786abf4c6799700fba3d9aa65e |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
6. List the OpenStack services
[root@controller keystone]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 6c4e8c786abf4c6799700fba3d9aa65e | keystone | identity |
+----------------------------------+----------+----------+
7. Create the Identity service API endpoints:
[root@controller keystone]# openstack endpoint create --region RegionOne \
> identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 8eea801c2ef24051b93748b2a2129c46 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6c4e8c786abf4c6799700fba3d9aa65e |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller keystone]# openstack endpoint create --region RegionOne \
> identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9da1abce0db84f39b8945699aefc3506 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6c4e8c786abf4c6799700fba3d9aa65e |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller keystone]# openstack endpoint create --region RegionOne identity admin http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 522abb6eec3843b48068c899b72ea575 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6c4e8c786abf4c6799700fba3d9aa65e |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
8. List the OpenStack API endpoints
[root@controller keystone]# openstack endpoint list
+----------+----------+--------------+--------------+---------+-----------+-------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------+----------+--------------+--------------+---------+-----------+-------------+
| 522abb6e | RegionOn | keystone | identity | True | admin | http://cont |
| ec3843b4 | e | | | | | roller:5000 |
| 8068c899 | | | | | | /v3 |
| b72ea575 | | | | | | |
| 8eea801c | RegionOn | keystone | identity | True | public | http://cont |
| 2ef24051 | e | | | | | roller:5000 |
| b93748b2 | | | | | | /v3 |
| a2129c46 | | | | | | |
| 9da1abce | RegionOn | keystone | identity | True | internal | http://cont |
| 0db84f39 | e | | | | | roller:5000 |
| b8945699 | | | | | | /v3 |
| aefc3506 | | | | | | |
+----------+----------+--------------+--------------+---------+-----------+-------------+
IV. Create a domain, projects, users, and roles
1. Create the default domain
[root@controller keystone]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 63a9992134eb452da1c8d950231c2b06 |
| name | default |
+-------------+----------------------------------+
2. Create the admin project:
[root@controller keystone]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 63a9992134eb452da1c8d950231c2b06 |
| enabled | True |
| id | d82e8f7c6ce044b98fe70f91943d0bfe |
| is_domain | False |
| name | admin |
| parent_id | 63a9992134eb452da1c8d950231c2b06 |
+-------------+----------------------------------+
3. Create the admin user
[root@controller keystone]# openstack user create --domain default --password admin admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 63a9992134eb452da1c8d950231c2b06 |
| enabled | True |
| id | 0cbb9a75ffdd486b9952ccdbf4ca9ac1 |
| name | admin |
+-----------+----------------------------------+
4. Create the admin role:
[root@controller keystone]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | d5d35d5bc38943acac4dfcb3312fd306 |
| name | admin |
+-----------+----------------------------------+
5. Add the admin role to the admin project and user:
[root@controller keystone]# openstack role add --project admin --user admin admin
6. Create the service project:
[root@controller keystone]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 63a9992134eb452da1c8d950231c2b06 |
| enabled | True |
| id | 26f7150da7e5411dab898567658a7d39 |
| is_domain | False |
| name | service |
| parent_id | 63a9992134eb452da1c8d950231c2b06 |
+-------------+----------------------------------+
7. Create the demo project:
[root@controller keystone]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 63a9992134eb452da1c8d950231c2b06 |
| enabled | True |
| id | 85c5f5f2b0914d2991e1716a4b087fe6 |
| is_domain | False |
| name | demo |
| parent_id | 63a9992134eb452da1c8d950231c2b06 |
+-------------+----------------------------------+
8. Create the demo user:
[root@controller keystone]# openstack user create --domain default --password demo demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 63a9992134eb452da1c8d950231c2b06 |
| enabled | True |
| id | 45938c03ee4447a28638f4f2e48d58cb |
| name | demo |
+-----------+----------------------------------+
9. Create the user role
[root@controller keystone]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | ebb7d1175a914e728711b72b593e0311 |
| name | user |
+-----------+----------------------------------+
10. Add the user role to the demo project and user:
[root@controller keystone]# openstack role add --project demo --user demo user
- Verify operation
1. Unset the temporary OS_TOKEN and OS_URL environment variables
[root@controller keystone]# unset OS_TOKEN OS_URL
2. As the admin user, request an authentication token
[root@controller keystone]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------------------------+
| expires | 2019-06-23T05:07:46.178888Z |
| id | gAAAAABdDvsSwHMc11NFZakW_28A1rI66j2nzD85MyzHlJD0U1dIbNAnSf2bEM70iFqrlGj0svhJyqxZYoZ |
| | NnXQGAym4Fdl1BWc8OWGnkXssTPER3TTPhtCBXiq1NMbQ24PrgJOPQXokq8adDhDmOgcX4CIM42ta3iB8AU |
| | AanRQ-7lRQ9G4yfbA |
| project_id | d82e8f7c6ce044b98fe70f91943d0bfe |
| user_id | 0cbb9a75ffdd486b9952ccdbf4ca9ac1 |
+------------+-------------------------------------------------------------------------------------+
3. As the demo user, request an authentication token:
[root@controller keystone]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+-------------------------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------------------------+
| expires | 2019-06-23T05:09:51.486069Z |
| id | gAAAAABdDvuPQ76LXMXichIfrSs4yQIk2rd7Azkt4ISJGVq-XIVEXIVBZARRHIw- |
| | ziUqys1wawt7mAUlxQnct71gkzIyS3tXiisKpljJHwTUOUwG8K0eeEkR- |
| | 1mUVLvTfvbQegm1BpsXyNya6sJXZDkv_QWUfyOF9HfZ5j142iKO8F-1vaKDGi0 |
| project_id | 85c5f5f2b0914d2991e1716a4b087fe6 |
| user_id | 45938c03ee4447a28638f4f2e48d58cb |
+------------+-------------------------------------------------------------------------------------+
[root@controller keystone]# cd
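The token ids returned above (gAAAAAB...) are Fernet tokens, and they are only as durable as the key files in the /etc/keystone/fernet-keys directory from steps 7 and 8. The following is an added example, not code from the original post, that models that repository in stdlib-only Python: key 0 is the staged key, the highest-numbered key is the primary, rotation promotes and prunes as keystone-manage fernet_rotate does, and a token is accepted only while the key that signed it is still present. The AES-CBC layer of Fernet is omitted (the payload travels in clear); the envelope layout, HMAC check, timestamp check and key ordering follow the Fernet specification, and max_active_keys=3 is keystone's default.

```python
import base64, hashlib, hmac, os, struct, tempfile, time
from pathlib import Path

def write_key(path: Path) -> None:
    # Fernet key: 32 random bytes, urlsafe-base64 (44 chars, like the 44-byte files above), mode 0600.
    path.write_bytes(base64.urlsafe_b64encode(os.urandom(32)))
    path.chmod(0o600)

def key_numbers(repo: Path) -> list:
    return sorted(int(p.name) for p in repo.iterdir() if p.name.isdigit())

def ordered_keys(repo: Path) -> list:
    # "0" is staged, the highest number is primary; validate primary first, then secondaries
    # newest-first, then the staged key (already distributed to other controllers ahead of promotion).
    nums = key_numbers(repo)
    order = [nums[-1]] + nums[-2:0:-1] + [0]
    return [base64.urlsafe_b64decode((repo / str(n)).read_bytes().strip()) for n in order]

def rotate(repo: Path, max_active_keys: int = 3) -> None:
    # fernet_rotate semantics: promote the staged key, stage a fresh one, prune the oldest secondaries.
    (repo / "0").rename(repo / str(key_numbers(repo)[-1] + 1))
    write_key(repo / "0")
    nums = key_numbers(repo)
    for old in nums[1:len(nums) - max_active_keys + 1]:   # never "0" or the primary
        (repo / str(old)).unlink()

def issue(repo: Path, payload: bytes, now: int) -> str:
    # Fernet envelope 0x80 | 64-bit timestamp | 16-byte IV | ciphertext | HMAC-SHA256 keyed with the
    # first 16 key bytes. The AES-CBC step is omitted (stdlib only), so the payload stays in clear.
    body = b"\x80" + struct.pack(">Q", now) + os.urandom(16) + payload
    tag = hmac.new(ordered_keys(repo)[0][:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def validate(repo: Path, token: str, now: int, ttl: int = 3600):
    # Try every active key in order, as keystone's MultiFernet does; None means rejected.
    data = base64.urlsafe_b64decode(token); body, tag = data[:-32], data[-32:]
    if body[:1] != b"\x80" or now - struct.unpack(">Q", body[1:9])[0] > ttl:
        return None
    for key in ordered_keys(repo):
        if hmac.compare_digest(hmac.new(key[:16], body, hashlib.sha256).digest(), tag):
            return body[25:]
    return None

def rotation_demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        write_key(repo / "0"); write_key(repo / "1")      # what fernet_setup leaves behind
        t0 = int(time.time())
        token = issue(repo, b"user=demo;project=demo", t0)   # constructed payload
        fresh = validate(repo, token, t0 + 60)            # primary key "1" authenticates it
        rotate(repo)                                      # keys {0,1,2}: "1" is now a secondary
        after_one = validate(repo, token, t0 + 60)        # still accepted via secondary "1"
        rotate(repo)                                      # {0,1,2,3} exceeds 3 keys: "1" is pruned
        after_two = validate(repo, token, t0 + 60)        # rejected: no remaining key verifies it
        expired = validate(repo, issue(repo, b"x", t0), t0 + 7200)   # past ttl, any key
        return fresh, after_one, after_two, expired
```

Rotation cadence times max_active_keys therefore bounds how long any issued token can stay valid, independently of its expires field.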
- Create the OpenStack client environment scripts
1. Edit the admin-openrc file and add the following content:
[root@controller ~]# ls
[root@controller ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
2. Edit the demo-openrc file and add the following content:
[root@controller ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
3. Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials:
[root@controller ~]# source admin-openrc
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 0cbb9a75ffdd486b9952ccdbf4ca9ac1 | admin |
| 45938c03ee4447a28638f4f2e48d58cb | demo |
+----------------------------------+-------+
[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 6c4e8c786abf4c6799700fba3d9aa65e | keystone | identity |
+----------------------------------+----------+----------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 26f7150da7e5411dab898567658a7d39 | service |
| 85c5f5f2b0914d2991e1716a4b087fe6 | demo |
| d82e8f7c6ce044b98fe70f91943d0bfe | admin |
+----------------------------------+---------+
[root@controller ~]# openstack endpoint list
+---------------+-----------+--------------+--------------+---------+-----------+------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+---------------+-----------+--------------+--------------+---------+-----------+------------------+
| 522abb6eec384 | RegionOne | keystone | identity | True | admin | http://controlle |
| 3b48068c899b7 | | | | | | r:5000/v3 |
| 2ea575 | | | | | | |
| 8eea801c2ef24 | RegionOne | keystone | identity | True | public | http://controlle |
| 051b93748b2a2 | | | | | | r:5000/v3 |
| 129c46 | | | | | | |
| 9da1abce0db84 | RegionOne | keystone | identity | True | internal | http://controlle |
| f39b8945699ae | | | | | | r:5000/v3 |
| fc3506 | | | | | | |
+---------------+-----------+--------------+--------------+---------+-----------+------------------+
[root@controller ~]# source demo-openrc
[root@controller ~]# openstack user list
You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-d8e78e2d-0aaf-4073-923a-1afcab772e57)
Note: after loading the demo user's environment, listing users fails with HTTP 403 on identity:list_users, which is expected because the demo user was given only the user role, not the admin role.
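The 403 above is a policy decision, not an authentication failure. The following added example (not part of the original post) reproduces it with a minimal oslo.policy-style evaluator: the two policy.json rules it loads are reproduced from the default policy shipped with Keystone at the time (an assumption, since the post lists /etc/keystone/policy.json but never prints it), and the credentials are constructed from the two scoped tokens issued in the verification step together with the roles assigned in section IV.

```python
import json

# The two rules behind identity:list_users, as in Keystone's default policy.json of that era
# (assumption: the post lists the file but does not print it). All other rules are omitted.
POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "identity:list_users": "rule:admin_required"
}""")

# Constructed credentials: ids from the two "token issue" outputs above, role names from the
# "openstack role add" steps in section IV.
ADMIN_CREDS = {"user_id": "0cbb9a75ffdd486b9952ccdbf4ca9ac1",
               "project_id": "d82e8f7c6ce044b98fe70f91943d0bfe", "roles": ["admin"]}
DEMO_CREDS = {"user_id": "45938c03ee4447a28638f4f2e48d58cb",
              "project_id": "85c5f5f2b0914d2991e1716a4b087fe6", "roles": ["user"]}

def check(expr: str, creds: dict, rules: dict) -> bool:
    # Evaluator for the subset of the policy language used here: "or" binds loosest, then
    # "and", then "not"; leaves are rule:<name>, role:<name> or a generic <key>:<value> match.
    expr = expr.strip()
    if " or " in expr:
        return any(check(part, creds, rules) for part in expr.split(" or "))
    if " and " in expr:
        return all(check(part, creds, rules) for part in expr.split(" and "))
    if expr.startswith("not "):
        return not check(expr[4:], creds, rules)
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(rules[value], creds, rules)
    if kind == "role":
        return value in creds.get("roles", ())
    return str(creds.get(kind)) == value      # e.g. is_admin:1 for an admin_token context

def enforce(action: str, creds: dict, rules: dict = POLICY) -> int:
    # HTTP status Keystone answers with for this action under these credentials.
    return 200 if check(rules[action], creds, rules) else 403

if __name__ == "__main__":
    for name, creds in (("admin", ADMIN_CREDS), ("demo", DEMO_CREDS)):
        print(f"{name}: openstack user list -> HTTP {enforce('identity:list_users', creds)}")
```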
Source: https://blog.csdn.net/qq_44236589/article/details/95757915