Keystone is one of the OpenStack components. It provides a unified authentication service for the other members of the OpenStack family: identity verification, token issuance and validation, the service catalog, the definition of user permissions, and so on. All authorization and authentication between services in the cloud environment goes through Keystone, so Keystone is the first service that has to be installed on the cloud platform.
To learn Keystone, you need to understand the following concepts:
User refers to any entity that uses OpenStack: a real person, another system, or a service.
When a User requests access to OpenStack, Keystone authenticates it. Horizon manages Users under Identity->Users.
admin: the superuser of the OpenStack platform, responsible for managing OpenStack services and access permissions.
demo: routine (non-administrative) tasks should use an unprivileged project and user, so a demo project and a demo user are created. Besides admin and demo, OpenStack also creates a corresponding User for the nova, cinder, glance and neutron services. admin can manage these Users as well.
Authentication is the process by which Keystone verifies a User's identity. When accessing OpenStack, the User submits Credentials (a username and password) to Keystone; once they are validated, Keystone issues the User a Token that serves as the Credential for all subsequent access.
(2) A Service verifies the validity of a Token through Keystone.
(3) The default lifetime of a Token is 24 hours.
(2) In the OpenStack UI and documentation the terms Tenant / Project / Account are used interchangeably, but in the long run Project is the preferred term.
(3) Every User (including admin) must be attached to a Project in order to access that Project's resources. A User can belong to more than one Project.
(4) admin is equivalent to the root user and has the highest privileges.
Horizon manages Projects under Identity->Projects.
Use Manage Members to add a User to a Project.
OpenStack Services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron) and others. Each Service provides several Endpoints, and Users access resources and perform operations through those Endpoints.
An Endpoint is a network-accessible address, usually a URL. A Service exposes its API through its Endpoints. Keystone is responsible for managing and maintaining the Endpoints of every Service.
The Endpoints can be viewed with the following commands.
source /root/openrc admin admin
openstack catalog list
1. The Service decides what each Role is allowed to do. Each Service controls access per Role through its own policy.json file. Below is an example from the Nova service's /etc/nova/policy.json:
The configuration above means: a User with any Role may perform the create, attach_network and attach_volume operations, but only a User with the admin Role may perform the forced_host operation.
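To make the policy.json semantics concrete, here is an added example (not code from the original post and not Nova's own implementation) that loads a small policy file in that style and evaluates it against a caller's credentials. The sample policy and the credential dictionaries are constructed for this example; the rule grammar ("" always allows, "role:x", "is_admin:True", "rule:name", "or" / "and" joins) mirrors the behaviour described above, with unknown actions denied by default.

```python
import json

# Constructed sample policy in the policy.json style described in the text.
# The operation names follow Nova's naming; the rules are illustrative and
# not copied from a real /etc/nova/policy.json.
SAMPLE_POLICY_JSON = """
{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:create": "",
    "compute:create:attach_network": "",
    "compute:create:attach_volume": "",
    "compute:create:forced_host": "is_admin:True",
    "compute:delete": "rule:admin_or_owner"
}
"""


def load_policy(text):
    """Parse policy.json text into a dict of action -> rule string."""
    return json.loads(text)


def _check_atom(atom, creds, target, rules):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    if atom == "":      # empty rule: always allowed
        return True
    if atom == "!":     # bang rule: never allowed
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":  # reference to another named rule
        return evaluate(rules, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    # Generic check: compare a credential field with a literal, or with a
    # %(field)s reference resolved against the target object.
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def _check_rule(rule, creds, target, rules):
    """'or' binds looser than 'and'; parentheses are not supported here."""
    for disjunct in rule.split(" or "):
        atoms = [a.strip() for a in disjunct.split(" and ")]
        if all(_check_atom(a, creds, target, rules) for a in atoms):
            return True
    return False


def evaluate(rules, action, creds, target=None):
    """Return True if the caller (creds) may perform action on target."""
    target = target or {}
    if action not in rules:
        return False  # unknown action: deny rather than fall through
    return _check_rule(rules[action], creds, target, rules)


if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY_JSON)
    # Constructed credentials for a plain user and an admin.
    user = {"roles": ["user"], "is_admin": False, "project_id": "demo-id"}
    admin = {"roles": ["admin"], "is_admin": True, "project_id": "admin-id"}
    for action in ("compute:create", "compute:create:forced_host"):
        print(action, "user:", evaluate(rules, action, user),
              "admin:", evaluate(rules, action, admin))
```

The default-deny for unknown actions is the part worth keeping in mind: the real oslo.policy library falls back to a "default" rule when one is defined, so a permissive default in a service's policy file silently widens every operation that has no explicit entry.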
3. The OpenStack system has two basic roles:
one is the administrator role, admin;
the other is the tenant role, _member_.
https://docs.openstack.org/ocata/install-guide-rdo/keystone-install.html#
1. Log in to the database as the root user
[root@ren3 ~]# mysql -u root -proot
2. Create the keystone database
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
3. Create the keystone user and grant it privileges
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user     | host      | password                                  |
+----------+-----------+-------------------------------------------+
| root     | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| root     | 127.0.0.1 | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| root     | ::1       | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
|          | localhost |                                           |
|          | ren3      |                                           |
| keystone | localhost | *442DFE587A8B6BE1E9538855E8187C1EFB863A73 |
| keystone | %         | *442DFE587A8B6BE1E9538855E8187C1EFB863A73 |
+----------+-----------+-------------------------------------------+
7 rows in set (0.00 sec)
Exit the database.
4. Install the keystone packages
[root@ren3 ~]# yum install openstack-keystone httpd mod_wsgi -y
5. Edit the /etc/keystone/keystone.conf file and complete the following steps:
(1) In the [database] section, configure database access:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@ren3/keystone
(2) In the [token] section, configure the Fernet token provider:
[token]
# ...
provider = fernet
The keystone configuration file looks like this:
[root@ren3 ~]# cd /etc/keystone/
[root@ren3 keystone]# ls
default_catalog.templates logging.conf
keystone.conf policy.json
keystone-paste.ini sso_callback_template.html
[root@ren3 keystone]# cp keystone.conf keystone.conf.bak
[root@ren3 keystone]# vim keystone.conf
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@ren3/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
6. Populate the database
Note: when the database was initialized, anonymous user login had to be allowed (answering Y to every prompt is enough).
[root@ren3 keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@ren3 keystone]# mysql -u keystone -pKEYSTONE_DBPASS
MariaDB [(none)]> use keystone;
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| user_option            |
| whitelisted_config     |
+------------------------+
38 rows in set (0.00 sec)
7. Initialize the Fernet key repositories
[root@ren3 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@ren3 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
8. Bootstrap the Identity service
[root@ren3 ~]# keystone-manage bootstrap --bootstrap-password admin --bootstrap-admin-url http://ren3:35357/v3/ \
--bootstrap-internal-url http://ren3:5000/v3/ \
--bootstrap-public-url http://ren3:5000/v3/ \
--bootstrap-region-id RegionOne
The Identity service administrator user is admin, with the password admin.
9. Configure the HTTP server (Apache serves Keystone through mod_wsgi)
(1) Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to reference the controller node:
[root@ren3 ~]# vim /etc/httpd/conf/httpd.conf
ServerName ren3
(2) Create a link to the /usr/share/keystone/wsgi-keystone.conf file
[root@ren3 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@ren3 ~]# cd /etc/httpd/conf.d/
[root@ren3 conf.d]# ls
autoindex.conf  README  userdir.conf  welcome.conf  wsgi-keystone.conf
10. Start the HTTP service
[root@ren3 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ren3 ~]# systemctl start httpd.service
[root@ren3 ~]# ss -tnl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    192.168.11.3:5672                *:*
LISTEN     0      128    *:25672                          *:*
LISTEN     0      128    192.168.11.3:3306                *:*
LISTEN     0      128    192.168.11.3:11211               *:*
LISTEN     0      128    127.0.0.1:11211                  *:*
LISTEN     0      128    *:4369                           *:*
LISTEN     0      128    *:22                             *:*
LISTEN     0      128    *:15672                          *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    :::5000                          :::*
LISTEN     0      128    ::1:11211                        :::*
LISTEN     0      128    :::80                            :::*
LISTEN     0      128    :::22                            :::*
LISTEN     0      100    ::1:25                           :::*
LISTEN     0      128    :::35357                         :::*
[root@ren3 ~]# firewall-cmd --list-ports
4369/tcp 5672/tcp 15672/tcp 25672/tcp 3306/tcp 11211/tcp
[root@ren3 ~]# firewall-cmd --add-port=80/tcp --permanent
success
[root@ren3 ~]# firewall-cmd --add-port=35357/tcp --permanent
success
[root@ren3 ~]# firewall-cmd --add-port=5000/tcp --permanent
success
[root@ren3 ~]# firewall-cmd --reload
success
11. Command-line login (configure the admin account)
[root@ren3 ~]# vim openrc
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ren3:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@ren3 ~]# source openrc   # load the environment variables (must be run in every new session)
The Identity service provides authentication for every OpenStack service. It works with a combination of domains, projects, users and roles.
1. Create the service project:
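As an added example (not code from the original post and not part of any OpenStack client), the following Python shows what the openrc variables above become on the wire: the Keystone v3 project-scoped password-auth request body, and how a client reads the service catalog out of the token response to find an Endpoint. The openrc values and the catalog are constructed samples; the catalog mirrors the three identity endpoints registered by the keystone-manage bootstrap command above. Only the standard library is used, and the live authenticate() call is the one function that needs a reachable Keystone.

```python
import json
import os
import urllib.request

# Constructed environment, mirroring the openrc variables (sample values).
SAMPLE_OPENRC = {
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "admin",
    "OS_PROJECT_NAME": "admin",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_AUTH_URL": "http://ren3:35357/v3",
}


def build_auth_request(env):
    """Build the Keystone v3 password-auth body, scoped to a project, from openrc-style variables."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Pick the URL of a service type / interface (and optionally region) from a v3 token catalog."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region and ep.get("region_id") != region:
                continue
            return ep["url"]
    return None  # no matching endpoint registered


def authenticate(env=None):
    """Live call (needs a reachable Keystone): POST /auth/tokens, return (token, catalog)."""
    env = env or os.environ
    body = json.dumps(build_auth_request(env)).encode()
    req = urllib.request.Request(
        env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        # Keystone returns the token itself in a response header, not in the body.
        token = resp.headers["X-Subject-Token"]
        catalog = json.load(resp)["token"].get("catalog", [])
    return token, catalog


# Constructed catalog in the shape Keystone returns after bootstrap
# (admin / internal / public endpoints of the identity service).
SAMPLE_CATALOG = [
    {
        "type": "identity",
        "name": "keystone",
        "endpoints": [
            {"interface": "admin", "region_id": "RegionOne", "url": "http://ren3:35357/v3/"},
            {"interface": "internal", "region_id": "RegionOne", "url": "http://ren3:5000/v3/"},
            {"interface": "public", "region_id": "RegionOne", "url": "http://ren3:5000/v3/"},
        ],
    }
]


if __name__ == "__main__":
    print(json.dumps(build_auth_request(SAMPLE_OPENRC), indent=2))
    print("admin endpoint:", find_endpoint(SAMPLE_CATALOG, "identity", "admin"))
```

The password travels in the request body, which is why OS_AUTH_URL should point at an HTTPS endpoint outside a lab; the token comes back in the X-Subject-Token header and is what every later request carries in X-Auth-Token.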
[root@ren3 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 6f13ef2920d4410b9bf142821db58dcd |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
[root@ren3 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 021baf9164dd4d6798eb4617292ecae3 | demo |
| 640da7a471524d35a3efca2692b9555a | admin |
| 6f13ef2920d4410b9bf142821db58dcd | service |
+----------------------------------+---------+
2. Create the demo project:
[root@ren3 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 021baf9164dd4d6798eb4617292ecae3 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
3. Create the demo user:
[root@ren3 ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | eaf9e30c66194b9db31c19adede0b281 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@ren3 ~]# openstack user delete demo
[root@ren3 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 372fccfd264c4edfb600af3f56052ec7 | admin |
+----------------------------------+-------+
[root@ren3 ~]# openstack user create --domain default --password=demo demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 37c7c00d574146e8817413b7a091f594 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@ren3 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 372fccfd264c4edfb600af3f56052ec7 | admin |
| 37c7c00d574146e8817413b7a091f594 | demo  |
+----------------------------------+-------+
4. Create the user role
[root@ren3 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 7f28e6008a5c40ddbfa13467838d66e0 |
| name      | user                             |
+-----------+----------------------------------+
[root@ren3 ~]# openstack role list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 2b150d8548084ea0b25a256b796652ce | admin    |
| 7f28e6008a5c40ddbfa13467838d66e0 | user     |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
+----------------------------------+----------+
5. Add the user role to the demo user in the demo project:
[root@ren3 ~]# openstack role add --project demo --user demo user
Cloud computing, OpenStack core components: the keystone identity service (5)
Original: https://www.cnblogs.com/renyz/p/11656638.html