Reference (official documentation): https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone.html
I. Introduction to the Keystone identity service
Keystone's main functions: authentication management, authorization management and the service catalog.
Authentication: this can be understood as account management; every OpenStack user is registered in Keystone.
Authorization: glance, nova, neutron, cinder and the other services all use Keystone's account management, much like many websites today support logging in with a QQ/WeChat account.
Service catalog: every service that is added must be registered in Keystone. Through Keystone a user can find out which services exist and what each service's URL is, and can then access those services directly.
II. Installation and configuration
1. Prerequisites
Before configuring the OpenStack Identity service, you must create a database and an admin token.
1) Connect to the database server as the root user with the database client
[root@controller ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
2) Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)
3) Grant the appropriate privileges on the ``keystone`` database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
4) Generate a random value to use as the admin token in the initial configuration
[root@controller ~]# openssl rand -hex 10
66631fbefdf1c7a9c36b
2. Configure the components
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports, so this guide disables the keystone service manually.
1) Run the following command to install the packages
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
2) Edit the keystone configuration file /etc/keystone/keystone.conf
In the ``[DEFAULT]`` section, define the value of the initial admin token (replace ``ADMIN_TOKEN`` with the random value generated in the previous step)
In the [database] section, configure database access (replace ``KEYSTONE_DBPASS`` with the password you chose for the database)
In the ``[token]`` section, configure the Fernet token provider
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
[root@controller ~]# vim /etc/keystone/keystone.conf
[root@controller ~]# cat /etc/keystone/keystone.conf
[DEFAULT]
# the random value generated earlier, used as the admin token in the initial configuration
# (oslo.config does not support inline comments, so comments go on their own lines)
admin_token = 66631fbefdf1c7a9c36b
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
# database access
connection = mysql+pymysql://keystone:123456@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
# Fernet token provider
provider = fernet
[tokenless_auth]
[trust]
3) Automated configuration
The configuration above was changed by hand in vim. Next, the same parameters are set with a tool.
a. Install the automated configuration tool
[root@controller ~]# yum install openstack-utils -y
b. Set the parameters
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak01}
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token 66631fbefdf1c7a9c36b
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:123456@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller ~]# cat /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 66631fbefdf1c7a9c36b
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]
The MD5 checksum of the configuration file matches that of the manually edited file, which shows that the automated configuration produced the same result
[root@controller ~]# md5sum /etc/keystone//keystone.conf
c36f6b2c31cf61b66e43754516b0d57d  /etc/keystone//keystone.conf
[root@controller ~]# md5sum /etc/keystone//keystone.conf.bak01
c36f6b2c31cf61b66e43754516b0d57d  /etc/keystone//keystone.conf.bak01
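As an added check (not from the original post), here is a Python helper that reads keystone.conf the way oslo.config does and compares two files by their effective settings, which the md5sum comparison above cannot do once comments or blank lines differ; it also reports whether the bootstrap admin_token is still present, since that shared secret is only needed until the catalog, projects and admin user are created. The sample file contents are constructed from this page's own values.

```python
import configparser
import re

# Constructed samples: the settings this page puts in keystone.conf, once edited by hand
# (with a comment) and once written by openstack-config; the values are the page's examples.
MANUAL_CONF = """
[DEFAULT]
# random value used as the admin token in the initial configuration
admin_token = 66631fbefdf1c7a9c36b
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
"""
TOOL_CONF = """
[DEFAULT]
admin_token = 66631fbefdf1c7a9c36b
[assignment]
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
"""
DB_URL = re.compile(r"^(?P<driver>[^:]+)://(?P<user>[^:/@]+):(?P<pw>[^@]*)@(?P<host>[^/]+)/(?P<db>[^?]+)")

def effective_settings(text):
    """{(section, key): value}; comments, blank lines and empty sections do not count.
    [DEFAULT] is read as an ordinary section so its keys are not copied into the others."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.optionxform = str  # oslo.config option names are case-sensitive
    cp.read_string(text)
    return {(s, k): v for s in cp.sections() for k, v in cp.items(s)}

def same_settings(text_a, text_b):
    """True when two files configure keystone identically, even where md5sum differs
    because of comments or whitespace."""
    return effective_settings(text_a) == effective_settings(text_b)

def audit_keystone_conf(text):
    """Check the settings this guide relies on without echoing secrets."""
    s = effective_settings(text)
    token = s.get(("DEFAULT", "admin_token"))
    conn = s.get(("database", "connection"), "")
    m = DB_URL.match(conn)
    return {
        "token_provider": s.get(("token", "provider")),
        # the bootstrap token is a shared secret: expect it only until the
        # service catalog, projects and admin user have been created
        "bootstrap_token_present": token is not None,
        "bootstrap_token_ok": bool(token and re.fullmatch(r"[0-9a-f]{20}", token)),
        "db_user": m.group("user") if m else None,
        # never log the raw connection string: it embeds the DB password
        "db_connection_redacted": re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", conn),
    }
```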
4) Populate the Identity service database
Run keystone-manage db_sync as the keystone user
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# mysql -uroot -p123456 keystone -e "show tables"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
Sync succeeded!
5) Initialize the Fernet keys
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# ll /etc/keystone/
total 104
-rw-r----- 1 root     keystone  2303 Feb  1  2017 default_catalog.templates
drwx------ 2 keystone keystone    24 Nov 13 17:21 fernet-keys
-rw-r----- 1 root     keystone   661 Nov 13 17:05 keystone.conf
-rw-r----- 1 root     root     73101 Nov 13 17:00 keystone.conf.bak
-rw-r----- 1 root     keystone  2400 Feb  1  2017 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Feb  1  2017 logging.conf
-rw-r----- 1 keystone keystone  9699 Feb  1  2017 policy.json
-rw-r----- 1 keystone keystone   665 Feb  1  2017 sso_callback_template.html
3. Configure the Apache HTTP server
1) Edit the ``/etc/httpd/conf/httpd.conf`` file and set the ``ServerName`` option to the controller node
[root@controller ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
[root@controller ~]# grep ServerName /etc/httpd/conf/httpd.conf
# ServerName gives the name and port that the server uses to identify itself.
ServerName controller
2) Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the following content
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
3) Start the Apache HTTP service and configure it to start at boot
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-11-13 17:47:53 CST; 2min 27s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 84628 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─84628 /usr/sbin/httpd -DFOREGROUND
           ├─84629 (wsgi:keystone- -DFOREGROUND
           ├─84630 (wsgi:keystone- -DFOREGROUND
           ├─84631 (wsgi:keystone- -DFOREGROUND
           ├─84632 (wsgi:keystone- -DFOREGROUND
           ├─84633 (wsgi:keystone- -DFOREGROUND
           ├─84634 (wsgi:keystone- -DFOREGROUND
           ├─84635 (wsgi:keystone- -DFOREGROUND
           ├─84654 (wsgi:keystone- -DFOREGROUND
           ├─84655 (wsgi:keystone- -DFOREGROUND
           ├─84656 (wsgi:keystone- -DFOREGROUND
           ├─84663 /usr/sbin/httpd -DFOREGROUND
           ├─84664 /usr/sbin/httpd -DFOREGROUND
           ├─84665 /usr/sbin/httpd -DFOREGROUND
           ├─84666 /usr/sbin/httpd -DFOREGROUND
           └─84673 /usr/sbin/httpd -DFOREGROUND

Nov 13 17:47:52 controller systemd[1]: Starting The Apache HTTP Server...
Nov 13 17:47:53 controller systemd[1]: Started The Apache HTTP Server.
[root@controller ~]# netstat -lntup |grep 80
tcp6       0      0 :::80                   :::*                    LISTEN      84628/httpd
III. Create the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service that you add to the OpenStack environment requires a service entity and several API endpoints in the catalog.
By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use the temporary authentication token created in the keystone-install section to initialize the service entity and API endpoints for the Identity service.
Pass the value of the authentication token to the openstack command with the ``--os-token`` parameter. Similarly, pass the URL of the Identity service to the openstack command with the ``--os-url`` parameter, or set the OS_URL environment variable. This section uses environment variables to shorten the command lines.
1) Prerequisites
a. Configure the authentication token (the same value that was set under [DEFAULT] earlier)
[root@controller ~]# export OS_TOKEN=66631fbefdf1c7a9c36b
b. Configure the endpoint URL
[root@controller ~]# export OS_URL=http://controller:35357/v3
c. Configure the Identity API version
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
2) Create the service entity and API endpoints
In the OpenStack environment, the Identity service manages the service catalog. Services use this catalog to determine which services are available in your environment.
a. Create the service entity for the Identity service
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 103d673e61a0453fb454225acad795bb |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Note: OpenStack generates IDs dynamically
The Identity service manages a catalog of API endpoints associated with the environment. Services use this catalog to determine how to communicate with the other services in the environment.
OpenStack uses three API endpoint variants for each service: admin, internal and public.
By default, the admin API endpoint allows modifying users and tenants, whereas the public and internal APIs do not allow these operations.
In a production environment, for security reasons the variants may reside on separate networks that serve different types of users. For example, the public API network may be visible on the Internet so that customers can manage their own clouds. The admin API network may be restricted to operators within the organization that manages the cloud infrastructure. The internal API network may be restricted to the hosts that contain OpenStack services. Additionally, OpenStack supports multiple regions for scalability. For simplicity, this section uses the management network for all endpoint variants and the default ``RegionOne`` region.
b. Create the Identity service API endpoints
public is the API interface that everyone can use
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ebf67be3ecb84f4bbac1b5be03edaa55 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
internal is the API interface used internally
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | e3fa3b805f2b4020b3dc70b0e6aa398e |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
admin is the API interface used by administrators
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0f6a4aa5dd5a4010a561dda18181b6f6 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+
Note: each service that you add to the OpenStack environment requires one or more service entities and three API endpoint variants in the Identity service
3) Create a domain, projects, users and roles
The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users and roles.
a. Create the ``default`` domain:
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d9ffe8683c84401cbad69ac5a73482a8 |
| name        | default                          |
+-------------+----------------------------------+
b. Create the admin project
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled     | True                             |
| id          | b5eb87802cca4ada8f71be3483cd959c |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | d9ffe8683c84401cbad69ac5a73482a8 |
+-------------+----------------------------------+
c. Create the admin user
[root@controller ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled   | True                             |
| id        | ee577a2e6d734b9eb3eb3bb26273b2ee |
| name      | admin                            |
+-----------+----------------------------------+
d. Create the admin role
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 119032620c0d42c195d81de366f4341f |
| name      | admin                            |
+-----------+----------------------------------+
e. Add the ``admin`` role to the admin project and user
[root@controller ~]# openstack role add --project admin --user admin admin
Note: any role you create must be mapped in the ``policy.json`` file in the configuration directory of each OpenStack service. The default policy grants the "admin" role administrative access to most services
f. Create the ``service`` project
Each service has its own user, and the service project holds those users. The service project is created so that the nova, glance and other service users all belong to one project; they will be placed in the service project later.
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled     | True                             |
| id          | f32b6a252dfd4e30842393143da57bcf |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | d9ffe8683c84401cbad69ac5a73482a8 |
+-------------+----------------------------------+
4) Verify Keystone
The environment variables set earlier are temporary and are lost when the shell exits. While they are set, the openstack command can be used directly; after exiting the shell, the command no longer works.
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ee577a2e6d734b9eb3eb3bb26273b2ee | admin |
+----------------------------------+-------+
[root@controller ~]# exit   # exit the shell
logout
Connection closing...Socket close.

Connection closed by foreign host.

Disconnected from remote host(10.0.0.11) at 22:16:24.

Type `help' to learn how to use Xshell prompt.
[C:\~]$

Connecting to 10.0.0.11:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Fri Nov 13 21:38:33 2020 from 10.0.0.253
[root@controller ~]# openstack user list
Missing parameter(s):
Set a username with --os-username, OS_USERNAME, or auth.username
Set an authentication URL, with --os-auth-url, OS_AUTH_URL or auth.auth_url
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-11-13T15:18:36.000000Z                                                                                             |
| id         | gAAAAABfrpW8xQq1KNa-DxMgoc_TOY-a9sdolL-_IICLXeHLzuqGX9W7gdgDppb37hZeNicdp2VC2LDt_WV1OtEZniVg-Dryqf33tquGEpcgeHN1RbYZu- |
|            | WL0HXCsa9ZscoaqpZpgaMVu1IVNgvX6_kih01BtFu69q-e5VbpcN9-S4Bh-pOwbfI                                                       |
| project_id | b5eb87802cca4ada8f71be3483cd959c                                                                                        |
| user_id    | ee577a2e6d734b9eb3eb3bb26273b2ee                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------+
5) Create a Keystone environment variable script
Earlier, a combination of environment variables and command options was used to interact with the Identity service through the ``openstack`` client. To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files.
[root@controller ~]# cat>> admin-openrc << EOF
> export OS_PROJECT_DOMAIN_NAME=default
> export OS_USER_DOMAIN_NAME=default
> export OS_PROJECT_NAME=admin
> export OS_USERNAME=admin
> export OS_PASSWORD=123456
> export OS_AUTH_URL=http://controller:35357/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> EOF
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source admin-openrc
# Verify
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ee577a2e6d734b9eb3eb3bb26273b2ee | admin |
+----------------------------------+-------+
[root@controller ~]# openstack token issue
+------------+-------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-11-13T15:27:44.000000Z                                                                                             |
| id         | gAAAAABfrpfgEMPjiEZl6pRtX_QOS80cX4Mpj-JGCwlcDfT13EhyQAhiqeET2N2eUTae1gMfQhukUInyFv5CVfq_35jWj13oaSKdl-                 |
|            | pBPgfCah_EDvChjY6obibm91IQ_EKH3wBa2lABgQ-PI3FPOaUgkj6FOZZ5t2ePVOgFKDvOAVMO8z9-Yiw                                       |
| project_id | b5eb87802cca4ada8f71be3483cd959c                                                                                        |
| user_id    | ee577a2e6d734b9eb3eb3bb26273b2ee                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#
Note: if a token can be obtained, Keystone is installed correctly
Source: https://www.cnblogs.com/jiawei2527/p/13969837.html
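As an added example (not from the original post), here is the HTTP exchange that the openstack client performs for token issue with the admin-openrc variables above: the v3 password-scoped request body, the reply whose token travels in the X-Subject-Token header, and a lookup of the public/internal/admin endpoint variants registered earlier from the returned catalog. The reply is constructed from this page's values with a placeholder token id.

```python
import json

# Constructed: the same variables the admin-openrc script above exports
# (the password is the page's example value, not a real credential).
OPENRC = {
    "OS_AUTH_URL": "http://controller:35357/v3",
    "OS_USER_DOMAIN_NAME": "default", "OS_USERNAME": "admin", "OS_PASSWORD": "123456",
    "OS_PROJECT_DOMAIN_NAME": "default", "OS_PROJECT_NAME": "admin",
}

def build_token_request(env):
    """The request behind 'openstack token issue': POST {OS_AUTH_URL}/auth/tokens
    with a v3 password authentication scoped to the project named in the env."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}}},
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body

# Constructed reply modelled on the 'token issue' output and the three identity
# endpoints registered above; the token id itself is a placeholder.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-placeholder-fernet-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2020-11-13T15:27:44.000000Z",
    "project": {"id": "b5eb87802cca4ada8f71be3483cd959c"},
    "user": {"id": "ee577a2e6d734b9eb3eb3bb26273b2ee"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region_id": "RegionOne", "url": "http://controller:5000/v3"},
        {"interface": "internal", "region_id": "RegionOne", "url": "http://controller:5000/v3"},
        {"interface": "admin", "region_id": "RegionOne", "url": "http://controller:35357/v3"}]}]}})

def parse_token_response(status, headers, body):
    """Return the same fields 'token issue' prints. The token is carried in the
    X-Subject-Token header, not in the JSON body, so a client must read both."""
    if status != 201:
        raise PermissionError("Keystone refused the credentials: HTTP %d" % status)
    tok = json.loads(body)["token"]
    return {"id": headers["X-Subject-Token"], "expires": tok["expires_at"],
            "project_id": tok["project"]["id"], "user_id": tok["user"]["id"],
            "catalog": tok.get("catalog", [])}

def endpoint_url(catalog, service_type, interface="public", region="RegionOne"):
    """Pick the endpoint variant a client should talk to: a service on the
    management network asks for 'internal', an operator tool for 'admin'."""
    for svc in catalog:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and ep["region_id"] == region:
                return ep["url"]
    raise LookupError("no %s endpoint (%s, %s) in catalog" % (service_type, interface, region))
```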