Keystone
概述
The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and a catalog of services.
The Identity service is typically the first service a user interacts with. Once authenticated, an end user can use their identity to access other OpenStack services. Likewise, other OpenStack services leverage the Identity service to ensure users are who they say they are and discover where other services are within the deployment. The Identity service can also integrate with some external user management systems (such as LDAP).
Users and services can locate other services by using the service catalog, which is managed by the Identity service. As the name implies, a service catalog is a collection of available services in an OpenStack deployment. Each service can have one or many endpoints and each endpoint can be one of three types: admin, internal, or public. In a production environment, different endpoint types might reside on separate networks exposed to different types of users for security reasons. For instance, the public API network might be visible from the Internet so customers can manage their clouds. The admin API network might be restricted to operators within the organization that manages cloud infrastructure. The internal API network might be restricted to the hosts that contain OpenStack services. Also, OpenStack supports multiple regions for scalability. For simplicity, this guide uses the management network for all endpoint types and the default RegionOne region. Together, regions, services, and endpoints created within the Identity service comprise the service catalog for a deployment. Each OpenStack service in your deployment needs a service entry with corresponding endpoints stored in the Identity service. This can all be done after the Identity service has been installed and configured.
The Identity service contains these components:
Server
A centralized server provides authentication and authorization services using a RESTful interface.
Drivers
Drivers or a service back end are integrated to the centralized server. They are used for accessing identity information in repositories external to OpenStack, and may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
Modules
Middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface.
安装和配置
创建 数据库
1、使用root身份连接数据库
[root@controller ~]# mysql -u root -p0000002、创建keystone数据库
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)3、授予 keystone用户 对 keystone数据库 所有权限
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)> Tip:
> 删除数据库用户
MariaDB [(none)]> drop user keystonee@'%';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> drop user keystone@'localhost';
Query OK, 0 rows affected (0.00 sec)安装 和 配置组件
1、安装软件包
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi2、配置 keystone.conf
> Tips:
> 去除空行,注释并备份原文件
[root@localhost ~]# sed -i.bak '/^$/d;/^#/d' xxx.conf[root@controller ~]# sed -i.bak '/^$/d;/^#/d' /etc/keystone/keystone.conf
[root@controller ~]# vim /etc/keystone/keystone.conf
[database]
# 配置数据库访问
connection = mysql+pymysql://keystone:000000@controller/keystone
[token]
# 配置 Fernet 令牌提供程序
provider = fernet3、同步 keystone 数据库
root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone4、初始化 Fernet 密钥存储库
[root@controller ~]# keystone-manage fernet_setup \
--keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup \
--keystone-user keystone --keystone-group keystone5、引导认证服务
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne配置 Apache Http 服务器
1、编辑 httpd.conf,配置 ServerName 选项
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller2、创建 wsgi-keystone.conf 链接
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/完成安装
1、启动 http 服务,并设置开机自启
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service2、配置管理账户
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3创建 域、项目、用户、角色
1、创建 service 项目
[root@controller ~]# openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 4dd5063ebfc344a0a12734082438fbe0 |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+2、创建 普通项目和用户(例如 demo)
- 创建 demo 项目
[root@controller ~]# openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 4f74b708452249e583684682e8254872 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+- 创建 demo 用户
[root@controller ~]# openstack user create --domain default --password 000000 demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 9da7d8fa3eaf414bad4e2bcbabb60494 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+- 创建 user 角色
[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 1d30cc80e2eb450193340e8fff44b094 |
| name | user |
+-----------+----------------------------------+- 设置 demo 项目 中的 demo用户 角色为 user
[root@controller ~]# openstack role add --project demo --user demo user验证
1、取消 临时变量 OS_AUTH_URL OS_PASSWORD
unset OS_AUTH_URL OS_PASSWORD2、测试 admin用户获取 token
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+---------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------+
| expires | 2022-07-13T04:15:29+0000 |
| id | gAAAAABizjjRJyEcHq4dPJMFZMjTCOaVFwOX4sumi1ZsKVgvWfxIPtyaRenrX |
| LPKPW1L4nLjeAff1kN2Oa9eTgleTj8TOeoSln9hUUZByEqSlNJFaZC_DUgT5gW|
| AjlXHbUH_6r9IiGRcJBGJTAEU5sEmrW2M_sBAnIXQZ5Tn2n_MY_KWO68lpi8 |
| project_id | cecafb35ed3649819247ea27a77871aa |
| user_id | 6ba1420ce7764421afa3da461b2f47a1 |
+------------+---------------------------------------------------------------+3、测试 demo用户获取 token
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+---------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------|
| expires | 2022-07-13T04:21:47+0000 |
| id | gAAAAABizjpLC8BxxoXOGYJah3VU8xMD8aYQm86RjhAOyKI3zAzuc6wMR3v8Hj|
| Atk1n3RIGuNmFWEZSPKQH-zYGAS4ZEzQzvUTAQxeNm4eOG3bLF2iqXc7F1cYIL|
| q6gVKkfGK2avDi7APIoxCFy2F_XtxNlqWMNrxfOyGXpB81rKDBjpEsLMMI |
| project_id | 4f74b708452249e583684682e8254872 |
| user_id | 9da7d8fa3eaf414bad4e2bcbabb60494 |
+------------+---------------------------------------------------------------+创建 OpenStack客户端变量 脚本
创建 脚本
1、创建 admin-openrc
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=22、创建 demo-openrc
[root@controller ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2使用 脚本
1、加载 变量
[root@controller ~]# . admin-openrc
or
[root@controller ~]# source admin-openrc2、获取 token
[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------+
| expires | 2022-07-13T04:28:33+0000 |
| id | gAAAAABizjjRJyEcHq4dPJMFZMjTCOaVFwOX4sumi1ZsKVgvWfxIPtyaRenrX |
| LPKPW1L4nLjeAff1kN2Oa9eTgleTj8TOeoSln9hUUZByEqSlNJFaZC_DUgT5gW|
| AjlXHbUH_6r9IiGRcJBGJTAEU5sEmrW2M_sBAnIXQZ5Tn2n_MY_KWO68lpi8 |
| project_id | cecafb35ed3649819247ea27a77871aa |
| user_id | 6ba1420ce7764421afa3da461b2f47a1 |
+------------+---------------------------------------------------------------+3、取消变量
# 退出 bash
[root@controller ~]# exit
评论