Installing the Keystone identity service
Reference, official documentation: https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone.html
I. Introduction to the Keystone identity service
Keystone's main functions: authentication management, authorization management and the service catalogue.
Authentication: this can be understood as account management; every user in OpenStack is registered in Keystone.
Authorization: glance, nova, neutron, cinder and the other services all use Keystone's account management, in the same way that many websites today support logging in with a QQ/WeChat account.
Service catalogue: every service that is added must be registered in Keystone. Through Keystone a user can find out which services exist and what URL each service is reachable at, and can then access those services directly.
II. Installation and configuration
1. Prerequisites
Before configuring the OpenStack Identity service, you must create a database and an admin token.
1) Connect to the database server as root with the database client
[root@controller ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
2) Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)
3) Grant the proper privileges on the ``keystone`` database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
4) Generate a random value to use as the admin token in the initial configuration
[root@controller ~]# openssl rand -hex 10
66631fbefdf1c7a9c36b
2. Configure the components
This tutorial serves Identity service requests with the Apache HTTP server and ``mod_wsgi`` on ports 5000 and 35357. By default the keystone service itself still listens on these ports, so this tutorial disables the keystone service manually.
1) Run the following command to install the packages
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
2) Edit the keystone configuration file /etc/keystone/keystone.conf
In the ``[DEFAULT]`` section, define the value of the initial admin token (replace ``ADMIN_TOKEN`` with the random value generated in the previous step).
In the [database] section, configure database access (replace ``KEYSTONE_DBPASS`` with the password you chose for the database).
In the ``[token]`` section, configure the Fernet UUID token provider.
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
[root@controller ~]# vim /etc/keystone/keystone.conf
[root@controller ~]# cat /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 66631fbefdf1c7a9c36b    # the random value generated earlier, used as the admin token in the initial configuration
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone    # database access
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet    # the Fernet UUID token provider
[tokenless_auth]
[trust]
3) Automated configuration
The changes above were made by hand in vim. Next, set the same parameters automatically.
a. Install the automated configuration tool
[root@controller ~]# yum install openstack-utils -y
b. Set the parameters
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak01}
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token 66631fbefdf1c7a9c36b
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:123456@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller ~]# cat /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 66631fbefdf1c7a9c36b
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]
The MD5 checksum of the configuration file matches that of the manually edited copy, which shows the automated configuration produced the same result.
[root@controller ~]# md5sum /etc/keystone//keystone.conf
c36f6b2c31cf61b66e43754516b0d57d  /etc/keystone//keystone.conf
[root@controller ~]# md5sum /etc/keystone//keystone.conf.bak01
c36f6b2c31cf61b66e43754516b0d57d  /etc/keystone//keystone.conf.bak01
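As an added check (not code from the original post or from Keystone), the POSIX shell script below reads a keystone.conf and confirms that the three settings edited in this section are present and that the install-guide placeholders ``ADMIN_TOKEN`` and ``KEYSTONE_DBPASS`` were really replaced. The function names ini_get and check_keystone_conf are chosen for this example, and the two configuration files it writes are constructed samples, not the files from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three
# keystone.conf settings edited in this section.
#   [DEFAULT] admin_token  - must be set and not the ADMIN_TOKEN placeholder
#   [database] connection  - must be set and not contain KEYSTONE_DBPASS
#   [token] provider       - must be fernet
# ini_get and check_keystone_conf are names chosen for this example.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^\[/ { in_sect = ($0 == ("[" sect "]")); next }
        in_sect && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# check_keystone_conf FILE: print one line per setting, return 1 on any failure
check_keystone_conf() {
    conf="$1"; rc=0
    token=$(ini_get "$conf" DEFAULT admin_token)
    conn=$(ini_get "$conf" database connection)
    prov=$(ini_get "$conf" token provider)

    case "$token" in
        ""|ADMIN_TOKEN) echo "FAIL: [DEFAULT] admin_token missing or still the ADMIN_TOKEN placeholder"; rc=1 ;;
        *)              echo "ok:   [DEFAULT] admin_token is set" ;;
    esac
    case "$conn" in
        "")                echo "FAIL: [database] connection missing"; rc=1 ;;
        *KEYSTONE_DBPASS*) echo "FAIL: [database] connection still contains the KEYSTONE_DBPASS placeholder"; rc=1 ;;
        mysql+pymysql://*) echo "ok:   [database] connection uses the pymysql driver" ;;
        *)                 echo "FAIL: [database] connection has an unexpected form: $conn"; rc=1 ;;
    esac
    if [ "$prov" = "fernet" ]; then
        echo "ok:   [token] provider = fernet"
    else
        echo "FAIL: [token] provider is '${prov:-unset}', expected fernet"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the files from the post): one completed config
# in the shape produced by the openstack-config commands above, one still
# carrying the install-guide placeholders.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[DEFAULT]
admin_token = 66631fbefdf1c7a9c36b
[assignment]
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
[trust]
EOF
cat > "$BAD_CONF" <<'EOF'
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
EOF

check_keystone_conf "$GOOD_CONF"
check_keystone_conf "$BAD_CONF" || echo "placeholder config rejected, as expected"
```

Keep in mind that admin_token is a shared bootstrap secret: whoever presents it with ``--os-token`` gets administrative access without a password. The upstream Mitaka install guide therefore removes the admin_token_auth filter from the pipelines in /etc/keystone/keystone-paste.ini in its verification step, once the admin user and the OpenRC file exist; this post does not include that step.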
4) Populate the Identity service database
Run keystone-manage db_sync as the keystone user
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# mysql -uroot -p123456 keystone -e "show tables"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
Sync succeeded!
5) Initialize the Fernet keys
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# ll /etc/keystone/
total 104
-rw-r----- 1 root     keystone  2303 Feb  1  2017 default_catalog.templates
drwx------ 2 keystone keystone    24 Nov 13 17:21 fernet-keys
-rw-r----- 1 root     keystone   661 Nov 13 17:05 keystone.conf
-rw-r----- 1 root     root     73101 Nov 13 17:00 keystone.conf.bak
-rw-r----- 1 root     keystone  2400 Feb  1  2017 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Feb  1  2017 logging.conf
-rw-r----- 1 keystone keystone  9699 Feb  1  2017 policy.json
-rw-r----- 1 keystone keystone   665 Feb  1  2017 sso_callback_template.html
3. Configure the Apache HTTP server
1) Edit the ``/etc/httpd/conf/httpd.conf`` file and set the ``ServerName`` option to the controller node
[root@controller ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
[root@controller ~]# grep ServerName /etc/httpd/conf/httpd.conf
# ServerName gives the name and port that the server uses to identify itself.
ServerName controller
2) Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the following content
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
3) Start the Apache HTTP service and configure it to start at boot
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-11-13 17:47:53 CST; 2min 27s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 84628 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─84628 /usr/sbin/httpd -DFOREGROUND
           ├─84629 (wsgi:keystone- -DFOREGROUND
           ├─84630 (wsgi:keystone- -DFOREGROUND
           ├─84631 (wsgi:keystone- -DFOREGROUND
           ├─84632 (wsgi:keystone- -DFOREGROUND
           ├─84633 (wsgi:keystone- -DFOREGROUND
           ├─84634 (wsgi:keystone- -DFOREGROUND
           ├─84635 (wsgi:keystone- -DFOREGROUND
           ├─84654 (wsgi:keystone- -DFOREGROUND
           ├─84655 (wsgi:keystone- -DFOREGROUND
           ├─84656 (wsgi:keystone- -DFOREGROUND
           ├─84663 /usr/sbin/httpd -DFOREGROUND
           ├─84664 /usr/sbin/httpd -DFOREGROUND
           ├─84665 /usr/sbin/httpd -DFOREGROUND
           ├─84666 /usr/sbin/httpd -DFOREGROUND
           └─84673 /usr/sbin/httpd -DFOREGROUND

Nov 13 17:47:52 controller systemd[1]: Starting The Apache HTTP Server...
Nov 13 17:47:53 controller systemd[1]: Started The Apache HTTP Server.
[root@controller ~]# netstat -lntup |grep 80
tcp6       0      0 :::80                   :::*                    LISTEN      84628/httpd
4. Create the service entity and API endpoints
The Identity service provides a catalogue of services and their locations. Each service that you add to the OpenStack environment requires a service entity and several API endpoints in the catalogue.
By default, the Identity service database contains no information to support conventional authentication and catalogue services. You must use the temporary authentication token created for the Identity service in the keystone-install section to initialize the service entity and API endpoints.
Pass the value of the authentication token to the openstack command with the ``--os-token`` parameter. Similarly, pass the URL of the Identity service to the openstack command with the ``--os-url`` parameter, or set the OS_URL environment variable. This section uses environment variables to shorten the command lines.
1) Prerequisites
a. Configure the authentication token (the same value configured under [DEFAULT] earlier)
[root@controller ~]# export OS_TOKEN=66631fbefdf1c7a9c36b
b. Configure the endpoint URL
[root@controller ~]# export OS_URL=http://controller:35357/v3
c. Configure the Identity API version
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
2) Create the service entity and API endpoints
In the OpenStack environment, the Identity service manages the service catalogue. Services use this catalogue to determine which other services are available in your environment.
a. Create the service entity for the Identity service
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 103d673e61a0453fb454225acad795bb |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Note: OpenStack generates IDs dynamically.
The Identity service manages a catalogue of API endpoints associated with the environment. Services use this catalogue to determine how to communicate with the other services in the environment.
OpenStack uses three API endpoint variants for each service: admin, internal and public.
By default, the admin API endpoint allows modifying users and tenants, while the public and internal APIs do not allow these operations.
In a production environment, the variants may reside on separate networks that serve different types of users, for security reasons. For instance, the public API network might be visible from the Internet so that customers can manage their own clouds. The admin API network might be restricted to operators within the organization that manages the cloud infrastructure. The internal API network might be restricted to the hosts that contain OpenStack services. In addition, OpenStack supports multiple regions for scalability. For simplicity, this section uses the management network for all endpoint variants and the default ``RegionOne`` region.
b. Create the Identity service API endpoints
public is the API interface that everyone can use
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ebf67be3ecb84f4bbac1b5be03edaa55 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
internal is the API interface used internally
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | e3fa3b805f2b4020b3dc70b0e6aa398e |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
admin is the API interface used by administrators
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0f6a4aa5dd5a4010a561dda18181b6f6 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 103d673e61a0453fb454225acad795bb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+
Note: each service added to the OpenStack environment requires one or more service entities and the three API endpoint variants in the Identity service.
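As an added check (not code from the original post), the POSIX shell function below verifies that the identity service catalogue contains the three endpoint variants described above, laid out the way this section registers them: public and internal on port 5000, admin on port 35357, all on the same controller host. It assumes input in the shape of ``openstack endpoint list -f value -c Interface -c URL`` restricted to the identity service (one "INTERFACE URL" pair per line); the function name check_identity_endpoints and the two sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the identity service
# has the three endpoint variants (public, internal, admin) registered the way
# this section does it. check_identity_endpoints is a name chosen here.

# check_identity_endpoints FILE
# FILE holds one "INTERFACE URL" pair per line, the shape produced by
#   openstack endpoint list -f value -c Interface -c URL
# (restricted to the identity service). Returns 1 if anything is off.
check_identity_endpoints() {
    file="$1"; rc=0; hosts=""
    for iface in public internal admin; do
        url=$(awk -v i="$iface" '$1 == i { print $2; exit }' "$file")
        if [ -z "$url" ]; then
            echo "FAIL: no $iface endpoint registered"; rc=1; continue
        fi
        # strip scheme and path: http://controller:5000/v3 -> controller:5000
        hostport=${url#*://}; hostport=${hostport%%/*}
        host=${hostport%%:*}; port=${hostport##*:}
        if [ "$iface" = admin ]; then want=35357; else want=5000; fi
        if [ "$port" != "$want" ]; then
            echo "FAIL: $iface endpoint $url is on port $port, expected $want"; rc=1
        else
            echo "ok:   $iface -> $url"
        fi
        hosts="$hosts $host"
    done
    # all registered variants must point at the same controller host
    n=$(printf '%s\n' $hosts | sort -u | wc -l | tr -d ' ')
    if [ -n "$hosts" ] && [ "$n" -ne 1 ]; then
        echo "FAIL: endpoints point at different hosts:$hosts"; rc=1
    fi
    return $rc
}

# Constructed sample listings (not output captured from the post's environment).
GOOD_EP=$(mktemp); BAD_EP=$(mktemp)
trap 'rm -f "$GOOD_EP" "$BAD_EP"' EXIT
cat > "$GOOD_EP" <<'EOF'
public http://controller:5000/v3
internal http://controller:5000/v3
admin http://controller:35357/v3
EOF
# admin variant missing, and internal pointing at a different host
cat > "$BAD_EP" <<'EOF'
public http://controller:5000/v3
internal http://controller2:5000/v3
EOF

check_identity_endpoints "$GOOD_EP"
check_identity_endpoints "$BAD_EP" || echo "incomplete catalogue rejected, as expected"
```

A catalogue that fails this check is a common cause of the other services later failing to reach Keystone, since each of them picks the URL for its interface from this catalogue.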
3) Create a domain, projects, users and roles
The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users and roles.
a. Create the ``default`` domain:
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d9ffe8683c84401cbad69ac5a73482a8 |
| name        | default                          |
+-------------+----------------------------------+
b. Create the admin project
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled     | True                             |
| id          | b5eb87802cca4ada8f71be3483cd959c |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | d9ffe8683c84401cbad69ac5a73482a8 |
+-------------+----------------------------------+
c. Create the admin user
[root@controller ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled   | True                             |
| id        | ee577a2e6d734b9eb3eb3bb26273b2ee |
| name      | admin                            |
+-----------+----------------------------------+
d. Create the admin role
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 119032620c0d42c195d81de366f4341f |
| name | admin |
+-----------+----------------------------------+
e. Add the ``admin`` role to the admin project and user
[root@controller ~]# openstack role add --project admin --user admin admin
Note: any role you create must map to roles in the ``policy.json`` file in the configuration directory of each OpenStack service. The default policy grants the ``admin`` role administrative access to most services.
f. Create the ``service`` project
Each service has a user of its own in the service project. The service project is created so that the nova, glance, etc. service users all belong to one project; they will be placed in the service project later.
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled     | True                             |
| id          | f32b6a252dfd4e30842393143da57bcf |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | d9ffe8683c84401cbad69ac5a73482a8 |
+-------------+----------------------------------+
4) Verify Keystone
The environment variables set earlier are temporary and are lost when the shell exits. While they are set, openstack commands can be used directly; after leaving the shell, the same commands no longer work.
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ee577a2e6d734b9eb3eb3bb26273b2ee | admin |
+----------------------------------+-------+
[root@controller ~]# exit    # leave the shell
logout
Connection closed by foreign host.
Disconnected from remote host(10.0.0.11) at 22:16:24.

Connecting to 10.0.0.11:22...
Connection established.
Last login: Fri Nov 13 21:38:33 2020 from 10.0.0.253
[root@controller ~]# openstack user list
Missing parameter(s):
Set a username with --os-username, OS_USERNAME, or auth.username
Set an authentication URL, with --os-auth-url, OS_AUTH_URL or auth.auth_url
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-11-13T15:18:36.000000Z                                                                                             |
| id         | gAAAAABfrpW8xQq1KNa-DxMgoc_TOY-a9sdolL-_IICLXeHLzuqGX9W7gdgDppb37hZeNicdp2VC2LDt_WV1OtEZniVg-Dryqf33tquGEpcgeHN1RbYZu- |
|            | WL0HXCsa9ZscoaqpZpgaMVu1IVNgvX6_kih01BtFu69q-e5VbpcN9-S4Bh-pOwbfI                                                       |
| project_id | b5eb87802cca4ada8f71be3483cd959c                                                                                        |
| user_id    | ee577a2e6d734b9eb3eb3bb26273b2ee                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------+
5) Create a Keystone environment variable script
The previous sections used a combination of environment variables and command options to interact with the Identity service through the ``openstack`` client. To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files.
[root@controller ~]# cat >> admin-openrc << EOF
> export OS_PROJECT_DOMAIN_NAME=default
> export OS_USER_DOMAIN_NAME=default
> export OS_PROJECT_NAME=admin
> export OS_USERNAME=admin
> export OS_PASSWORD=123456
> export OS_AUTH_URL=http://controller:35357/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> EOF
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source admin-openrc
# Verify
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ee577a2e6d734b9eb3eb3bb26273b2ee | admin |
+----------------------------------+-------+
[root@controller ~]# openstack token issue
+------------+-------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-11-13T15:27:44.000000Z                                                                                             |
| id         | gAAAAABfrpfgEMPjiEZl6pRtX_QOS80cX4Mpj-JGCwlcDfT13EhyQAhiqeET2N2eUTae1gMfQhukUInyFv5CVfq_35jWj13oaSKdl-                  |
|            | pBPgfCah_EDvChjY6obibm91IQ_EKH3wBa2lABgQ-PI3FPOaUgkj6FOZZ5t2ePVOgFKDvOAVMO8z9-Yiw                                       |
| project_id | b5eb87802cca4ada8f71be3483cd959c                                                                                        |
| user_id    | ee577a2e6d734b9eb3eb3bb26273b2ee                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#
Note: if a token can be obtained, Keystone is installed and working.
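As an added example (not code from the original post), the POSIX shell script below covers two checks a practitioner would want at this point. First, it reads the token back whole from an ``openstack token issue`` table: as in the output above, the id value wraps onto a second row, and copying only the first row yields a truncated, unusable token; it also compares the expires timestamp with a given UTC time. Second, it checks that the admin-openrc file, which stores OS_PASSWORD in clear text, exports the variables the post sets and is not readable by other users. The function names table_get, token_valid_at and check_openrc are chosen for this example, and the sample table and OpenRC file are constructed (the table's id is a shortened copy of the post's).

```shell
#!/bin/sh
# Added example, not from the original post.
#  - table_get joins the wrapped "id" rows of an openstack table so the
#    token is read back whole.
#  - token_valid_at compares the "expires" field with a given UTC time;
#    ISO 8601 UTC timestamps in one format compare correctly as strings.
#  - check_openrc confirms the OpenRC file exports the expected variables
#    and, since it holds OS_PASSWORD in clear text, is not world-readable.
# All function names are chosen for this example; sample data is constructed.

# table_get FILE FIELD: value of FIELD from an openstack table, wrapped rows joined
table_get() {
    awk -F'|' -v want="$2" '
        /^\+/ { next }                        # skip border lines
        NF >= 3 {
            f = $2; v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", f)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (f != "")   { cur = f; val[cur] = v }       # new field
            else if (cur)  { val[cur] = val[cur] v }       # continuation row
        }
        END { if (want in val) print val[want] }
    ' "$1"
}

# token_valid_at FILE NOW_UTC: 0 if the token in FILE expires after NOW_UTC
token_valid_at() {
    exp=$(table_get "$1" expires)
    [ -n "$exp" ] && awk -v a="$exp" -v b="$2" 'BEGIN { exit !(a > b) }'
}

# check_openrc FILE: required exports present and no read permission for "other"
check_openrc() {
    f="$1"; rc=0
    for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
               OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        grep -q "^export $var=" "$f" || { echo "FAIL: $var not exported in $f"; rc=1; }
    done
    # columns 8-10 of `ls -l` are the "other" permission bits (POSIX, no stat needed)
    other=$(ls -ld "$f" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $f is readable by others ($other); it holds OS_PASSWORD in clear text, chmod 600 it"; rc=1
    else
        echo "ok:   $f is private to its owner"
    fi
    return $rc
}

# Constructed sample: a `token issue` table whose id wraps over two rows.
TOKEN_TBL=$(mktemp); RC_FILE=$(mktemp)
trap 'rm -f "$TOKEN_TBL" "$RC_FILE"' EXIT
cat > "$TOKEN_TBL" <<'EOF'
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-11-13T15:27:44.000000Z      |
| id         | gAAAAABfrpfgEMPjiEZl6pRtX_QOS80c |
|            | X4Mpj-JGCwlcDfT13EhyQAhiqeET2N2e |
| project_id | b5eb87802cca4ada8f71be3483cd959c |
| user_id    | ee577a2e6d734b9eb3eb3bb26273b2ee |
+------------+----------------------------------+
EOF
# Constructed OpenRC file with the same contents as the post's admin-openrc.
cat > "$RC_FILE" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
chmod 600 "$RC_FILE"

echo "token id: $(table_get "$TOKEN_TBL" id)"
token_valid_at "$TOKEN_TBL" 2020-11-13T15:00:00.000000Z && echo "token still valid at 15:00Z"
token_valid_at "$TOKEN_TBL" 2020-11-13T16:00:00.000000Z || echo "token expired by 16:00Z"
check_openrc "$RC_FILE"
```

For scripted use, ``openstack token issue -f value -c id`` avoids the table altogether; table_get is for the case where only the human-readable output was captured.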