  • Installing OpenStack (Rocky) on CentOS 7 - 02. Installing the Keystone identity service (controller node)

    This article covers keystone, the identity (authentication) service component of OpenStack.

    --------------- divider ----------------

    2.0. The keystone identity service

    1) Users and authentication: user permissions and tracking of user actions

    User
    Tenant
    Token
    Role

    2) Service catalog: a catalog of all services and the endpoints of their APIs

    Service
    Endpoint

    2.1. Create the keystone database on the controller node

    1) Create the keystone database and grant privileges

    mysql -p123456
    --------------------------------
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    flush privileges;
    show databases;
    select user,host from mysql.user;
    exit
    --------------------------------

    2.2. Install the keystone packages on the controller node

    1) Install the keystone packages

    # Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357; by default the keystone service still listens on these ports

    yum install openstack-keystone httpd mod_wsgi -y
    yum install openstack-keystone python-keystoneclient openstack-utils -y

    2) Quick edit of the keystone configuration

    # The quick configuration method below requires openstack-utils to be installed

    openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
    openstack-config --set /etc/keystone/keystone.conf token provider fernet

    # Note: keystone does not need to connect to rabbitmq

    # View the effective configuration

    egrep -v "^#|^$" /etc/keystone/keystone.conf

    # Another way to view the effective configuration

    grep '^[a-z]' /etc/keystone/keystone.conf

    # Example:

    [root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
    connection = mysql+pymysql://keystone:keystone@controller/keystone
    provider = fernet

    # keystone does not need to be started; it is invoked through the http service

    2.3. Initialize and sync the keystone database

    1) Sync the keystone database (44 tables)

    su -s /bin/sh -c "keystone-manage db_sync" keystone

    2) Test the connection after the sync completes

    # Make sure all required tables have been created, otherwise later steps may fail

    mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"

    Example:

    [root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
    +-----------------------------+
    | Tables_in_keystone          |
    +-----------------------------+
    | access_token                |
    | application_credential      |
    | application_credential_role |
    | assignment                  |
    | config_register             |
    | consumer                    |
    | credential                  |
    | endpoint                    |
    | endpoint_group              |
    | federated_user              |
    | federation_protocol         |
    | group                       |
    | id_mapping                  |
    | identity_provider           |
    | idp_remote_ids              |
    | implied_role                |
    | limit                       |
    | local_user                  |
    | mapping                     |
    | migrate_version             |
    | nonlocal_user               |
    | password                    |
    | policy                      |
    | policy_association          |
    | project                     |
    | project_endpoint            |
    | project_endpoint_group      |
    | project_tag                 |
    | region                      |
    | registered_limit            |
    | request_token               |
    | revocation_event            |
    | role                        |
    | sensitive_config            |
    | service                     |
    | service_provider            |
    | system_assignment           |
    | token                       |
    | trust                       |
    | trust_role                  |
    | user                        |
    | user_group_membership       |
    | user_option                 |
    | whitelisted_config          |
    +-----------------------------+
    [root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
    45

    2.4. Initialize the Fernet key repositories

    # Initialize Fernet key repositories:

    # For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094

    # The following commands print nothing

    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
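    Added example (not part of the original post): a Python audit of the key repository that fernet_setup creates. In that layout index 0 is the staged key, the highest index is the primary key, and every key present still decrypts older tokens; the modes this audit expects (700 for the directory, 600 for each key) and the helper build_demo_repository, a constructed stand-in so the script runs offline, are the script's own assumptions.

```python
import base64
import os
import stat
import tempfile

# Default location written by "keystone-manage fernet_setup" (the
# [fernet_tokens] key_repository setting in keystone.conf).
DEFAULT_REPOSITORY = "/etc/keystone/fernet-keys"


def audit_key_repository(path):
    """Summarise a Fernet key repository and list hygiene problems.

    Each file is named by an integer index and holds one 32-byte key,
    base64url-encoded. Index 0 is the staged key, the highest index is the
    primary key that encrypts new tokens, and every key present is still
    accepted when decrypting older tokens, so all of them are secrets.
    Modes 700 (directory) and 600 (keys) are what this audit expects.
    """
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode != 0o700:
        findings.append("repository mode %o, expected 700" % dir_mode)
    keys = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.isdigit():
            findings.append("unexpected file %s in repository" % name)
            continue
        key_mode = stat.S_IMODE(os.stat(full).st_mode)
        if key_mode != 0o600:
            findings.append("key %s mode %o, expected 600" % (name, key_mode))
        with open(full, "r") as fh:
            data = fh.read().strip()
        try:
            valid = len(base64.urlsafe_b64decode(data)) == 32
        except ValueError:  # binascii.Error is a ValueError
            valid = False
        if not valid:
            findings.append("key %s is not a 32-byte base64url key" % name)
        keys[int(name)] = data
    if 0 not in keys:
        findings.append("no staged key (index 0); key rotation would fail")
    primary = max((idx for idx in keys if idx != 0), default=None)
    if primary is None:
        findings.append("no primary key; tokens cannot be issued")
    return {"primary": primary, "staged": 0 if 0 in keys else None,
            "key_count": len(keys), "findings": findings}


def build_demo_repository(indexes=(0, 1, 2), weak_index=None):
    """Constructed stand-in for /etc/keystone/fernet-keys, for offline runs.

    Keys are random like fernet_setup's; the key at weak_index, if any, is
    left group/world-readable to show how the audit reports it.
    """
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    os.chmod(path, 0o700)
    for idx in indexes:
        key = base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")
        full = os.path.join(path, str(idx))
        with open(full, "w") as fh:
            fh.write(key)
        os.chmod(full, 0o644 if idx == weak_index else 0o600)
    return path


if __name__ == "__main__":
    target = DEFAULT_REPOSITORY if os.path.isdir(DEFAULT_REPOSITORY) else build_demo_repository()
    print(audit_key_repository(target))
```

Run it on the controller after fernet_setup and it reports the real repository; anywhere else it audits the constructed one.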

    2.5. Configure and start Apache (httpd)

    1) Edit the main httpd configuration file

    vim /etc/httpd/conf/httpd.conf +95
    ----------------------------------
    ServerName controller
    ----------------------------------

    # or

    sed  -i  "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
    cat /etc/httpd/conf/httpd.conf |grep ServerName

    2) Configure the virtual host

    # Create a symlink to the keystone virtual host configuration file (it can also be copied instead)

    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    # Alternatively, create the file by hand

    cat /usr/share/keystone/wsgi-keystone.conf
    -------------------------------
    [root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
    Listen 5000
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    Alias /identity /usr/bin/keystone-wsgi-public
    <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
    
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
    </Location>
    --------------------------------

    3) Start httpd and enable it at boot

    systemctl start httpd.service
    systemctl status httpd.service
    netstat -anptl|grep httpd
    
    systemctl enable httpd.service
    systemctl list-unit-files |grep httpd.service

    # If httpd fails to start, disable selinux or install openstack-selinux (yum install openstack-selinux)

    Example:

    [root@openstack01 ~]# systemctl start httpd.service
    [root@openstack01 ~]# systemctl status httpd.service
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
       Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 1978 (httpd)
       Status: "Processing requests..."
       CGroup: /system.slice/httpd.service
               ├─1978 /usr/sbin/httpd -DFOREGROUND
               ├─1981 (wsgi:keystone- -DFOREGROUND
               ├─1982 (wsgi:keystone- -DFOREGROUND
               ├─1983 (wsgi:keystone- -DFOREGROUND
               ├─1984 (wsgi:keystone- -DFOREGROUND
               ├─1985 (wsgi:keystone- -DFOREGROUND
               ├─1986 /usr/sbin/httpd -DFOREGROUND
               ├─1988 /usr/sbin/httpd -DFOREGROUND
               └─1989 /usr/sbin/httpd -DFOREGROUND
    
    10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
    10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
    [root@openstack01 ~]# netstat -anptl|grep httpd
    tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd          
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd          
    [root@openstack01 ~]# systemctl enable httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
    [root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
    httpd.service                                 enabled 

    # At this point the http service configuration is complete

    2.6. Initialize the keystone identity service

    1) Create the keystone user, and bootstrap the service entity and API endpoints

    # In earlier releases (before Queens), bootstrapping needed two ports (5000 for users and 35357 for admin); this release serves everything through one port

    # Create the keystone service entity and identity service endpoints; the three interface types below are public, internal and admin.

    # A password ADMIN_PASS must be chosen for the OpenStack admin user; here it is set to 123456

    keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

    # Example of the command:

    keystone-manage bootstrap --bootstrap-password 123456 \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

    # Running this command adds the following to the keystone database (earlier releases required creating these by hand):

    1) three API endpoints for the service entity in the endpoint table
    2) the admin user in the local_user table
    3) the admin project and Default (the default domain) in the project table
    4) three roles in the role table: admin, member and reader
    5) the identity service in the service table

    2) Temporarily export the admin account's variables for administration

    # The export OS_PASSWORD here must be the ADMIN_PASS configured above

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_USERNAME=admin
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3

    # View the declared variables

    env |grep OS_

    Example:

    [root@openstack01 ~]# env|grep OS_
    OS_USER_DOMAIN_NAME=Default
    OS_PROJECT_NAME=admin
    OS_IDENTITY_API_VERSION=3
    OS_PASSWORD=123456
    OS_AUTH_URL=http://controller:5000/v3
    OS_USERNAME=admin
    OS_PROJECT_DOMAIN_NAME=Default

    # Earlier releases used admin_token to set the initial admin authentication token, similar to the following

    export OS_TOKEN=c0053993bb39ad3de84a
    export OS_URL=http://192.168.1.81:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

    Appendix: common openstack administration commands (the admin environment variables must be loaded)

    # View keystone-related information

    openstack endpoint list
    openstack project list
    openstack user list

    Example:

    [root@openstack01 ~]# openstack endpoint list
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    | b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
    | eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
    | f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    [root@openstack01 ~]# openstack project list
    +----------------------------------+-----------+
    | ID                               | Name      |
    +----------------------------------+-----------+
    | 3706708374804e2eb4ed056f55d84666 | admin     |
    | 84cc7185f2c8461eb19a14968228b272 | myproject |
    | b8e318b3c7a844708762169959c34ff8 | service   |
    +----------------------------------+-----------+
    [root@openstack01 ~]# openstack user list
    +----------------------------------+--------+
    | ID                               | Name   |
    +----------------------------------+--------+
    | cbb2b3830a8f44bc837230bca27ae563 | myuser |
    | e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
    +----------------------------------+--------+

    # Delete an endpoint

    # In earlier releases, endpoints were created separately, could be wrong and then needed deleting; newer releases handle this better, and as long as the system configuration is correct they are generated automatically and rarely go wrong

    openstack endpoint delete [ID]

    2.7. Create the standard keystone entities

    # Create a domain, projects, users, and roles

    https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

    1) Create a keystone domain named example

    # The following command creates an entry named example in the project table

    openstack domain create --description "An Example Domain" example

    Example:

    [root@openstack01 ~]# openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    2) Create a project named service for the keystone system environment

    # Regular (non-admin) tasks should be run as an unprivileged user

    # The following command creates a project named service in the project table

    openstack project create --domain default --description "Service Project" service

    Example:

    [root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | b8e318b3c7a844708762169959c34ff8 |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    3) Create the myproject project and its user and role

    # A project for regular (non-admin) users

    # The following command creates a project named myproject in the project table

    openstack project create --domain default --description "Demo Project" myproject

    Example:

    [root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 84cc7185f2c8461eb19a14968228b272 |
    | is_domain   | False                            |
    | name        | myproject                        |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    4) Create the myuser user in the default domain

    # --password sets a plaintext password directly; --password-prompt asks for the password interactively
    # The following command adds the myuser user to the local_user table

    openstack user create --domain default  --password-prompt myuser    # enter the password interactively
    # openstack user create --domain default  --password=myuser myuser    # create the user and password in one command

    Example:

    [root@openstack01 ~]# openstack user create --domain default  --password-prompt myuser
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | cbb2b3830a8f44bc837230bca27ae563 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

    5) Create the myrole role in the role table

    openstack role create myrole

    Example:

    [root@openstack01 ~]# openstack role create myrole
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
    | name      | myrole                           |
    +-----------+----------------------------------+

    6) Grant the myrole role to the myuser user on the myproject project

    # The following command prints nothing, and the change to the tables is not obvious

    openstack role add --project myproject --user myuser myrole

    2.8. Verify that keystone was installed successfully

    1) Unset the environment variables

    # Disable the temporary authentication token mechanism, then obtain a token to verify that keystone is configured correctly

    unset OS_AUTH_URL OS_PASSWORD
    env |grep OS_

    2) Request an authentication token as the admin user

    # Test whether the admin account can log in by requesting an authentication token

    openstack --os-auth-url http://controller:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name admin --os-username admin token issue

    Example:

    [root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
    >   --os-project-domain-name Default --os-user-domain-name Default \
    >   --os-project-name admin --os-username admin token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T11:48:40+0000                                                                                                                                                                |
    | id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
    | project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
    | user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    3) Obtain an authentication token as a regular user

    # The following command uses the password of the "myuser" user and API port 5000, which allows only regular (non-admin) access to the identity service API.

    openstack --os-auth-url http://controller:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name myproject --os-username myuser token issue

    Example:

    [root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
    >   --os-project-domain-name Default --os-user-domain-name Default \
    >   --os-project-name myproject --os-username myuser token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T11:49:18+0000                                                                                                                                                                |
    | id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
    | project_id | 84cc7185f2c8461eb19a14968228b272                                                                                                                                                        |
    | user_id    | cbb2b3830a8f44bc837230bca27ae563                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
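    Added example (not from the original post): a Python script that takes the admin token id printed above apart by the Fernet layout. Only the version byte, the issue timestamp and the field sizes are readable without a key; the payload is encrypted and the HMAC can only be checked with the keys in the server's key repository, which is why /etc/keystone/fernet-keys must be protected. The token id and expiry are copied from the output above; ADMIN_TOKEN_ID and the helper names are the script's own.

```python
import base64
import struct
from datetime import datetime

# Token id and expiry copied from the admin "openstack token issue" output above.
ADMIN_TOKEN_ID = (
    "gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XN"
    "CxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0N"
    "aaVytK_eRsvO_Lhco6vacYY"
)
ADMIN_TOKEN_EXPIRES = "2018-10-26T11:48:40+0000"

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16      # version byte, timestamp, AES-CBC IV
HMAC_LEN = 32                # HMAC-SHA256 over everything before it


def parse_fernet_token(token_id):
    """Split a keystone Fernet token id into its fields without any key.

    Only the version, the issue timestamp and the sizes are readable; the
    payload (user, project, audit ids) is AES-128-CBC encrypted and the
    HMAC can only be verified with the server's Fernet keys.
    Keystone strips the base64 '=' padding from token ids, so restore it.
    """
    padded = token_id + "=" * (-len(token_id) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) < HEADER_LEN + HMAC_LEN or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    (issued_at,) = struct.unpack(">Q", raw[1:9])  # seconds since the epoch
    ciphertext = raw[HEADER_LEN:-HMAC_LEN]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": raw[0],
        "issued_at": issued_at,
        "iv": raw[9:HEADER_LEN].hex(),
        "ciphertext_len": len(ciphertext),
        "hmac": raw[-HMAC_LEN:].hex(),
    }


def token_lifetime_seconds(token_id, expires):
    """Lifetime keystone granted: the CLI's 'expires' minus the issue time."""
    expires_at = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return int(expires_at.timestamp()) - parse_fernet_token(token_id)["issued_at"]


if __name__ == "__main__":
    info = parse_fernet_token(ADMIN_TOKEN_ID)
    print("issued at %d (unix), lifetime %d s, %d bytes of ciphertext" % (
        info["issued_at"],
        token_lifetime_seconds(ADMIN_TOKEN_ID, ADMIN_TOKEN_EXPIRES),
        info["ciphertext_len"]))
```

For the token above the issue time is 2018-10-26T10:48:40Z, one hour before the printed expiry, the default token lifetime.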

    2.9. Create OpenStack client environment scripts

    # Create OpenStack client environment scripts

    # Above, the openstack client was driven by a combination of environment variables and command-line options to interact with the identity service.
    # To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files; custom file names are used here

    1) Create the environment script for the admin user

    # vim admin-openrc
    cd /server/tools
    vim keystone-admin-pass.sh
    ----------------------------------
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    ----------------------------------
    env |grep OS_

    # Application:
    If the dashboard login password is forgotten, the admin_token authentication mechanism can be used to reset it

    2) Create the client environment script for the regular user myuser

    vim keystone-myuser-pass.sh
    -------------------------------
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=myproject
    export OS_USERNAME=myuser
    export OS_PASSWORD=myuser
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    -------------------------------

    3) Test the environment script

    # Source the script to load the client configuration, so the client can quickly be run as a specific tenant and user

    source keystone-admin-pass.sh

    4) Request an authentication token

    openstack token issue

    Example:

    [root@openstack01 tools]# openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T12:13:28+0000                                                                                                                                                                |
    | id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
    | project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
    | user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    # The user_id is the same as the one obtained with the explicit command above, which shows the configuration succeeded

    # Keystone installation is complete

    ======== Done ========

  • Original article: https://www.cnblogs.com/tssc/p/9858655.html