1. Introduction to the Keystone identity service
Keystone (OpenStack Identity Service) is the component of the OpenStack framework responsible for authentication, service rules and service tokens; it implements the OpenStack Identity API. Keystone acts like a service bus, or the registry of the whole OpenStack framework: every other service registers its Endpoint (the URL at which the service is accessed) with Keystone, and any call from one service to another goes through Keystone authentication to obtain the target service's Endpoint and thereby locate the target service.
◎ Keystone identity service: user authentication and service catalogue (registry)
User authentication:
  User: a user
  Project: a project (called a tenant in early releases)
  Token: a token (access credential)
  Role: a role
Service catalogue:
  Service: a service (what is it for?)
  Endpoint: an endpoint (the URL the service exposes as its entry point; it comes in three kinds: public, private (internal) and admin)
2. Deploying the Keystone identity service
2.1 Install keystone
[root@linux-node1 ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
# keystone runs under Apache
# mod_wsgi: the generic CGI-style interface between Apache and Python applications
# memcached: a cache in front of the database, to reduce the load on it
2.2 Edit the keystone configuration file: /etc/keystone/keystone.conf
# 1. Generate a token
[root@linux-node1 ~]# openssl rand -hex 10
1f39aea29788df94171d
In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = 1f39aea29788df94171d
Replace ADMIN_TOKEN with the random value generated in the previous step.
In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
Replace KEYSTONE_DBPASS with the password you chose for the database.
In the [token] section, configure the Fernet token provider:
[token]
...
provider = fernet
# the default token storage is sql; change it to memcache
driver = memcache
[memcache]
...
servers = 192.168.56.11:11211
# 2. Check the keystone configuration file
[root@linux-node1 ~]# grep '^[a-Z]' /etc/keystone/keystone.conf
admin_token = 1f39aea29788df94171d
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
provider = fernet
driver = memcache
2.3 Initialise the identity service database
# 1. Run the initialisation as the keystone user; otherwise permission problems make it fail
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
# 2. Check the database to see whether the tables were created; if not, look at the log: tail /var/log/keystone/keystone.log
[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
...
2.4 Initialise the Fernet keys and create the certificates
# 1. Initialise the Fernet keys
[root@linux-node1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# 2. Inspect the certificates
[root@linux-node1 ~]# ll /etc/keystone
total 100
-rw-r----- 1 root     keystone  2303 Sep 22  2016 default_catalog.templates
drwx------ 2 keystone keystone    22 Mar 31 10:52 fernet-keys
-rw-r----- 1 root     keystone 73272 Mar 30 23:26 keystone.conf   # note the owner of the keystone configuration file
-rw-r----- 1 root     keystone  2400 Sep 22  2016 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Sep 22  2016 logging.conf
-rw-r----- 1 keystone keystone  9699 Sep 22  2016 policy.json
-rw-r----- 1 keystone keystone   665 Sep 22  2016 sso_callback_template.html
[root@linux-node1 ~]# ll /etc/keystone/fernet-keys/
total 8
-rw------- 1 keystone keystone 44 Mar 31 10:52 0
-rw------- 1 keystone keystone 44 Mar 31 10:52 1
[root@linux-node1 fernet-keys]# more 0
CqeXZETdO10sCss0TQ4Vs-7WafAPWM2CgO0botR7MWw=
[root@linux-node1 fernet-keys]# more 1
6qgh6-JkGQLGSlSYDBI7dUDAhd0niFUuA633auRbRaM=
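The key repository shown above (file 0 is the staging key, file 1 the primary key, each 44 characters of urlsafe base64 that decode to 32 bytes) can be checked, and the effect of a later `keystone-manage fernet_rotate` previewed, with the following added example; it is not code from the post or from Keystone, and `rotate()` is an in-memory simulation of the documented rotation rule (0 is promoted to the new highest index, a fresh 0 is created, and the oldest numbered keys are purged down to `max_active_keys`), using constructed keys rather than the ones printed above:

```python
import base64
import os


def new_key():
    """Generate a key in Fernet's format: 32 random bytes, urlsafe base64 (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def check_key(key):
    """True when the string has the Fernet key format (44 chars decoding to 32 bytes)."""
    if len(key) != 44:
        return False
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except (ValueError, TypeError):
        return False


def primary_index(repo):
    """The primary (encrypting) key is the highest index; index 0 is the staging key."""
    return max(i for i in repo if i != 0)


def rotate(repo, max_active_keys=3):
    """Simulate fernet_rotate on a {index: key} repository and return the new one.

    Assumed semantics (matching the Keystone documentation): the staging key 0
    becomes the new primary, a fresh staging key 0 is written, and the lowest
    numbered keys are dropped until 0 plus the numbered keys fit max_active_keys.
    """
    repo = dict(repo)  # leave the caller's repository untouched
    new_primary = primary_index(repo) + 1
    repo[new_primary] = repo.pop(0)  # promote the staging key
    repo[0] = new_key()              # fresh staging key for the next rotation
    numbered = sorted(i for i in repo if i != 0)
    while len(numbered) > max_active_keys - 1:
        del repo[numbered.pop(0)]    # purge the oldest secondary key first
    return repo


def check_repo(repo):
    """A usable repository has key 0, at least one numbered key, all well-formed."""
    return 0 in repo and len(repo) >= 2 and all(check_key(k) for k in repo.values())


def load_repo(path="/etc/keystone/fernet-keys"):
    """Read a real repository directory (the path from the post) into {index: key}."""
    return {int(name): open(os.path.join(path, name)).read().strip()
            for name in os.listdir(path) if name.isdigit()}
```

Tokens are always encrypted with the primary key but can be decrypted with any key in the repository, which is why a token issued just before a rotation stays valid until the key that encrypted it is purged.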
2.5 Start keystone
# 1. Start memcached first
[root@linux-node1 ~]# systemctl enable memcached
[root@linux-node1 ~]# systemctl start memcached
[root@linux-node1 ~]# lsof -i:11211
COMMAND    PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
memcached 3207 memcached  26u  IPv4  23376      0t0  TCP localhost:memcache (LISTEN)
...
# 2. Check the memcached configuration file
[root@linux-node1 ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"
# Note: with OPTIONS="-l 127.0.0.1,::1" memcached listens only on loopback (as the lsof output shows), while keystone.conf points at servers = 192.168.56.11:11211; the two must agree, and if memcached is bound to a non-loopback address it must not be reachable from untrusted networks.
# 3. Configure Apache: edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
ServerName 192.168.56.11:80
# 4. Create the file /etc/httpd/conf.d/wsgi-keystone.conf in the Apache configuration directory
[root@linux-node1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
# 5. Start the Apache HTTP service and configure it to start with the system
[root@linux-node1 ~]# systemctl enable httpd.service
[root@linux-node1 ~]# systemctl start httpd.service
[root@linux-node1 ~]# netstat -tunpl|egrep -w "5000|35357"
tcp6       0      0 :::5000                 :::*                    LISTEN      3422/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      3422/httpd
# 6. If there are errors, turn on debug, restart keystone and look at the log again
3. Create the domain, projects, users and roles
3.1 Connect to keystone
# Set environment variables for accessing keystone
# 1. Configure the authentication token:
[root@linux-node1 ~]# export OS_TOKEN=1f39aea29788df94171d
# 2. Configure the endpoint URL:
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
# 3. Configure the identity API version:
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
# Warning: for security reasons, do not keep using the temporary authentication token any longer than the identity service initialisation that requires it.
3.2 Create the authentication objects
# The identity service provides authentication for every OpenStack service. It works with a combination of domains, projects (tenants), users and roles.
# 1. Create the default domain (without the environment variables set above, the command prompts for authentication!)
[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 7f55c04732914c0aa55f666a100a54cc |
| name        | default                          |
+-------------+----------------------------------+
# 2. Create the admin project (used for administrative operations: creating and managing projects, users and roles, and controlling all instances)
[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 7f55c04732914c0aa55f666a100a54cc |
| enabled     | True                             |
| id          | eac1d8e85417450bafe92987e5d56778 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 7f55c04732914c0aa55f666a100a54cc |
+-------------+----------------------------------+
# 3. Create the admin user (set the password to admin)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | 58e2f187bcb94a269f06ce1b4f0a5eb5 |
| name      | admin                            |
+-----------+----------------------------------+
# 4. Create the admin role:
[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 2fa1b0547af54fe0929aae3d1dce83cf |
| name      | admin                            |
+-----------+----------------------------------+
# 5. Add the admin role to the admin project and user (add the admin user to the admin project and grant it the admin role)
[root@linux-node1 ~]# openstack role add --project admin --user admin admin
3.3 Summary of the steps for creating the domain, project, user and role
Create the authentication environment variables:
  export OS_TOKEN=1f39aea29788df94171d
  export OS_URL=http://192.168.56.11:35357/v3
  export OS_IDENTITY_API_VERSION=3
Create the default domain:
  openstack domain create --description "Default Domain" default
Create the admin project:
  openstack project create --domain default --description "Admin Project" admin
Create the admin user:
  openstack user create --domain default --password-prompt admin
Create the admin role:
  openstack role create admin
Add the admin user to the admin project and grant it the admin role:
  openstack role add --project admin --user admin admin
4. Create the demo project and user
# 1. Create the demo project (added to the default domain)
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 7f55c04732914c0aa55f666a100a54cc |
| enabled     | True                             |
| id          | ab47f14a4ccf4f748f84d5100eb30300 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 7f55c04732914c0aa55f666a100a54cc |
+-------------+----------------------------------+
# 2. Create the demo user (set the password to demo)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | d8a1029948b14dd2b5e7c1b6f43766de |
| name      | demo                             |
+-----------+----------------------------------+
# 3. Create the user role (the ordinary user role)
[root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 6de47fd18a3e441eb64802c90191ddde |
| name      | user                             |
+-----------+----------------------------------+
# 4. Add the user role to the demo project and user (add the demo user to the demo project and grant it the user role)
[root@linux-node1 ~]# openstack role add --project demo --user demo user
5. Create the service project (used by the service components' users to authenticate with keystone)
5.1 Create the service project:
[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service
5.2 Create a user for each component service and add it to the service project
# 1. Create the glance user (password glance), add it to the service project and grant it the admin role
[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | cf866a92b4f045cc89123754323095d9 |
| name      | glance                           |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user glance admin
# 2. Create the nova user (password nova)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | d6eff306d51d4579a9553a28fe237f19 |
| name      | nova                             |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user nova admin
# 3. Create the neutron user (password neutron)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | 81baeba545174ae0b13ae6cef85e09c1 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user neutron admin
6. Create the service entity and API endpoints
6.1 Create the identity service entity
[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | fe954317868a4da096b6ab61712fa686 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
6.2 Create the identity service API endpoints
# 1. The public access point
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 280ceb44317d495eb3d786d9abe7a9b4 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
# 2. The private (internal) access point
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b796898945564947b971694d11be7f1d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
# 3. The admin access point; keystone's admin port is 35357, all other services use 5000
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 56f4ebb8d690434691b27e8ecd22c0b3 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+
6.3 Review the configuration
# 1. List domains (help: openstack domain -h)
[root@linux-node1 ~]# openstack domain list
+----------------------------------+---------+---------+----------------+
| ID                               | Name    | Enabled | Description    |
+----------------------------------+---------+---------+----------------+
| 7f55c04732914c0aa55f666a100a54cc | default | True    | Default Domain |
+----------------------------------+---------+---------+----------------+
# 2. List services (help: openstack service -h)
[root@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| fe954317868a4da096b6ab61712fa686 | keystone | identity |
+----------------------------------+----------+----------+
# 3. List roles (help: openstack role -h)
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 2fa1b0547af54fe0929aae3d1dce83cf | admin |
| 6de47fd18a3e441eb64802c90191ddde | user  |
+----------------------------------+-------+
# 4. List users (help: openstack user -h)
[root@linux-node1 ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 58e2f187bcb94a269f06ce1b4f0a5eb5 | admin   |
| 81baeba545174ae0b13ae6cef85e09c1 | neutron |
| cf866a92b4f045cc89123754323095d9 | glance  |
| d6eff306d51d4579a9553a28fe237f19 | nova    |
| d8a1029948b14dd2b5e7c1b6f43766de | demo    |
+----------------------------------+---------+
7. Verifying keystone
7.1 Unset the environment variables
[root@linux-node1 ~]# unset OS_TOKEN OS_URL
7.2 Request an authentication token as the admin user:
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:12:10.976948Z                                                                                           |
| id         | gAAAAABY3g9bvxKWB0P6FTOEUVKqodLs2kUNzRl1sBrZ2zeTLcEBJM8TFBb9BmEf72u68iCkvdqBgMP7UmkMTPD3UaxhqEKHkhj1nD1-CxIVK8WJsDdKG |
|            | UulsW_J9euz3N3OX6WjeiRZM0B8Fo5LboPzrsBVBTM925l4Nb7mDbhA95Cshm3o2I8                                                    |
| project_id | eac1d8e85417450bafe92987e5d56778                                                                                      |
| user_id    | 58e2f187bcb94a269f06ce1b4f0a5eb5                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
Enter the admin password (admin); if a token is issued, the keystone configuration is working.
7.3 Test the demo user
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:15:50.377488Z                                                                                           |
| id         | gAAAAABY3hA2tLT9enjaZpExQb1eQ4pLxP9gvOCpwXX8iDuOHiv12v-EZqfKyfU2lLogOpmXTCbhLhrDkMRyd1DWgdC9WvkJNq4OFPB9lyTUZWUYyWogh |
|            | E3wZQr4xNaLYGMuCgCVzSp35tYXh4MyQQ2j5pM0-8mvyT2gda9mo6Jcv9xy7x7O9F4                                                    |
| project_id | ab47f14a4ccf4f748f84d5100eb30300                                                                                      |
| user_id    | d8a1029948b14dd2b5e7c1b6f43766de                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
7.4 Create the OpenStack client environment scripts
# 1. Create the admin and demo environment variable scripts
[root@linux-node1 ~]# cat admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# 2. Source the environment script before requesting access so that a token is issued; otherwise a 401 is returned saying there is no permission
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:25:04.716673Z                                                                                           |
| id         | gAAAAABY3hJggBe5qlikziUoymwgXnlnH8GvaV_1KlmCVM6kT1fMJWHmfEsIewUp_EyXgo8izbIipoHOhakfdGZG3FT50XPePKu_Vg7XVz_hGG3CSgZvl |
|            | gmX51Lr7296B9Qq7diwHn5Gshz_fbuOTJk6E9Q5WeSifpDgA-HHa0ahPajwW_15YUQ                                                    |
| project_id | eac1d8e85417450bafe92987e5d56778                                                                                      |
| user_id    | 58e2f187bcb94a269f06ce1b4f0a5eb5                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
[root@linux-node1 ~]# source demo-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:25:18.031119Z                                                                                           |
| id         | gAAAAABY3hJuuSiJ6Nxm1eLcpsSQ-wvzZGE1sw9ISmJd0AjFNssXy23ctfMCLKokKKjuAY9ByiQFtc0UXNhkCCudh8tlmRNXFdSUgBagOj9bJEi-      |
|            | CsCOe5JAISMl8EGzES9d4PFmohDHUZQ8Fe8IZzyr27BVcZXgZUPckKsDP5SVY8gd_ID89PM                                               |
| project_id | ab47f14a4ccf4f748f84d5100eb30300                                                                                      |
| user_id    | d8a1029948b14dd2b5e7c1b6f43766de                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
Note: whenever the client reports "unauthorized", something is wrong with keystone.
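The exchange behind `openstack token issue` in sections 7.2 to 7.4 is a single POST to the Identity v3 API, shown here as an added example (not code from the post, and not the openstack client): it builds the password-method, project-scoped request from the same OS_* variables the environment scripts export, reads the token from the X-Subject-Token response header, and treats a 401 as the credential problem the note above describes. The sample environment is constructed from the post's admin-openstack.sh values.

```python
# Added example: Keystone v3 password authentication with the standard library only.
import json
import os
import urllib.error
import urllib.request

# Constructed sample environment: the variables admin-openstack.sh exports.
SAMPLE_ENV = {
    "OS_AUTH_URL": "http://192.168.56.11:35357/v3",
    "OS_USER_DOMAIN_NAME": "default",
    "OS_PROJECT_DOMAIN_NAME": "default",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "admin",
    "OS_PROJECT_NAME": "admin",
}


def build_auth_request(env):
    """JSON body for POST /v3/auth/tokens: password method, project scope."""
    user = {"name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}
    project = {"name": env["OS_PROJECT_NAME"],
               "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}},
                     "scope": {"project": project}}}


def parse_token_response(subject_token, body):
    """Return the fields `openstack token issue` prints for a 201 response.

    The token string is not in the JSON body: Keystone returns it in the
    X-Subject-Token response header, so the caller passes it in separately.
    """
    token = body["token"]
    return {"id": subject_token,
            "expires": token["expires_at"],
            "project_id": token["project"]["id"],
            "user_id": token["user"]["id"]}


def issue_token(env=None):
    """POST the request; a 401 means the OS_* credentials or scope are wrong."""
    env = env or os.environ  # after `source admin-openstack.sh`, os.environ suffices
    req = urllib.request.Request(
        env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
        data=json.dumps(build_auth_request(env)).encode(),
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.headers["X-Subject-Token"],
                                        json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 401:
            raise SystemExit("HTTP 401: check the OS_* variables and password") from e
        raise  # e.g. HTTP 500: look at /var/log/keystone/keystone.log
```

Run it after sourcing one of the environment scripts; the password travels in the request body, so the auth URL should be HTTPS anywhere other than a lab on a private network like the one in the post.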
When requesting an authentication token as the admin user, why does it report
An unexpected error prevented the server from fulfilling your request. (HTTP 500)
@紫峰 Add the two environment variables and look at the keystone log