OpenStack in Practice 3: Deploying the Keystone Identity Service

1. Introduction to the Keystone identity service

Keystone (the OpenStack Identity Service) is the component of the OpenStack framework responsible for authentication, service rules and service tokens; it implements the OpenStack Identity API. Keystone acts like a service bus, or rather as the registry of the whole OpenStack framework: every other service registers its endpoint (the URL at which it is reached) with Keystone, and any call from one service to another must pass Keystone's authentication to obtain the target service's endpoint and locate it.

◎ Keystone identity service: user authentication and the service catalog (registry)

User authentication:

  • User: the user

  • Project: a project (called a tenant in earlier releases)

  • Token: the access credential

  • Role: a role

Service catalog:

  • Service: what the service is for

  • Endpoint: the URL exposed as the service entry point; each service has three interface types: public, internal (private) and admin

2. Deploying the Keystone identity service

2.1 Install keystone

[root@linux-node1 ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
# keystone runs under Apache (httpd)
# mod_wsgi: the generic WSGI interface that lets Apache run Python applications
# memcached: caches in front of the database to reduce database load

2.2 Edit the keystone configuration file: /etc/keystone/keystone.conf

#1. Generate a token
[root@linux-node1 ~]# openssl rand -hex 10
1f39aea29788df94171d

In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = 1f39aea29788df94171d
Replace ``ADMIN_TOKEN`` with the random value generated in the previous step.

In the [database] section, configure database access:

[database]
...
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.

In the ``[token]`` section, configure the Fernet token provider:

[token]
...
provider = fernet
driver = memcache   # the default token driver is sql; change it to memcache

[memcache]
...
servers = 192.168.56.11:11211

#2. Review the keystone configuration
[root@linux-node1 ~]# grep '^[a-Z]' /etc/keystone/keystone.conf 
admin_token = 1f39aea29788df94171d
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
provider = fernet
driver = memcache

2.3 Initialize the identity service database

#1. Run the sync as the keystone user; otherwise file permission problems will make it fail
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

#2. Check the database to confirm the tables were created; if they were not, read the log: tail /var/log/keystone/keystone.log
[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |  

...

2.4 Initialize the Fernet keys

#1. Initialize the Fernet key repository
[root@linux-node1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

#2. Inspect the key files
[root@linux-node1 ~]# ll /etc/keystone
total 100
-rw-r----- 1 root     keystone  2303 Sep 22  2016 default_catalog.templates
drwx------ 2 keystone keystone    22 Mar 31 10:52 fernet-keys
-rw-r----- 1 root     keystone 73272 Mar 30 23:26 keystone.conf     # note the owner and group of the keystone config file
-rw-r----- 1 root     keystone  2400 Sep 22  2016 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Sep 22  2016 logging.conf
-rw-r----- 1 keystone keystone  9699 Sep 22  2016 policy.json
-rw-r----- 1 keystone keystone   665 Sep 22  2016 sso_callback_template.html


[root@linux-node1 ~]# ll /etc/keystone/fernet-keys/
total 8
-rw------- 1 keystone keystone 44 Mar 31 10:52 0
-rw------- 1 keystone keystone 44 Mar 31 10:52 1
[root@linux-node1 fernet-keys]# more 0
CqeXZETdO10sCss0TQ4Vs-7WafAPWM2CgO0botR7MWw=
[root@linux-node1 fernet-keys]# more 1
6qgh6-JkGQLGSlSYDBI7dUDAhd0niFUuA633auRbRaM=

2.5 Start keystone

#1. Start memcached first
[root@linux-node1 ~]# systemctl enable memcached
[root@linux-node1 ~]# systemctl start memcached
[root@linux-node1 ~]# lsof -i:11211
COMMAND    PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
memcached 3207 memcached   26u  IPv4  23376      0t0  TCP localhost:memcache (LISTEN)
...

#2. Review the memcached configuration
[root@linux-node1 ~]# cat /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"

#3. Configure Apache: edit /etc/httpd/conf/httpd.conf and set ServerName to the controller node:
ServerName 192.168.56.11:80

#4. Create the file /etc/httpd/conf.d/wsgi-keystone.conf in the Apache configuration directory
[root@linux-node1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

#5. Start the Apache HTTP service and enable it at boot
[root@linux-node1 ~]# systemctl enable httpd.service
[root@linux-node1 ~]# systemctl start httpd.service

[root@linux-node1 ~]# netstat -tunpl|egrep -w "5000|35357"
tcp6       0      0 :::5000                 :::*                    LISTEN      3422/httpd          
tcp6       0      0 :::35357                :::*                    LISTEN      3422/httpd 

#6. If anything fails, turn on debug logging, restart keystone and check the logs again

3. Create the domain, projects, users and roles

3.1 Connect to keystone

# Set the environment variables used to reach keystone

#1. Configure the authentication token:
[root@linux-node1 ~]# export OS_TOKEN=1f39aea29788df94171d

#2. Configure the endpoint URL:
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3

#3. Configure the identity API version:
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3

# Warning
For security reasons, do not use the temporary admin token for any longer than the required identity service bootstrap takes.

3.2 Create the authentication objects

# The identity service provides authentication for every OpenStack service. It uses a combination of domains, projects (tenants), users and roles.

#1. Create the default domain (if the environment variables above are not set, this fails with an authentication error!)
[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 7f55c04732914c0aa55f666a100a54cc |
| name        | default                          |
+-------------+----------------------------------+

#2. Create the admin project (used for administrative operations: creating and managing projects, users and roles, and controlling all instances)
[root@linux-node1 ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 7f55c04732914c0aa55f666a100a54cc |
| enabled     | True                             |
| id          | eac1d8e85417450bafe92987e5d56778 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 7f55c04732914c0aa55f666a100a54cc |
+-------------+----------------------------------+

#3. Create the admin user (the password is set to admin)
[root@linux-node1 ~]# openstack user create --domain default   --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | 58e2f187bcb94a269f06ce1b4f0a5eb5 |
| name      | admin                            |
+-----------+----------------------------------+

#4. Create the admin role:
[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 2fa1b0547af54fe0929aae3d1dce83cf |
| name      | admin                            |
+-----------+----------------------------------+

#5. Add the admin role to the admin project and user (i.e. put the admin user in the admin project with the admin role)
[root@linux-node1 ~]# openstack role add --project admin --user admin admin

3.3 Summary of the steps to create the domain, project, user and role

  1. Set the authentication environment variables

    export OS_TOKEN=1f39aea29788df94171d

    export OS_URL=http://192.168.56.11:35357/v3

    export OS_IDENTITY_API_VERSION=3

  2. Create the default domain

    openstack domain create --description "Default Domain" default

  3. Create the admin project

    openstack project create --domain default --description "Admin Project" admin

  4. Create the admin user

    openstack user create --domain default --password-prompt admin

  5. Create the admin role

    openstack role create admin

  6. Put the admin user in the admin project with the admin role

    openstack role add --project admin --user admin admin

4. Create the demo project and user

#1. Create the demo project (in the default domain)
[root@linux-node1 ~]# openstack project create --domain default   --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 7f55c04732914c0aa55f666a100a54cc |
| enabled     | True                             |
| id          | ab47f14a4ccf4f748f84d5100eb30300 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 7f55c04732914c0aa55f666a100a54cc |
+-------------+----------------------------------+

#2. Create the demo user (the password is set to demo)
[root@linux-node1 ~]# openstack user create --domain default   --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | d8a1029948b14dd2b5e7c1b6f43766de |
| name      | demo                             |
+-----------+----------------------------------+

#3. Create the user role (the ordinary-user role)
[root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 6de47fd18a3e441eb64802c90191ddde |
| name      | user                             |
+-----------+----------------------------------+

#4. Add the user role to the demo project and user (i.e. put the demo user in the demo project with the user role)
[root@linux-node1 ~]# openstack role add --project demo --user demo user

5. Create the service project (used by each service component's user to authenticate against keystone)

5.1 Create the service project:

[root@linux-node1 ~]# openstack project create --domain default   --description "Service Project" service

5.2 Create a service user for each component and add it to the service project

#1. Create the glance user (password glance), add it to the service project and grant it the admin role
[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | cf866a92b4f045cc89123754323095d9 |
| name      | glance                           |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user glance admin

#2. Create the nova user (password nova)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | d6eff306d51d4579a9553a28fe237f19 |
| name      | nova                             |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user nova admin

#3. Create the neutron user (password neutron)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 7f55c04732914c0aa55f666a100a54cc |
| enabled   | True                             |
| id        | 81baeba545174ae0b13ae6cef85e09c1 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user neutron admin

6. Create the service entity and API endpoints

6.1 Create the identity service entity

[root@linux-node1 ~]# openstack service create   --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | fe954317868a4da096b6ab61712fa686 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

6.2 Create the identity service API endpoints

#1. Public endpoint
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 280ceb44317d495eb3d786d9abe7a9b4 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+

#2. Internal (private) endpoint
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b796898945564947b971694d11be7f1d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+

#3. Admin endpoint: keystone's admin endpoint is on port 35357; all the others use 5000
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 56f4ebb8d690434691b27e8ecd22c0b3 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fe954317868a4da096b6ab61712fa686 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+

6.3 Review the configuration

#1. List domains: openstack domain -h
[root@linux-node1 ~]# openstack domain list
+----------------------------------+---------+---------+----------------+
| ID                               | Name    | Enabled | Description    |
+----------------------------------+---------+---------+----------------+
| 7f55c04732914c0aa55f666a100a54cc | default | True    | Default Domain |
+----------------------------------+---------+---------+----------------+

#2. List services: openstack service -h
[root@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| fe954317868a4da096b6ab61712fa686 | keystone | identity |
+----------------------------------+----------+----------+

#3. List roles: openstack role -h
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 2fa1b0547af54fe0929aae3d1dce83cf | admin |
| 6de47fd18a3e441eb64802c90191ddde | user  |
+----------------------------------+-------+

#4. List users: openstack user -h
[root@linux-node1 ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 58e2f187bcb94a269f06ce1b4f0a5eb5 | admin   |
| 81baeba545174ae0b13ae6cef85e09c1 | neutron |
| cf866a92b4f045cc89123754323095d9 | glance  |
| d6eff306d51d4579a9553a28fe237f19 | nova    |
| d8a1029948b14dd2b5e7c1b6f43766de | demo    |
+----------------------------------+---------+

7. Verify keystone

7.1 Unset the bootstrap environment variables

[root@linux-node1 ~]# unset OS_TOKEN OS_URL

7.2 As the admin user, request an authentication token:

[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:12:10.976948Z                                                                                           |
| id         | gAAAAABY3g9bvxKWB0P6FTOEUVKqodLs2kUNzRl1sBrZ2zeTLcEBJM8TFBb9BmEf72u68iCkvdqBgMP7UmkMTPD3UaxhqEKHkhj1nD1-CxIVK8WJsDdKG |
|            | UulsW_J9euz3N3OX6WjeiRZM0B8Fo5LboPzrsBVBTM925l4Nb7mDbhA95Cshm3o2I8                                                    |
| project_id | eac1d8e85417450bafe92987e5d56778                                                                                      |
| user_id    | 58e2f187bcb94a269f06ce1b4f0a5eb5                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+

Enter the admin password (admin). If a token is returned, the keystone configuration is working.

7.3 Test the demo user

[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:15:50.377488Z                                                                                           |
| id         | gAAAAABY3hA2tLT9enjaZpExQb1eQ4pLxP9gvOCpwXX8iDuOHiv12v-EZqfKyfU2lLogOpmXTCbhLhrDkMRyd1DWgdC9WvkJNq4OFPB9lyTUZWUYyWogh |
|            | E3wZQr4xNaLYGMuCgCVzSp35tYXh4MyQQ2j5pM0-8mvyT2gda9mo6Jcv9xy7x7O9F4                                                    |
| project_id | ab47f14a4ccf4f748f84d5100eb30300                                                                                      |
| user_id    | d8a1029948b14dd2b5e7c1b6f43766de                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
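As an added example (not from the original post), here is the v3 HTTP exchange that `openstack token issue` performs for the two commands above, in Python: the password-method request body the CLI flags are turned into, how to read the token ID and scope out of the response, and how a client picks the public, internal or admin URL from the catalog built in 6.2. The response headers and body are constructed; the user, project and role ids in them are the ones printed earlier in the post, and the token id is a placeholder.

```python
"""The v3 HTTP exchange behind `openstack token issue`, and catalog endpoint selection."""
import json
from typing import Dict, List, Optional


def password_auth_body(username: str, password: str, project: str,
                       user_domain: str = "default", project_domain: str = "default") -> dict:
    """JSON body for POST /v3/auth/tokens. The arguments map one-to-one onto the CLI flags
    in section 7.2 (--os-username, --os-project-name, --os-user-domain-name,
    --os-project-domain-name) and onto the OS_* variables in the section 7.4 scripts."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}}}}


def find_endpoint(catalog: List[dict], service_type: str, interface: str = "public",
                  region: Optional[str] = None) -> Optional[str]:
    """Return the URL of one service type / interface (public, internal or admin) from the
    catalog a scoped token carries; this is how clients resolve the entries created in 6.2."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == interface and (region is None or ep.get("region") == region):
                return ep.get("url")
    return None


def read_token_response(headers: Dict[str, str], body: str) -> dict:
    """Pull the fields `openstack token issue` prints out of a 201 response. The token id
    travels in the X-Subject-Token header, not in the JSON body."""
    token = json.loads(body)["token"]
    return {"id": headers["X-Subject-Token"],
            "expires": token["expires_at"],
            "project_id": token["project"]["id"],
            "user_id": token["user"]["id"],
            "roles": [r["name"] for r in token.get("roles", [])],
            "catalog": token.get("catalog", [])}


# Constructed response (not captured from the post's node): the ids are the ones the post
# shows, the token id is a placeholder. Real bodies carry more fields than are needed here.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token-id"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2017-03-31T09:12:10.976948Z",
    "user": {"id": "58e2f187bcb94a269f06ce1b4f0a5eb5", "name": "admin"},
    "project": {"id": "eac1d8e85417450bafe92987e5d56778", "name": "admin"},
    "roles": [{"id": "2fa1b0547af54fe0929aae3d1dce83cf", "name": "admin"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://192.168.56.11:5000/v3"},
        {"interface": "internal", "region": "RegionOne", "url": "http://192.168.56.11:5000/v3"},
        {"interface": "admin", "region": "RegionOne", "url": "http://192.168.56.11:35357/v3"}]}]}})


if __name__ == "__main__":
    # Client side: what the CLI POSTs to http://192.168.56.11:35357/v3/auth/tokens.
    print(json.dumps(password_auth_body("admin", "admin", "admin"), indent=2))
    # Server side: what comes back, and which URL the catalog gives for the admin interface.
    info = read_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(info["id"], info["expires"], find_endpoint(info["catalog"], "identity", "admin", "RegionOne"))
```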

7.4 Create the OpenStack client environment scripts

#1. Create the admin and demo environment-variable scripts
[root@linux-node1 ~]# cat admin-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[root@linux-node1 ~]# cat demo-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

#2. Source the environment script before requesting a token; without it the request fails with 401 (unauthorized)
[root@linux-node1 ~]# source admin-openstack.sh 
[root@linux-node1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:25:04.716673Z                                                                                           |
| id         | gAAAAABY3hJggBe5qlikziUoymwgXnlnH8GvaV_1KlmCVM6kT1fMJWHmfEsIewUp_EyXgo8izbIipoHOhakfdGZG3FT50XPePKu_Vg7XVz_hGG3CSgZvl |
|            | gmX51Lr7296B9Qq7diwHn5Gshz_fbuOTJk6E9Q5WeSifpDgA-HHa0ahPajwW_15YUQ                                                    |
| project_id | eac1d8e85417450bafe92987e5d56778                                                                                      |
| user_id    | 58e2f187bcb94a269f06ce1b4f0a5eb5                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+
[root@linux-node1 ~]# source demo-openstack.sh 
[root@linux-node1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                 |
+------------+-----------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-03-31T09:25:18.031119Z                                                                                           |
| id         | gAAAAABY3hJuuSiJ6Nxm1eLcpsSQ-wvzZGE1sw9ISmJd0AjFNssXy23ctfMCLKokKKjuAY9ByiQFtc0UXNhkCCudh8tlmRNXFdSUgBagOj9bJEi-      |
|            | CsCOe5JAISMl8EGzES9d4PFmohDHUZQ8Fe8IZzyr27BVcZXgZUPckKsDP5SVY8gd_ID89PM                                               |
| project_id | ab47f14a4ccf4f748f84d5100eb30300                                                                                      |
| user_id    | d8a1029948b14dd2b5e7c1b6f43766de                                                                                      |
+------------+-----------------------------------------------------------------------------------------------------------------------+

Note: any "unauthorized" error means something is wrong with keystone


anzhihe (安志合) personal blog, all rights reserved | Original unless noted otherwise | When reposting, please credit: https://chegva.com/2018.html

2 comments

  1. "As the admin user, request an authentication token": why do I get
    An unexpected error prevented the server from fulfilling your request. (HTTP 500)
