• OpenStack Study Series, Part 2: Installing and Deploying Keystone


    Keystone overview

    OpenStack uses Keystone for identity authentication and service authorization: every other component must authenticate before communicating and obtain permission for the resources it may access.
     I. Functions
           1. User authentication management: verifies that a user's identity information is valid.
           2. Identity authorization service: provides authentication and authorization management for all other components, including create, update and delete operations, using MySQL as the backend storage database.
     II. Concepts
           1. Tenant (Project): the collection of resources owned by a person or a service. A Project can contain multiple Users, and each User uses the Project's resources according to the permissions assigned to it.
           2. User: has an account and password, can log in to the Dashboard, and can access authorized resources once bound to a Role.
           3. Credentials: the proof used to confirm a user's identity; this can be a username and password, a username and API key, or a Token.
           4. Token: a string that serves as the ticket for accessing resources. A Token encodes the resources that may be accessed within a given scope and validity period, and it expires.
           5. Role: used to partition permissions. Assigning a Role to a User grants that User the operations the Role allows. The Token that Keystone returns to the User carries the list of Roles, and the Service being accessed checks both the User and the Roles contained in the Token the User presents.
           6. Policy: controls which operations a User may perform on a Project's resources (including Services). For the Keystone service a Policy is a JSON file, by default /etc/keystone/policy.json.
           7. Authentication: the process of establishing a user's identity.
           8. Service: a component service running in OpenStack.
           9. Endpoint: the address, usually a URL, through which an OpenStack service is located and reached over the network. There are three kinds:
               1. admin url -> used by administrative users, port 35357
               2. internal url -> communication between OpenStack components (internal access), port 5000 (components talk to each other over RESTful APIs)
               3. public url -> address for all other users (global access), port 5000
     

    Install Keystone (controller node, node1)

    # Install Keystone
    yum -y install openstack-keystone httpd python3-mod_wsgi
    ---------------------------------------------# Initialise the database; Keystone connects to MySQL as user keystone with password keystone
    mysql -uroot -pmysql << EOF
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    IDENTIFIED BY 'keystone';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    IDENTIFIED BY 'keystone';
    EOF
    ---------------------------------------------# Edit the configuration
    crudini --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@node1/keystone
    crudini --set /etc/keystone/keystone.conf token provider fernet
    su -s /bin/sh -c "keystone-manage db_sync" keystone      # Populate the database as the keystone user; follow the log with tail -f /var/log/keystone/keystone.log
    ---------------------------------------------# Initialise the Fernet key repository
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone # log: tail -f /var/log/keystone/keystone.log
    ---------------------------------------------# Bootstrap the identity service, setting the admin password to openstack
    keystone-manage bootstrap --bootstrap-password openstack \
      --bootstrap-admin-url http://node1:5000/v3/ \
      --bootstrap-internal-url http://node1:5000/v3/ \
      --bootstrap-public-url http://node1:5000/v3/ \
      --bootstrap-region-id RegionOne
    ---------------------------------------------# Configure the Apache HTTP server
    sed -i "s/^#ServerName.*/ServerName node1/" /etc/httpd/conf/httpd.conf
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    systemctl enable httpd && systemctl start httpd
    ---------------------------------------------# Set the environment variables for the admin account; the password is the bootstrap password set above; run on node1
    export OS_USERNAME=admin
    export OS_PASSWORD=openstack
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://node1:5000/v3
    export OS_IDENTITY_API_VERSION=3
    ---------------------------------------------# Create a domain, projects, a user and a role; run on node1
    [root@node1 ~]# openstack domain create --description "An Example Domain" example
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 701640303418435baa051e2ed2c08527 |
    | name        | example                          |
    | options     | {}                               |
    | tags        | []                               |
    +-------------+----------------------------------+
    [root@node1 ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 434bacb9f788401cb0bcabd59819c59a |
    | is_domain   | False                            |
    | name        | service                          |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    [root@node1 ~]# openstack project create --domain default --description "Demo Project" myproject
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 33c9d4d47b1c4e7dbd5ac8860184972d |
    | is_domain   | False                            |
    | name        | myproject                        |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    [root@node1 ~]# openstack user create --domain default --password-prompt myuser # enter the password myuser1
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | bc0bf440efa548a282d501759d92d4b5 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@node1 ~]# openstack role create myrole
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | bd3bb4d332404f69849f47b9a160e46c |
    | name        | myrole                           |
    | options     | {}                               |
    +-------------+----------------------------------+
    [root@node1 ~]# openstack role add --project myproject --user myuser myrole
    ---------------------------------------------# Verify; run on node1
    unset OS_AUTH_URL OS_PASSWORD
    openstack --os-auth-url http://node1:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name admin --os-username admin token issue          # enter the admin password openstack
    openstack --os-auth-url http://node1:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name myproject --os-username myuser token issue     # enter the myuser password myuser1
    ---------------------------------------------# Create the credential files admin-openrc and demo-openrc
    cat > admin-openrc << EOF
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=openstack
    export OS_AUTH_URL=http://node1:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    EOF
    cat > demo-openrc << EOF
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=myproject
    export OS_USERNAME=myuser
    export OS_PASSWORD=myuser1
    export OS_AUTH_URL=http://node1:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    EOF
    ---------------------------------------------# Source the admin script and verify
    [root@node1 ~]# . admin-openrc 
    [root@node1 ~]# openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2022-03-01T07:36:16+0000                                                                                                                                                                |
    | id         | gAAAAABiHb7gdxXbdi8KBagN6ZiAUls9npS_o0ouEiJf1QW-B30Etz5Qpf1UE5agHqSQsSkXcTjDfgMQfjNuWJFMUUeBI__us7qhAdDWXGv5WPY30b0v6nnVTr5ZnlDJwPVzS416bTXjEeS3ev-8pVjK6LT1hjT969IOjzodwRGIPZePQvJgbio |
    | project_id | c827c773e36d4149a93196b371cebfd9                                                                                                                                                        |
    | user_id    | 5a44718261844cbd8a65621b9e3cea8d                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
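    The exchange behind `openstack token issue`, tied to the Token, Role and Endpoint concepts in the overview, as an added Python example that is not part of the original post: it builds the v3 scoped password-auth request from the openrc variables and parses a constructed sample response (the expiry time is the one shown above; the token id and catalog are placeholders).

```python
import json
from datetime import datetime, timezone

# Added example, not from the original post. Keystone answers
# POST /v3/auth/tokens with a JSON body plus an X-Subject-Token header;
# the sample below is constructed, with a placeholder token value.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-PLACEHOLDER-TOKEN"}
SAMPLE_BODY = {"token": {
    "expires_at": "2022-03-01T07:36:16.000000Z",
    "user": {"name": "myuser", "domain": {"name": "Default"}},
    "project": {"name": "myproject", "domain": {"name": "Default"}},
    "roles": [{"name": "myrole"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "http://node1:5000/v3/"},
        {"interface": "internal", "url": "http://node1:5000/v3/"},
        {"interface": "admin", "url": "http://node1:5000/v3/"}]}]}}

def build_auth_request(env):
    """Body of the scoped password-auth request, from openrc-style variables."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}}},
        # Project scope: without it Keystone issues an unscoped token
        # that carries no roles and no service catalog.
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}

def _utc(ts):
    """Parse Keystone's UTC timestamps ('...Z', with or without microseconds)."""
    ts = ts.replace("Z", "")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def parse_token_response(body, headers, now=None):
    """Extract what a service checks on a token: id, validity, project, roles,
    and each service's endpoint URL by interface (admin/internal/public)."""
    token = body["token"]
    now_dt = _utc(now) if now else datetime.now(timezone.utc)
    endpoints = {(svc["type"], ep["interface"]): ep["url"]
                 for svc in token.get("catalog", []) for ep in svc["endpoints"]}
    return {"id": headers["X-Subject-Token"],
            "valid": now_dt < _utc(token["expires_at"]),
            "project": token.get("project", {}).get("name"),
            "roles": sorted(r["name"] for r in token.get("roles", [])),
            "endpoints": endpoints}

if __name__ == "__main__":
    env = {"OS_USERNAME": "myuser", "OS_USER_DOMAIN_NAME": "Default",
           "OS_PASSWORD": "myuser1", "OS_PROJECT_NAME": "myproject",
           "OS_PROJECT_DOMAIN_NAME": "Default"}
    print(json.dumps(build_auth_request(env), indent=2))
    print(parse_token_response(SAMPLE_BODY, SAMPLE_HEADERS, now="2022-03-01T06:36:16Z"))
```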
    

  • Original post: https://www.cnblogs.com/djoker/p/15955235.html