Reference: official configuration guide (http://docs.openstack.org/mitaka/install-guide-rdo/common/get_started_identity.html)
Introduction
OpenStack components all expose their APIs over HTTP, and any client can call them, which on its own is a serious security gap. Every request a client sends to an OpenStack API therefore has to be authenticated, so we need a service that issues a pass to the user for each request. That service is Keystone, and the pass is the token. A token is a piece of data issued by Keystone that stands in for a valid username/password combination and that is usually valid for only a few hours or minutes, so it is both safer and more practical than sending the password on every request or keeping it in environment variables. Note that a token is a bearer credential: anyone holding it can act as the user until it expires, so treat it like a password for its lifetime.
Short version:
Detailed version:
Fernet tokens have been available since Kilo (the K release). Unlike UUID tokens, which have to be persisted in the database, Fernet tokens need no persistence at all. Deployers enable them by setting provider = fernet in the [token] section of keystone.conf (older releases spelled this as the full class path keystone.token.providers.fernet.Provider); this is one of the options we configure below. Fernet tokens need symmetric encryption keys, which are created with keystone-manage fernet_setup and rotated periodically with keystone-manage fernet_rotate. In a multi-node (or multi-region) deployment these keys must be shared by all Keystone nodes, so that a token issued by one node can be validated immediately by any other. The key repository (/etc/keystone/fernet-keys by default) is as sensitive as a signing key: create it with --keystone-user keystone --keystone-group keystone so that only the keystone user can read it.
Create the database
Create a keystone database to hold the Identity service's data (users, tenants/projects, roles and so on); the temporary admin token used while bootstrapping Keystone is generated in the next step. The password 123456 below is a throwaway lab value: in a real deployment use a strong password (the guide's KEYSTONE_DBPASS placeholder), and avoid passing it on the mysql command line, where it ends up in shell history.
Command:
mysql -u root -p123456
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
exit
Output:
[root@controller my.cnf.d]# mysql -u root -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.1.12-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
[root@controller my.cnf.d]#
Generate the token
Generate a temporary admin token to be used only while bootstrapping Keystone. It is configured as admin_token in keystone.conf and, together with the admin_token_auth filter in keystone-paste.ini, lets anyone who knows it bypass normal authentication, so remove both once the service entities, endpoints and initial users have been created:
[root@controller my.cnf.d]# openssl rand -hex 10
e84dd5a8efe2a3b84ea9
[root@controller my.cnf.d]#
Install the components
1. Install openstack-keystone, httpd and mod_wsgi:
yum install openstack-keystone httpd mod_wsgi -y
2. Edit /etc/keystone/keystone.conf:
[DEFAULT]
...
admin_token = e84dd5a8efe2a3b84ea9
[database]
...
connection = mysql+pymysql://keystone:123456@controller.example.com/keystone
[token]
...
provider = fernet
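The three settings above (admin_token, the database connection URL and the token provider) are the ones that matter for security, and the first two must be revisited after bootstrap. The following POSIX sh script is an added example, not code from the original post or from Keystone itself: it parses a keystone.conf in oslo.config's INI syntax and audits exactly those settings, then runs itself against two constructed sample files (one mirroring this post's bootstrap configuration, one hardened). The function names, the sample files and the placeholder values KEYSTONE_DBPASS and controller.example.com are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Keystone): audit the
# keystone.conf settings edited in this section.
# Assumptions: oslo.config INI syntax ([section] headers, key = value,
# comment lines starting with '#' or ';'); function names, sample files and
# the placeholder values below are hypothetical.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/ { hdr = $0                              # section header
                      sub(/^[ \t]+/, "", hdr); sub(/[ \t]+$/, "", hdr)
                      in_sect = (hdr == ("[" sect "]")); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {         # first match wins
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# audit_keystone_conf FILE: return 0 when the file is safe to run with after
# bootstrap, 1 otherwise; prints one line per finding.
audit_keystone_conf() {
    f="$1"; rc=0

    # This install uses Fernet; anything else would make the key repository useless.
    provider=$(ini_get "$f" token provider)
    [ "$provider" = "fernet" ] ||
        { echo "FAIL: [token] provider is '$provider', expected fernet"; rc=1; }

    # admin_token lets anyone who knows it bypass authentication entirely; it
    # belongs in the file only during bootstrap and must be removed afterwards.
    [ -z "$(ini_get "$f" DEFAULT admin_token)" ] ||
        { echo "FAIL: [DEFAULT] admin_token is still set"; rc=1; }

    # The SQL URL embeds the DB password: require one and reject the lab value.
    conn=$(ini_get "$f" database connection)
    case "$conn" in
        "")         echo "FAIL: [database] connection is not set"; rc=1 ;;
        *:123456@*) echo "FAIL: database password is the throwaway 123456"; rc=1 ;;
    esac

    # The file holds secrets, so it must not be readable by other users.
    [ -z "$(find "$f" -perm -004)" ] ||
        { echo "FAIL: $f is world-readable"; rc=1; }

    return $rc
}

# make_sample_conf bootstrap|hardened: write a constructed keystone.conf (the
# bootstrap one mirrors this post, the hardened one is what it should look like
# once the temporary token is no longer needed) and print its path.
make_sample_conf() {
    out=$(mktemp "${TMPDIR:-/tmp}/keystone.conf.XXXXXX") || return 1
    if [ "$1" = "bootstrap" ]; then
        cat > "$out" <<'EOF'
[DEFAULT]
admin_token = e84dd5a8efe2a3b84ea9
[database]
connection = mysql+pymysql://keystone:123456@controller.example.com/keystone
[token]
provider = fernet
EOF
    else
        cat > "$out" <<'EOF'
[DEFAULT]
#admin_token = e84dd5a8efe2a3b84ea9
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller.example.com/keystone
[token]
provider = fernet
EOF
    fi
    echo "$out"
}

# Stand-alone run: audit both constructed samples.
for kind in bootstrap hardened; do
    conf=$(make_sample_conf "$kind")
    if audit_keystone_conf "$conf"; then echo "$kind: OK"; else echo "$kind: FAIL"; fi
    rm -f "$conf"
done
```

Against a real node, run audit_keystone_conf /etc/keystone/keystone.conf after the admin_token_auth filter has been removed from keystone-paste.ini; the bootstrap sample is expected to fail on the admin_token and password checks, the hardened one to pass.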
Overview (the trailing "# ..." notes are annotations for this post, not part of the file; oslo.config does not strip trailing comments, so do not paste them into keystone.conf):
[root@controller my.cnf.d]# cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$
[DEFAULT]
admin_token = e84dd5a8efe2a3b84ea9 #the random value generated with the openssl command above
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller.example.com/keystone #connect to the database on the controller node as the keystone user
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs