Factors to consider in cloud security
1. Data security
The cloud provider must protect tenants' data from theft or loss. Core mechanisms: strong encryption and sound key management.
2. Identity and access management security
Effective identity and access control.
3. Virtualization security
Isolation of virtual machines and secure control of the traffic between them.
4. Infrastructure security
Security of the core IT infrastructure (servers, storage, network) and of the links between those components.
What Keystone does and how it works
Overview
Keystone is the OpenStack Identity Service, a standalone module that provides authentication and authorization for the rest of OpenStack. Its main jobs:
authenticating OpenStack users, managing tokens, serving a catalog of the services and endpoints a user may reach, and enforcing role-based access control.
Basic Keystone concepts
- User: a person, a system, or another service that accesses OpenStack services through Keystone.
- Tenant (project): an organization or project; a tenant is the set of resources in the various services that can be accessed. Before a user can act in a tenant, the user must be associated with it and given a role in it.
- Role: the roles a user holds; different roles carry different permissions. A user can only exercise, within the current tenant, the permissions that the role grants in that tenant.
- Service: Nova, Swift, Glance, Cinder and so on. From the User, Tenant and Role, a service decides whether the current user may access its resources.
- Endpoint: a network address (normally a URL) through which a specific service is reached; to call a service you must know its endpoint. Three kinds of URL are registered:
  Public URL: the endpoint offered to everyone;
  Internal URL: the endpoint used for traffic between services;
  Admin URL: the endpoint used by administrators.
- Token: what a user obtains, from a credential, for a given tenant; it carries an issue time and an expiry time.
Keystone provides the following services:
1. Authentication: verifies a user's username and password.
2. Token: after authentication, issues the user a token with which to prove identity and request resources.
3. Catalog: a lookup directory of services, that is, the list of access endpoints for each service.
4. Policy: a rule-based authorization engine; a configuration file (policy.json) maps each action to the user roles allowed to perform it.
Through these, Keystone is the bridge between users and services:
- the user obtains a token and the service list from Keystone;
- when calling a service, the user sends the token with the request;
- the service asks Keystone to confirm that the token is valid.
How Keystone works
Creating a virtual machine, as an example:
1. Authentication: the user sends credentials to Keystone; on success Keystone returns an unscoped token (token1) and the service catalog.
2. Tenant lookup: using token1, the user asks Keystone which tenants it belongs to; Keystone validates token1 and returns the user's tenant list.
3. The user picks a tenant and sends credentials to Keystone again to request a token scoped to that tenant; on success Keystone returns token2, which carries the user's roles in that tenant.
4. The user selects the compute endpoint from the catalog and sends the create-VM request, with token2, to Nova. Nova asks Keystone whether token2 is valid and checks against its policy that the token's roles permit creating a VM;
only then does it create the virtual machine.
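The four steps above, and the ways they fail, as an added model that is not Keystone's own code. It keeps an in-memory identity service issuing random UUID tokens (the uuid provider configured later on this page), a Nova-like service that never sees passwords and only asks Keystone about tokens, and a constructed catalog with the endpoints this page registers; the compute URL, user names, passwords and the `clock_state` dictionary are assumptions made for the example.

```python
"""Model of the Keystone token flow: unscoped token, tenant list,
project-scoped token, service-side validation, expiry and revocation."""
import uuid
from dataclasses import dataclass
from typing import Optional, Tuple

TOKEN_TTL = 3600          # Keystone's default token lifetime, in seconds


@dataclass
class Token:
    user: str
    project: Optional[str]      # None means unscoped (steps 1 and 2)
    roles: Tuple[str, ...]      # the user's roles in that project
    expires: float
    revoked: bool = False


class Keystone:
    """Identity service: credentials in, tokens and a catalog out."""

    def __init__(self, clock):
        self.clock = clock          # callable returning "now"; injected so expiry can be tested
        self.users = {}             # name -> password (plaintext only in this model)
        self.assignments = {}       # (user, project) -> set of roles
        self.tokens = {}            # token id -> Token
        self.catalog = {            # constructed; mirrors the endpoints created on this page
            "identity": {"public": "http://controller:5000/v2.0",
                         "admin": "http://controller:35357/v2.0"},
            "compute": {"public": "http://controller:8774/v2"},   # assumed Nova endpoint
        }

    def create_user(self, name, password):
        self.users[name] = password

    def grant(self, user, project, role):
        self.assignments.setdefault((user, project), set()).add(role)

    def authenticate(self, user, password, project=None):
        """Steps 1 and 3: credentials -> token. project=None gives an unscoped
        token; otherwise the token carries the user's roles in that project."""
        if self.users.get(user) != password:
            raise PermissionError("invalid credentials")
        roles = ()
        if project is not None:
            if (user, project) not in self.assignments:
                raise PermissionError(f"{user} is not a member of {project}")
            roles = tuple(sorted(self.assignments[(user, project)]))
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = Token(user, project, roles, self.clock() + TOKEN_TTL)
        return token_id, self.catalog

    def validate(self, token_id):
        """What a service asks Keystone: is the token known, unexpired, unrevoked?"""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked or tok.expires <= self.clock():
            raise PermissionError("token is unknown, revoked or expired")
        return tok

    def list_tenants(self, token_id):
        """Step 2: with an unscoped token, list the projects the user may scope to."""
        tok = self.validate(token_id)
        return sorted(p for (u, p) in self.assignments if u == tok.user)

    def revoke(self, token_id):
        self.tokens[token_id].revoked = True    # every later validation fails


class Nova:
    """Compute service: trusts Keystone for token validation, nothing else."""

    def __init__(self, keystone):
        self.keystone = keystone
        self.servers = []

    def create_server(self, token_id, project, name):
        tok = self.keystone.validate(token_id)
        if tok.project != project:      # unscoped, or scoped to another project: refused
            raise PermissionError("token is not scoped to this project")
        self.servers.append((project, tok.user, name))
        return name


def run_flow(clock_state):
    """Drive the four steps plus the failure modes; return what happened."""
    ks = Keystone(lambda: clock_state["now"])
    ks.create_user("demo", "demo-pass")         # constructed credentials
    ks.grant("demo", "demo", "user")
    ks.create_user("admin", "admin-pass")
    ks.grant("admin", "admin", "admin")
    nova = Nova(ks)

    token1, catalog = ks.authenticate("demo", "demo-pass")         # step 1: unscoped
    tenants = ks.list_tenants(token1)                               # step 2
    token2, _ = ks.authenticate("demo", "demo-pass", tenants[0])    # step 3: scoped
    compute_url = catalog["compute"]["public"]                      # step 4: pick endpoint
    created = nova.create_server(token2, "demo", "vm1")

    def refused(fn):
        try:
            fn()
        except PermissionError:
            return True
        return False

    out = {"tenants": tenants, "created": created, "compute_url": compute_url,
           "unscoped_refused": refused(lambda: nova.create_server(token1, "demo", "vm2")),
           "other_project_refused": refused(lambda: nova.create_server(token2, "admin", "vm3")),
           "bad_password_refused": refused(lambda: ks.authenticate("demo", "wrong"))}
    token3, _ = ks.authenticate("demo", "demo-pass", "demo")
    ks.revoke(token3)
    out["revoked_refused"] = refused(lambda: ks.validate(token3))
    clock_state["now"] += TOKEN_TTL + 1                             # let token2 expire
    out["expired_refused"] = refused(lambda: nova.create_server(token2, "demo", "vm4"))
    return out


if __name__ == "__main__":
    print(run_flow({"now": 0.0}))
```

The point to take from the model: the service holds no secrets of its own, so everything rests on the token check being done on every request and on Keystone honouring expiry and its revocation list; a token scoped to one project buys nothing in another.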
Installing Keystone
- 1. Create the database (the password keystone used below is a placeholder; use a dedicated, strong password on a real deployment)
mysql -e "CREATE DATABASE keystone;"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
- 2. Generate a random bootstrap token (it becomes admin_token and is only meant to be used until the admin user and the endpoints exist)
#openssl rand -hex 10
9776252a40ab6d597ae1
- 3. Install the packages (keystone, httpd, memcached)
yum -y install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached openstack-utils
- 4. Start memcached and enable it at boot
systemctl enable memcached.service
systemctl restart memcached.service
Configuring Keystone and the Apache HTTP server
- Configure Keystone
Set admin_token to the random value generated above. The memcache server list belongs in the [memcache] section, not [DEFAULT]; the token driver below reads it from there.
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token 9776252a40ab6d597ae1
openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:keystone@10.0.0.11/keystone
openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
openstack-config --set /etc/keystone/keystone.conf token provider keystone.token.providers.uuid.Provider
openstack-config --set /etc/keystone/keystone.conf token driver keystone.token.persistence.backends.memcache.Token
openstack-config --set /etc/keystone/keystone.conf revoke driver keystone.contrib.revoke.backends.sql.Revoke
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose True
Initialize the Keystone database
su -s /bin/sh -c "keystone-manage db_sync" keystone
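A check worth running on the result of the steps above, as an added example that is not part of the original guide or of Keystone: it parses keystone.conf and keystone-paste.ini text and reports the settings a reviewer would flag before the node goes live. The two configuration strings are constructed to look like the files under /etc/keystone/ at this point of the procedure (the real keystone-paste.ini pipelines carry more filters than shown), the bootstrap-token length threshold and the placeholder names are my assumptions, and the `admin_token_auth` filter is the one that should be removed from the paste pipelines once the admin user and endpoints exist.

```python
"""Audit Keystone's keystone.conf and keystone-paste.ini for the settings
that matter for security after an install like the one above."""
import configparser
import re

# Constructed sample: keystone.conf right after the openstack-config commands,
# with the memcache 'servers' option mistakenly placed in [DEFAULT].
KEYSTONE_CONF_FRESH = """\
[DEFAULT]
admin_token = 9776252a40ab6d597ae1
servers = localhost:11211
verbose = True
[database]
connection = mysql://keystone:keystone@10.0.0.11/keystone
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
"""

# Constructed sample: the same file after fixing the findings (database
# password is a placeholder chosen for the example).
KEYSTONE_CONF_HARDENED = """\
[DEFAULT]
admin_token = 9776252a40ab6d597ae1
verbose = True
[database]
connection = mysql://keystone:Xy7-constructed-db-pass@10.0.0.11/keystone
[memcache]
servers = localhost:11211
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
"""

# Constructed sample of the three pipelines in keystone-paste.ini as shipped:
# admin_token_auth is still present in each of them.
PASTE_INI_FRESH = """\
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")


def _parse(text):
    # A non-default default_section makes [DEFAULT] an ordinary section, so
    # its options are not silently inherited by [memcache] and friends.
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.read_string(text)
    return cp


def audit(keystone_conf, paste_ini):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ks = _parse(keystone_conf)
    token = ks.get("DEFAULT", "admin_token", fallback="")
    if token in ("", "ADMIN_TOKEN") or len(token) < 20:   # 20 hex chars = openssl rand -hex 10
        findings.append("admin_token is unset, a placeholder, or shorter than 20 hex characters")
    if ks.has_option("DEFAULT", "servers"):
        findings.append("'servers' sits in [DEFAULT]; memcache servers belong in [memcache]")
    if "memcache" in ks.get("token", "driver", fallback="") and not ks.has_option("memcache", "servers"):
        findings.append("token driver is memcache but [memcache] servers is not set")
    conn = ks.get("database", "connection", fallback="")
    m = re.match(r"[^:]+://([^:]+):([^@]+)@", conn)
    if m and m.group(1) == m.group(2):
        findings.append("database password equals the username; set a dedicated password")
    paste = _parse(paste_ini)
    for section in PIPELINES:
        if "admin_token_auth" in paste.get(section, "pipeline", fallback="").split():
            findings.append(f"admin_token_auth still enabled in [{section}]")
    return findings


def harden_paste(paste_ini):
    """Return paste_ini with admin_token_auth dropped from every pipeline line."""
    out = []
    for line in paste_ini.splitlines():
        if line.startswith("pipeline ="):
            line = " ".join(f for f in line.split() if f != "admin_token_auth")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(KEYSTONE_CONF_FRESH, PASTE_INI_FRESH):
        print("FINDING:", f)
    print("after hardening:", audit(KEYSTONE_CONF_HARDENED, harden_paste(PASTE_INI_FRESH)))
```

On a real node, read the two files from /etc/keystone/ into the strings instead of the samples; the admin_token_auth finding is the important one, because while that filter is in the pipeline, whoever reads the token out of keystone.conf has full administrative access without a user, password or role.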
- Configure the Apache HTTP server
httpd.conf
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
wsgi-keystone.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf <<OFF
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
OFF
WSGI entry scripts (the same keystone.py serves both the public and the admin entry point)
mkdir -p /var/www/cgi-bin/keystone
curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*
Start httpd and enable it at boot
systemctl enable httpd.service
systemctl restart httpd.service
systemctl status httpd.service
Creating the Keystone service and API endpoints
- Set the environment variables (the bootstrap token and the admin URL; every openstack command below authenticates with this token until the variables are unset)
export OS_TOKEN=9776252a40ab6d597ae1
export OS_URL=http://controller:35357/v2.0
- Create the keystone service
openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 9bf7353187aa4388af91765718a7bad3 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
- Create the keystone endpoint
openstack endpoint create \
--publicurl http://controller:5000/v2.0 \
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region RegionOne \
identity
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 |
| id | a6025f5b403e41e0babc652564678d9e |
| internalurl | http://controller:5000/v2.0 |
| publicurl | http://controller:5000/v2.0 |
| region | RegionOne |
| service_id | 9bf7353187aa4388af91765718a7bad3 |
| service_name | keystone |
| service_type | identity |
+--------------+----------------------------------+
Creating projects, users and roles
- Create the admin project
openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| enabled | True |
| id | 6655a8db1705461384c78137e5e87c17 |
| name | admin |
+-------------+----------------------------------+
- Create the admin user
openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 9ba6768a31c64aa2904845f7c20ef59e |
| name | admin |
| username | admin |
+----------+----------------------------------+
- Create the admin role
openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 53e5d390efe84b948ba5718f116b4861 |
| name | admin |
+-------+----------------------------------+
- Assign the admin role to the admin user in the admin project
openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 53e5d390efe84b948ba5718f116b4861 |
| name | admin |
+-------+----------------------------------+
- Create the service project
This guide uses a service project that contains a unique user for each service that you add to your environment.
openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| enabled | True |
| id | aeff31522d2b493cbe8b0e3cdf44b9dd |
| name | service |
+-------------+----------------------------------+
- Create the demo project
Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| enabled | True |
| id | 453b044bd6704d509423c992880184da |
| name | demo |
+-------------+----------------------------------+
openstack user create --password-prompt demo
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 1ec121d596c142d18d81064b17512a32 |
| name | demo |
| username | demo |
+----------+----------------------------------+
openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 4a3f8fe61d59456e876a92a9c53d0b81 |
| name | user |
+-------+----------------------------------+
openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 4a3f8fe61d59456e876a92a9c53d0b81 |
| name | user |
+-------+----------------------------------+
Verifying the service
- Unset the bootstrap variables. Before doing so, disable the bootstrap mechanism itself: remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of /etc/keystone/keystone-paste.ini. While it stays enabled, anyone who reads admin_token out of keystone.conf has full administrative access with no user, password or role.
unset OS_TOKEN OS_URL
- Verify with an admin token (Identity API v2.0)
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:25:09Z |
| id | 2e06ec10f395438c9d87c93c0a36ef54 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
- Verify with an admin token (Identity API v3)
openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:26:32.326481Z |
| id | 5875fd684d9d4092996a68b45ed65b05 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
- List the projects created
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
project list
Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 453b044bd6704d509423c992880184da | demo |
| 6655a8db1705461384c78137e5e87c17 | admin |
| aeff31522d2b493cbe8b0e3cdf44b9dd | service |
+----------------------------------+---------+
- List the users created
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
user list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9ba6768a31c64aa2904845f7c20ef59e | admin |
| 1ec121d596c142d18d81064b17512a32 | demo |
+----------------------------------+-------+
- List the roles created
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
role list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4a3f8fe61d59456e876a92a9c53d0b81 | user |
| 53e5d390efe84b948ba5718f116b4861 | admin |
+----------------------------------+-------+
- Request a token as demo (Identity API v3)
openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:31:21.431270Z |
| id | 83442092b3ad4903ab4395efcb06b585 |
| project_id | 453b044bd6704d509423c992880184da |
| user_id | 1ec121d596c142d18d81064b17512a32 |
+------------+----------------------------------+
- List users as demo (checks that roles are enforced): the user role does not satisfy the admin_required policy rule, so Keystone refuses the request
openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
user list
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-11dbd684-6922-44e9-97f1-2048b2407a74)
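The 403 above is the policy engine at work. What follows is an added example, not Keystone's or oslo.policy's code: a small evaluator for the rule syntax of /etc/keystone/policy.json, run against a constructed excerpt in that syntax (the real file lists many more identity:* actions, and parenthesised sub-expressions are not handled here). The user IDs are the ones printed earlier on this page; `ADMIN_TOKEN_CREDS` is my rendering of the credentials a request authenticated with the bootstrap admin_token carries, namely no user and no roles but is_admin set.

```python
"""Evaluate policy.json rules the way Keystone's 403 above was decided."""
import json

# Constructed excerpt in the shape of Keystone's policy.json.
POLICY = json.loads("""{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_required",
    "identity:change_password": "rule:admin_or_owner",
    "identity:validate_token": "rule:service_or_admin"
}""")


def check(expr, creds, target):
    """Evaluate one rule expression. 'or' binds loosest, then 'and'; leaves
    are rule:<name>, role:<name>, is_admin:1, or <attr>:%(<target_field>)s."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True                     # always allow
    if expr == "!":
        return False                    # always deny
    if " or " in expr:
        return any(check(p, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(POLICY[value], creds, target)        # named rule, evaluated recursively
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "is_admin":
        return bool(creds.get("is_admin")) and value == "1"
    if value.startswith("%(") and value.endswith(")s"):   # compare a credential to a target field
        return str(creds.get(kind)) == str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value                  # literal attribute match


def enforce(action, creds, target=None):
    """True if creds may perform action. Unknown actions are denied here;
    Keystone itself falls back to its 'default' rule."""
    rule = POLICY.get(action)
    return False if rule is None else check(rule, creds, target or {})


def creds_from_token(user_id, roles):
    """Credentials a project-scoped token yields: the user's roles in that project."""
    return {"user_id": user_id, "roles": tuple(roles), "is_admin": False}


# Assumed shape of the credentials produced by bootstrap admin_token authentication.
ADMIN_TOKEN_CREDS = {"roles": (), "is_admin": True}

# The two users created on this page, with the roles assigned above.
ADMIN = creds_from_token("9ba6768a31c64aa2904845f7c20ef59e", ["admin"])
DEMO = creds_from_token("1ec121d596c142d18d81064b17512a32", ["user"])

if __name__ == "__main__":
    print("admin list_users:", enforce("identity:list_users", ADMIN))
    print("demo  list_users:", enforce("identity:list_users", DEMO))          # the 403 above
    print("demo  own password:", enforce("identity:change_password", DEMO, {"user_id": DEMO["user_id"]}))
    print("admin_token list_users:", enforce("identity:list_users", ADMIN_TOKEN_CREDS))
```

Two things the evaluator makes visible: the demo refusal comes from `identity:list_users` resolving to `admin_required`, which the user role cannot satisfy, and the `is_admin:1` branch of that same rule is what lets a bare admin_token pass every admin check, which is why the filter is removed after bootstrapping.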
Creating the admin-openrc.sh environment file
- Create admin-openrc.sh (replace ADMIN_PASS with the admin password; the file holds a cleartext credential, so make it readable by its owner only, e.g. mode 0600, and keep it out of version control)
cat > admin-openrc.sh << OFF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
OFF
- Usage
source admin-openrc.sh
openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:36:55.775786Z |
| id | e8edf46d77a94d108c6939ad89f0e098 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
Keystone service summary
Item | Value |
---|---|
Service name | keystone |
Configuration file | /etc/keystone/keystone.conf |
Log files | /var/log/keystone/keystone.log, plus /var/log/httpd/keystone-error.log and /var/log/httpd/keystone-access.log from the vhost configuration above |
Public URL | http://controller:5000/v2.0 |
Internal URL | http://controller:5000/v2.0 |
Admin URL | http://controller:35357/v2.0 |