These notes are based on the 老男孩 video course plus the official documentation, recorded as I learn; if there are mistakes or omissions, feel free to point them out when you are in a good mood.
Video: https://www.bilibili.com/video/BV1LJ411Y7og?p=12
Identity service (keystone)
The identity service has three main functions: authentication management, authorization management, and the service catalog.
Authentication management: provides the mechanism (account and password) by which the various components authenticate when they interact.
Authorization management: authorizes the other components so that they can interact with each other.
Service catalog: makes it easy for services to reach one another by collecting and managing the URLs of all services. (Think of keystone as a browser and the service URLs as bookmarks: once the browser is open, reaching a site quickly is just a matter of opening the bookmark, with no need to type the address again.)
Create the database and grant privileges
[root@controller01 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'kbI2PxpvAYKF0Ob1X2B2';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'kbI2PxpvAYKF0Ob1X2B2';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]>
Install the keystone packages
yum install openstack-keystone httpd mod_wsgi
PS: mod_wsgi is an Apache extension module (many Apache modules are named mod_*); it lets Apache host Python applications.
Edit the configuration file
To make the configuration easier to edit and read, first back up the original keystone configuration file, then filter out everything except the uncommented settings and write that back as the configuration file.
[root@controller01 ~]# cd /etc/keystone/
[root@controller01 keystone]# ls
default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html
[root@controller01 keystone]# cp keystone.conf keystone.conf.bak
[root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
[tokenless_auth]
[trust]
[root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak >keystone.conf
Start editing the configuration
1. In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = wYRv9PbPlZZzCV49lr6g
While keystone has no users yet, this default admin token is used to perform management operations.
2. In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:kbI2PxpvAYKF0Ob1X2B2@controller01/keystone
# key name | mysql access protocol | keystone user and password | host to connect to | database to use
Because the configuration refers to the database host by host name, this is where the /etc/hosts name resolution configured at the very beginning shows its purpose (see note ①).
3. In the [token] section, configure the Fernet token provider; in other words, choose the method by which tokens are generated.
[token]
...
provider = fernet
Refer to the diagram below to understand how keystone's token authentication works.
Image source: Huawei official certification slides plus my own notes from studying.
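The three edits above can be applied and checked from a script instead of by hand. The following is an added example (not part of the original notes, and not keystone's own tooling): a small POSIX sh helper that sets a key inside an INI section idempotently, applied to a constructed copy of a stripped keystone.conf. The function names (ini_set, ini_get, apply_keystone_settings), the placeholder token and connection string, and the temporary file path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: idempotent INI edits for a stripped keystone.conf.
# Assumes the file has already had comments/blank lines removed
# (grep -Ev '^$|#' as in the notes) and each section header appears once.

# ini_set FILE SECTION KEY VALUE
# Replace "KEY = ..." inside [SECTION]; if the key is absent, add it to the
# section; if the section is absent, append it first. Duplicate definitions of
# KEY inside the section collapse into the single new line.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp="$file.tmp.$$"
    grep -q "^\[$section\]\$" "$file" || printf '[%s]\n' "$section" >> "$file"
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[/ {                                 # section header
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 == "[" s "]")
            print; next
        }
        insec && $0 ~ ("^" k "[ \t]*=") {       # existing definition of KEY
            if (!done) { print k " = " v; done = 1 }
            next
        }
        { print }
        END { if (insec && !done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ini_get FILE SECTION KEY -> prints the value, or nothing if unset
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { insec = ($0 == "[" s "]"); next }
        insec && $0 ~ ("^" k "[ \t]*=") {
            sub("^" k "[ \t]*=[ \t]*", ""); print; exit
        }
    ' "$1"
}

# apply_keystone_settings CONF ADMIN_TOKEN DB_CONNECTION
# The three settings the notes make: bootstrap token, database URL, fernet tokens.
apply_keystone_settings() {
    ini_set "$1" DEFAULT admin_token "$2"
    ini_set "$1" database connection "$3"
    ini_set "$1" token provider fernet
}

# Stand-alone demo on a constructed sample file (placeholder secrets, not the
# values from the notes); the same functions work on /etc/keystone/keystone.conf.
demo_conf=${TMPDIR:-/tmp}/keystone-conf-demo.$$
printf '[DEFAULT]\n[database]\n[token]\nprovider = uuid\n' > "$demo_conf"
apply_keystone_settings "$demo_conf" 'EXAMPLE_ADMIN_TOKEN' \
    'mysql+pymysql://keystone:EXAMPLE_DB_PASSWORD@controller01/keystone'
cat "$demo_conf"
rm -f "$demo_conf"
```

One caveat on the stripping step the notes use: grep -Ev '^$|#' drops every line that contains a # anywhere, not only comment lines, so a connection string whose password contains # would disappear with it. Keep the .bak copy until the trimmed file has been checked.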
Populate the database
Check the database state
[root@controller01 keystone]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone;
Database changed
MariaDB [keystone]> show tables;
Empty set (0.00 sec)
As you can see, the database is currently empty.
Sync the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
su stands for Switch User.
-s shell or --shell=shell specifies the shell to run (bash, csh, tcsh, etc.); here it is /bin/sh.
/bin/sh -c: command is followed by a string, which can be any command we would normally run; for example, sh -c "ls -l" is equivalent to running ls -l directly.
In summary, this command amounts to running keystone-manage db_sync under the /bin/sh shell, with keystone given as the final argument.
- When I ran this command, it failed! When I configured the keystone database connection I had set the host name to controller, which did not match the host name in the hosts resolution configured earlier, and that caused the error.
2021-10-14 12:00:25.941 4480 CRITICAL keystone [-] DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno -2] Name or service not known)")
After changing the host name and rerunning the command, it succeeded.
After the command has run, check that the database tables were created correctly.
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller01 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
37 rows in set (0.00 sec)
The tables have been created correctly, which shows the command succeeded.
Initialize the identity service (Fernet keys)
Before initialization there is no directory under /etc/keystone/.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# ll /etc/keystone
total 104
-rw-r----- 1 root keystone 2303 Feb 1 2017 default_catalog.templates
-rw-r----- 1 root keystone 677 Oct 14 13:00 keystone.conf
-rw-r----- 1 root root 73101 Oct 14 11:04 keystone.conf.bak
-rw-r----- 1 root keystone 2400 Feb 1 2017 keystone-paste.ini
-rw-r----- 1 root keystone 1046 Feb 1 2017 logging.conf
-rw-r----- 1 keystone keystone 9699 Feb 1 2017 policy.json
-rw-r----- 1 keystone keystone 665 Feb 1 2017 sso_callback_template.html
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# !ll
ll /etc/keystone
total 104
-rw-r----- 1 root keystone 2303 Feb 1 2017 default_catalog.templates
drwx------ 2 keystone keystone 24 Oct 14 15:25 fernet-keys # this directory is generated once initialization completes
-rw-r----- 1 root keystone 677 Oct 14 13:00 keystone.conf
-rw-r----- 1 root root 73101 Oct 14 11:04 keystone.conf.bak
-rw-r----- 1 root keystone 2400 Feb 1 2017 keystone-paste.ini
-rw-r----- 1 root keystone 1046 Feb 1 2017 logging.conf
-rw-r----- 1 keystone keystone 9699 Feb 1 2017 policy.json
-rw-r----- 1 keystone keystone 665 Feb 1 2017 sso_callback_template.html
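The listing above shows the key repository created as drwx------ keystone keystone. Because these Fernet keys can mint and validate every token the service issues, a check of their ownership and mode belongs in any post-install review. The function below is an added example (not from the notes and not part of keystone): it verifies that a repository directory is 0700 and every key file inside it is 0600, all owned by the expected account. The function names check_fernet_repo and mode_owner and the owner argument are assumptions; the stand-alone demo at the bottom runs on a constructed directory rather than /etc/keystone/fernet-keys.

```shell
#!/bin/sh
# Added example: audit a Fernet key repository's ownership and permissions.
# Expected layout (from the listing in the notes): directory 0700, owned by the
# keystone user, containing numbered key files that should be 0600.

# mode_owner PATH -> prints "<10-char mode> <owner>" taken from ls -ld; the
# trailing SELinux '.' or ACL '+' marker some systems append is cut off.
mode_owner() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "$(printf '%s' "$1" | cut -c1-10)" "$3"
}

# check_fernet_repo DIR OWNER
# Returns 0 when DIR is drwx------ owned by OWNER, contains at least one key
# file, and every file in it is -rw------- owned by OWNER; prints each problem.
check_fernet_repo() {
    dir=$1 owner=$2 rc=0 nkeys=0
    [ -d "$dir" ] || { echo "missing repository: $dir"; return 1; }
    [ "$(mode_owner "$dir")" = "drwx------ $owner" ] \
        || { echo "bad directory: $(mode_owner "$dir") $dir"; rc=1; }
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        nkeys=$((nkeys + 1))
        [ "$(mode_owner "$key")" = "-rw------- $owner" ] \
            || { echo "bad key file: $(mode_owner "$key") $key"; rc=1; }
    done
    [ "$nkeys" -gt 0 ] || { echo "no key files in $dir"; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed directory; on a real controller run
#   check_fernet_repo /etc/keystone/fernet-keys keystone
demo=${TMPDIR:-/tmp}/fernet-demo.$$
mkdir -p "$demo" && chmod 700 "$demo"
printf 'constructed-key-material\n' > "$demo/0" && chmod 600 "$demo/0"
check_fernet_repo "$demo" "$(id -un)" && echo "repository OK"
chmod 644 "$demo/0"                       # simulate a leaked key file mode
check_fernet_repo "$demo" "$(id -un)" || echo "repository NOT OK"
rm -rf "$demo"
```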
Configure httpd
- Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
echo "ServerName controller01" >> /etc/httpd/conf/httpd.conf
Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the following content.
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
Start the service
systemctl enable httpd.service
systemctl start httpd.service
Create the service and register the service API
There are no users yet, so the admin_token has to be used to create them.
Configure the authentication token; the TOKEN value is the one defined in the keystone configuration.
export OS_TOKEN=wYRv9PbPlZZzCV49lr6g
- Configure the endpoint URL
export OS_URL=http://controller01:35357/v3
- Configure the identity API version. The purpose of defining several versions is compatibility with historical releases; in fact the three versions v1, v2 and v3 can be used at the same time.
export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# export OS_TOKEN=wYRv9PbPlZZzCV49lr6g
[root@controller01 ~]# export OS_URL=http://controller01:35357/v3
[root@controller01 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# env |grep OS # once added, check that the corresponding variables are present in the environment
HOSTNAME=controller01
OS_IDENTITY_API_VERSION=3
OS_TOKEN=wYRv9PbPlZZzCV49lr6g
OS_URL=http://controller01:35357/v3
Create the service entity and the identity service:
- Create the service
[root@controller01 ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 5ec2d8fd92f147c2bb8520f51c3d800a |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
# --description "OpenStack Identity" is the description; adjust it as you see fit
- Create the identity service API endpoints
Only once the service exists can its URLs be created; here they are called endpoints.
PS: note that I use controller01 here because that is the host name I set in the resolution configuration at the start; if you configured a different host name, use that instead.
[root@controller01 ~]# openstack endpoint create --region RegionOne \
> identity public http://controller01:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c1f58d7efc744e9a8b17e4f5c2dc0c9a |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+
[root@controller01 ~]# openstack endpoint create --region RegionOne \
> identity internal http://controller01:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 86a037ae5a1c4154a03b6dadbb91910a |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+
[root@controller01 ~]# openstack endpoint create --region RegionOne \
> identity admin http://controller01:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 745d8e46a62d405594154a2a5d5a3689 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:35357/v3 |
+--------------+----------------------------------+
- The URLs created here differ by use; think of it as ordinary employees and managers using the controller01:5000 channel, while the chairman uses the controller01:35357 channel.
- public is the public interface, internal the internal one, and admin the administrator's.
Create the domain, project, user and role
- A domain can be thought of as a region or area, like the region you pick for a host when buying a cloud host from a cloud provider.
- A project (called a tenant in older versions): again borrowing the cloud provider concept, one logged-in user is one project, e.g. the user you are currently logged in as is xxx; cloud hosts in different projects are isolated from each other.
- A user can be thought of as a user, or rather a sub-user, under a project.
- A role is like the different managers among the sub-users, some with high privileges and some with low. In openstack the roles are hard-coded; there are only two, admin and user.
- Create the domain:
[root@controller01 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 8cba1e7341c14ab993124909c705919a |
| name | default |
+-------------+----------------------------------+
- Create the admin project
[root@controller01 ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 8cba1e7341c14ab993124909c705919a |
| enabled | True |
| id | cfb654cc503f4da8aaed7fde4a01c1f7 |
| is_domain | False |
| name | admin |
| parent_id | 8cba1e7341c14ab993124909c705919a |
+-------------+----------------------------------+
- Create the admin user
PS: note that the --password-prompt option is used, which asks for the password without echoing it.
The password I set is wYRv9PbPlZZzCV49lr6g, the same as keystone's default admin_token.
[root@controller01 ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 8cba1e7341c14ab993124909c705919a |
| enabled | True |
| id | 8e411763aa0541a9b302247f21c487c9 |
| name | admin |
+-----------+----------------------------------+
- Create the admin role
[root@controller01 ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | edf8fc933a084d518c6cc8695e6f61c8 |
| name | admin |
+-----------+----------------------------------+
The admin project, user and role created above are not yet associated with each other; this command links the three.
PS: read the command as: on the admin project, grant the admin user the admin role.
[root@controller01 ~]# openstack role add --project admin --user admin admin
Create a project dedicated to the system's own components; when the other components are installed later, their users will be added to this project.
[root@controller01 ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 8cba1e7341c14ab993124909c705919a |
| enabled | True |
| id | 46bc148e34444f83b2641ca2a41f19c9 |
| is_domain | False |
| name | service |
| parent_id | 8cba1e7341c14ab993124909c705919a |
+-------------+----------------------------------+
Verify the keystone service
Because by default we are still using the environment variables set up for keystone's admin token, some commands will fail.
[root@controller01 ~]# env |grep OS
HOSTNAME=controller01
OS_IDENTITY_API_VERSION=3
OS_TOKEN=wYRv9PbPlZZzCV49lr6g
OS_URL=http://controller01:35357/v3
[root@controller01 ~]# openstack token issue
'NoneType' object has no attribute 'service_catalog'
So a new set of environment variables needs to be configured.
In the official documentation: "For security reasons, disable the temporary authentication token mechanism:"
Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
Unset the OS_TOKEN and OS_URL environment variables:
$ unset OS_TOKEN OS_URL
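The admin_token is a single shared secret that grants full administrative access to whoever presents it, which is why the documentation has it removed from the request pipelines as soon as a real admin user exists. As an added example (not part of the notes and not keystone's own tooling), the functions below rewrite the pipeline lines of a keystone-paste.ini file, leave the [filter:admin_token_auth] definition in place, and then verify that no pipeline still references the filter. The function names, the temporary file path and the sample file at the bottom, which is a constructed and abbreviated stand-in for the real /etc/keystone/keystone-paste.ini, are assumptions.

```shell
#!/bin/sh
# Added example: strip admin_token_auth from every pipeline in keystone-paste.ini
# and confirm the bootstrap-token mechanism is no longer wired in.

# count_admin_token_pipelines FILE -> number of "pipeline = ..." lines that
# still contain the admin_token_auth filter (prints 0 and exits 0 when none).
count_admin_token_pipelines() {
    grep -E '^pipeline[ ]*=' "$1" | grep -c 'admin_token_auth' || true
}

# disable_admin_token_auth FILE
# Edits FILE in place (via a temp file, so it works with GNU and BSD sed) and
# returns 0 only if no pipeline references admin_token_auth afterwards.
# Only pipeline lines are touched; the [filter:admin_token_auth] section stays.
disable_admin_token_auth() {
    ini=$1 tmp="$1.tmp.$$"
    sed -e '/^pipeline[ ]*=/s/ admin_token_auth / /g' \
        -e '/^pipeline[ ]*=/s/ admin_token_auth$//' \
        "$ini" > "$tmp" && mv "$tmp" "$ini" || return 1
    [ "$(count_admin_token_pipelines "$ini")" -eq 0 ]
}

# Constructed, abbreviated sample (not the real file): the three pipelines the
# documentation names, each carrying admin_token_auth, plus the filter section
# that must remain so the file still parses.
sample_paste_ini='[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
'

# Stand-alone demo; on a controller run: disable_admin_token_auth /etc/keystone/keystone-paste.ini
demo=${TMPDIR:-/tmp}/keystone-paste-demo.$$
printf '%s' "$sample_paste_ini" > "$demo"
echo "pipelines using admin_token_auth before: $(count_admin_token_pipelines "$demo")"
disable_admin_token_auth "$demo" && echo "admin_token_auth disabled"
echo "pipelines using admin_token_auth after:  $(count_admin_token_pipelines "$demo")"
grep -E '^pipeline' "$demo"
rm -f "$demo"
```

After the edit httpd has to be restarted for the new pipelines to take effect, and unset OS_TOKEN OS_URL in the shell as the notes do; a token-based request against the edited service will then be rejected, which is the expected outcome.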
As the admin user, request an authentication token:
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
- This command specifies the endpoint to access, the domain, the domain user, the user and the role it accesses with; the final token issue requests a token. After it runs you are also prompted for the user's password.
- In other words, the whole long prefix is just parameters being loaded; without environment variables, every invocation has to carry that long prefix before you finally get to type the command you actually want, which is far too cumbersome.
But working with commands this way is complicated and error-prone, and this is a learning environment anyway,
so we use the more convenient method:
Write a new environment file for the admin user just created.
vim admin-openrc
[root@controller01 ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=wYRv9PbPlZZzCV49lr6g
export OS_AUTH_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
After each login, check whether the environment variables are present; if not, load them:
source admin-openrc
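admin-openrc stores the admin password in clear text and is sourced into every shell, so it is worth checking the file before each use rather than blindly sourcing it. The function below is an added example (not from the notes): it confirms the file is readable only by its owner, that every variable the password flow needs is exported, and that the bootstrap OS_TOKEN / OS_URL variables are not exported from it (leaving those set is what produced the 'service_catalog' error above). The function names audit_openrc and load_openrc, the required-variable list and the demo file with a placeholder password are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an admin-openrc file before sourcing it.

# Variables the password-based auth flow needs (matches the file in the notes).
REQUIRED_VARS='OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME
OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION'
# Bootstrap-only variables that must not be exported alongside a password.
FORBIDDEN_VARS='OS_TOKEN OS_URL'

# audit_openrc FILE -> 0 if all checks pass; each failure is printed.
audit_openrc() {
    f=$1 rc=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    # permissions: the group/other part of the ls -l mode string must be empty
    set -- $(ls -l "$f")
    case "$(printf '%s' "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "$f: readable by group/others ($1); chmod 600 it"; rc=1 ;;
    esac
    for v in $REQUIRED_VARS; do
        if ! grep -Eq "^export $v=.+" "$f"; then
            echo "$f: $v is not exported"; rc=1
        fi
    done
    for v in $FORBIDDEN_VARS; do
        if grep -Eq "^export $v=" "$f"; then
            echo "$f: remove $v (bootstrap only)"; rc=1
        fi
    done
    return $rc
}

# load_openrc FILE -> source FILE only after it passes the audit, and drop any
# bootstrap variables still present in the current shell.
load_openrc() {
    audit_openrc "$1" || return 1
    unset OS_TOKEN OS_URL
    . "$1"
}

# Stand-alone demo on a constructed file (placeholder password, not the one
# from the notes); on a controller run: load_openrc ~/admin-openrc
demo=${TMPDIR:-/tmp}/admin-openrc.demo.$$
cat > "$demo" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=EXAMPLE_PASSWORD
export OS_AUTH_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
chmod 600 "$demo"
OS_TOKEN=stale-bootstrap-token               # simulate a leftover bootstrap shell
load_openrc "$demo" && echo "loaded as $OS_USERNAME; OS_TOKEN is now '${OS_TOKEN:-unset}'"
rm -f "$demo"
```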