I. Identity service overview
The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and the service catalog. Other OpenStack services use the Identity service as a common unified API. In addition, services that provide user information but are not part of OpenStack (such as LDAP services) can be integrated into pre-existing infrastructure.
To benefit from the Identity service, other OpenStack services need to collaborate with it. When an OpenStack service receives a request from a user, it asks the Identity service to verify whether that user is authorized to make the request. The Identity service consists of these components:
- Server: a centralized server provides authentication and authorization services through a RESTful interface.
- Drivers: drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, and they may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
- Modules: middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user's credentials, and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).
When you install the OpenStack Identity service, you must register it with every service in your OpenStack installation. Only then can the Identity service track which OpenStack services are installed and locate them on the network.
II. Installation and configuration
1. Create the database
(1) Connect to the database server as the root user
[root@controller ~]# mysql -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
(2) Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
(3) Grant the appropriate privileges on the keystone database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
2. Install the packages
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller ~]# cd /etc/keystone/
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini policy.json
keystone.conf logging.conf sso_callback_template.html
3. Generate a random value to use as the administration token during the initial configuration
[root@controller keystone]# openssl rand -hex 10
8de2ba44be7bdf6dde76
4. Edit the /etc/keystone/keystone.conf file
[root@controller keystone]# vim keystone.conf
Define the value of the initial administration token:
[DEFAULT]
admin_token = 8de2ba44be7bdf6dde76
Configure database access:
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
Configure the Fernet UUID token provider:
[token]
provider = fernet
5. Populate the Identity service database:
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
6. Log in to the database and inspect it
[root@controller keystone]# mysql -p keystone
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
37 rows in set (0.00 sec)
7. Initialize the Fernet keys
[root@controller keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini sso_callback_template.html
fernet-keys logging.conf
keystone.conf policy.json
8. Inspect the Fernet keys
[root@controller keystone]# cd fernet-keys/
[root@controller fernet-keys]# ls
0 1
[root@controller fernet-keys]# ll
total 8
-rw------- 1 keystone keystone 44 Jun 23 11:25 0
-rw------- 1 keystone keystone 44 Jun 23 11:25 1
9. Configure the Apache HTTP server
(1) Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node
[root@controller fernet-keys]# vim /etc/httpd/conf/httpd.conf
ServerName controller
(2) Create the file /etc/httpd/conf.