I have recently been studying OpenStack and am sharing the installation process for the Rocky release. Comments and corrections are welcome.
This section covers the installation and configuration of the Keystone identity component. It continues from the previous section: CentOS 7 manual OpenStack (Rocky) installation series, part 01.
*** All commands in this section are run on the controller node ***
1. Basic concepts
Keystone (OpenStack Identity Service) is one of the core components of OpenStack. It provides a unified authentication service for the other components, including identity verification, token issuance and validation, the service catalog, and the definition of user permissions. Keystone acts like a service bus: each service registers its Endpoint (the URL at which the service is reached) with Keystone, and any call between services first passes Keystone's authentication, obtains the target service's Endpoint, and only then makes the call. As OpenStack's foundational support service, Keystone's main responsibilities are built around the following concepts:
1.1 Terminology
User
A User is any entity that uses OpenStack: a real person, another system, or a service. When a User requests access to OpenStack, Keystone authenticates it.
Credentials
Credentials are the information a User presents to prove its identity. They can be: (1) a username/password (2) a Token (3) an API Key (4) other advanced methods
Authentication
Authentication is the process by which Keystone verifies a User's identity. When accessing OpenStack, the User submits Credentials in the form of a username and password to Keystone; once they are verified, Keystone issues the User a Token that serves as the Credential for subsequent requests. Note: Authentication is a process; when it succeeds, the party logging in is issued a Token.
Token
A Token is a string of digits and letters that Keystone assigns to a User after successful Authentication. When components call one another, the Token is used to check whether the caller is allowed to access them; a Token can only be used to authenticate operations on resources within its scope. (1) The Token is used as the Credential for accessing a Service (2) The Service verifies the Token's validity with Keystone (3) The Token's default validity period is 24 hours
Project
A Project groups and isolates OpenStack resources (compute, storage and network). It can represent a customer (tenant), a department or a project team. Notes: (1) Resources are owned by the Project, not by the User. (2) In the OpenStack UI and documentation the terms Tenant / Project / Account are used interchangeably, but the long-term preference is Project. (3) Every User (including admin) must belong to a Project to access that Project's resources; a User can belong to several Projects. (4) admin is equivalent to the root user and has the highest privileges.
Service
OpenStack Services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron) and others. Each Service exposes several Endpoints through which Users access resources and perform operations.
Endpoint
An Endpoint is a network-reachable address, usually a URL. A Service exposes its API through its Endpoints. Keystone manages and maintains the Endpoints of every Service.
Role
Keystone implements Authorization with Roles, which express what permissions a logged-in user has.
1.2 Keystone's part in the workflow, using VM creation as an example:
The general flow: the user first presents authentication information, such as a username and password, to Keystone. Keystone verifies it against the data in its database and, if it checks out, returns a token to the user; all subsequent requests from that user carry this token. When the user asks Nova for a virtual machine, Nova forwards the user's token to Keystone for verification; Keystone determines from the token whether the user is permitted to perform the operation, and if so Nova provides the requested service. The other components interact with Keystone in the same way.
2. Installing Keystone
2.1 The Keystone authentication service
(1) Users and authentication: user permissions and tracking of user actions: User, Tenant, Token, Role
(2) Service catalog: a catalog of all services and the endpoints of their APIs: Service, Endpoint
2.2 Create the Keystone database on the controller node
[root@controller ~]# mysql -predhat
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
MariaDB [(none)]> select user,host from mysql.user;
+----------+------------------------+
| user     | host                   |
+----------+------------------------+
| keystone | %                      |
| root     | 127.0.0.1              |
| root     | ::1                    |
| root     | controller.fzxz686.com |
| keystone | localhost              |
| root     | localhost              |
+----------+------------------------+
6 rows in set (0.00 sec)
MariaDB [(none)]> exit
Bye
2.3 Install the Keystone packages
(1) Install the Keystone packages
# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357; by default the Keystone service still listens on these ports
(2) Configure keystone.conf, adding the following two lines (connection goes in the [database] section, provider in the [token] section)
[root@controller ~]# vi /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token]
provider = fernet
# Another way to view the effective (non-commented) configuration
[root@controller ~]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet
# keystone does not need to be started as its own service; it is invoked through the HTTP server
2.4 Initialise and sync the Keystone database
(1) Sync the keystone database (44 tables)
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
(2) After the sync, test the connection and confirm that all tables were created
[root@controller ~]# mysql -h192.168.137.100 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
[root@controller ~]# mysql -h192.168.137.100 -ukeystone -pkeystone -e "use keystone;show tables;" | wc -l
45
2.5 Initialise the key repositories
# Initialize Fernet key repositories
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Success produces no output
2.6 Configure and start Apache
(1) Edit the main httpd configuration file
[root@controller ~]# cd /etc/httpd/conf/
[root@controller conf]# cp httpd.conf httpd.conf-bak
[root@controller conf]# vi httpd.conf
[root@controller conf]# cat httpd.conf | grep ServerName
# ServerName gives the name and port that the server uses to identify itself.
ServerName 192.168.137.100
(2) Create the virtual host configuration file
[root@controller ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# more /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
(3) Start httpd and enable it at boot
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-06-12 16:30:26 CST; 5s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 4686 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─4686 /usr/sbin/httpd -DFOREGROUND
           ├─4687 (wsgi:keystone- -DFOREGROUND
           ├─4688 (wsgi:keystone- -DFOREGROUND
           ├─4689 (wsgi:keystone- -DFOREGROUND
           ├─4690 (wsgi:keystone- -DFOREGROUND
           ├─4691 (wsgi:keystone- -DFOREGROUND
           ├─4692 /usr/sbin/httpd -DFOREGROUND
           ├─4693 /usr/sbin/httpd -DFOREGROUND
           ├─4694 /usr/sbin/httpd -DFOREGROUND
           ├─4701 /usr/sbin/httpd -DFOREGROUND
           └─4702 /usr/sbin/httpd -DFOREGROUND

Jun 12 16:30:26 controller.fzxz686.com systemd[1]: Starting The Apache HTTP Server...
Jun 12 16:30:26 controller.fzxz686.com systemd[1]: Started The Apache HTTP Server.
[root@controller ~]# netstat -anptl | grep httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      4686/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      4686/httpd
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl list-unit-files | grep httpd.service
httpd.service                                 enabled
# That completes the HTTP service configuration
2.7 Bootstrap the Keystone identity service
(1) Create the keystone user and initialise the service entity and API endpoints
# Create the keystone service entity and the identity service endpoints; the three endpoint types are public, internal and admin.
# A password ADMIN_PASS is needed for the OpenStack admin user; here it is set to 123456
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
# Running this command adds the following records to the keystone database (earlier releases required creating them by hand):
1) three service API endpoints in the endpoint table
2) the admin user in the local_user table
3) the admin project and the Default domain in the project table
4) three roles in the role table: admin, member and reader
5) the identity service in the service table
(2) Configure the administrative account
# OS_PASSWORD must be the ADMIN_PASS configured above
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=123456
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
# Check
[root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
(3) Inspect the Keystone entities that were created
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 7a635e94e3b2405e80bf0d8ac1797635 | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| 9611f6055bba4ccd988c0b3e899962d6 | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
| ea048b8741a444abb6dad98648c4cbb9 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@controller ~]# openstack project list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| e0d62651d2ad4c98a9a582b561ccc685 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 7129dac220e041acabf74d8f722bc080 | admin |
+----------------------------------+-------+
2.8 Create the regular Keystone entities
Create a domain, projects, users, and roles. Reference: https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html
(1) Create a Keystone domain named example; this creates a row named example in the project table
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 33a3eb73de9b44f29cb0e1b8580e4112 |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
(2) Create a project named service for the Keystone system environment; it serves the other OpenStack services. Regular (non-admin) tasks should use an unprivileged user. The following command creates the service project in the project table.
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 0c127478207042828e8196fb79a88a45 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
(3) Create the myproject project with its user and role, as the project for ordinary (non-admin) users. The following command creates the myproject project in the project table.
[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | bae0d0303095429ba2b01363ef800f57 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
(4) Create the myuser user in the default domain. The --password option sets the password in plaintext on the command line; --password-prompt prompts for it interactively. The following command adds myuser to the local_user table.
# openstack user create --domain default --password-prompt myuser   # prompt for the password interactively
# openstack user create --domain default --password=myuser myuser   # create the user and password in one command
[root@controller ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 07d8304d0e7346f5940e3b7842f88f2d |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
The password is redhat
(5) Create the myrole role in the role table
[root@controller ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | e6090b04661146e0ba4390614432ce8a |
| name      | myrole                           |
+-----------+----------------------------------+
(6) Grant the myrole role to the myuser user on the myproject project
[root@controller ~]# openstack role add --project myproject --user myuser myrole
2.9 Verify that Keystone was installed successfully
(1) Deal with the temporary authentication token mechanism: unset the admin auth URL and password from the environment, then obtain tokens to confirm that Keystone is configured correctly
[root@controller ~]# openstack role add --project myproject --user myuser myrole
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
[root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
(2) Request an authentication token as the administrator, using the admin user.
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:   ### enter 123456
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-06-12T10:11:58+0000                                                                                                                                                                |
| id         | gAAAAABe40be-TWvaLjxck4w0EyK6RaHp7j9wboJSoPdjM1ztyH-YsWjxYtwfuwqERhNLHzRGVcdBNxxZKqz6jedGRp5WXPC1A3Yq5k9IAhkiO-wsvcnvfsk9KdQWy6iVgwxxMeyqb5zoGBoH5BEG6wjqSLjVirZObvisxYy9TQuEtpPqf0g4PE |
| project_id | e0d62651d2ad4c98a9a582b561ccc685                                                                                                                                                        |
| user_id    | 7129dac220e041acabf74d8f722bc080                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(3) Request an authentication token as an ordinary user, using the myuser user created above
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:   ### enter the password set above: redhat
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-06-12T10:13:21+0000                                                                                                                                                                |
| id         | gAAAAABe40cxQwX2gXQ1xvKhueQINgMRkZ9y10cU_bavcMdEFHBfgQ-9qYflXi4sGQ1VpBs0wjOcoNAjml-ZYP4q4Alg5Cmt3XvRpk7LZcm0gnXa8ZpS3epdr5aGJ4hccn-aw0JlPcjLSUl8osqrS7nAkTfUmEy0TjAUOlDF9ZlUXf9_o0AKidw |
| project_id | bae0d0303095429ba2b01363ef800f57                                                                                                                                                        |
| user_id    | 07d8304d0e7346f5940e3b7842f88f2d                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
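The exchange described in 1.2 and exercised by `openstack token issue` above, as an added example that is not part of the original post: it builds the Keystone v3 password-auth request body, parses the token response (token id in the X-Subject-Token header, scope and roles in the body), and applies the checks a service such as Nova makes before honouring a token. It uses only the Python standard library; the Keystone response is a constructed sample that reuses the myuser/myproject ids from the post's output, and the token string is a placeholder.

```python
"""Keystone v3 password auth and the service-side token checks (stdlib only)."""
import json
from dataclasses import dataclass
from datetime import datetime


def password_auth_body(user, password, project, domain="Default"):
    """Body of POST /v3/auth/tokens: what the openstack client sends for
    `openstack token issue` with OS_USERNAME / OS_PROJECT_NAME set."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user,
                                           "domain": {"name": domain},
                                           "password": password}}},
        # project scope is what makes the token usable against Nova & co.
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def parse_ts(iso):
    # Keystone emits UTC timestamps such as 2020-06-12T10:13:21.000000Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


@dataclass(frozen=True)
class ScopedToken:
    token_id: str          # opaque Fernet string from the X-Subject-Token header
    expires_at: datetime
    project_id: str
    user_id: str
    roles: frozenset


def parse_token_response(headers, body):
    """The token id travels in X-Subject-Token; the JSON body carries expiry,
    scope and roles (same shape when issuing and for GET /v3/auth/tokens)."""
    tok = json.loads(body)["token"]
    return ScopedToken(headers["X-Subject-Token"], parse_ts(tok["expires_at"]),
                       tok["project"]["id"], tok["user"]["id"],
                       frozenset(r["name"] for r in tok["roles"]))


def authorize(token, project_id, required_role, now):
    """What a service does once Keystone has validated the token for it:
    reject expired tokens, tokens scoped to another project, and tokens
    whose role set lacks the role its policy demands. `now` is ISO-8601."""
    if parse_ts(now) >= token.expires_at:
        return False
    if token.project_id != project_id:
        return False
    return required_role in token.roles


# Constructed sample of the myuser/myproject token (ids copied from the post).
SAMPLE_HEADERS = {"X-Subject-Token": "CONSTRUCTED-FERNET-TOKEN"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2020-06-12T10:13:21.000000Z",
    "project": {"id": "bae0d0303095429ba2b01363ef800f57", "name": "myproject"},
    "user": {"id": "07d8304d0e7346f5940e3b7842f88f2d", "name": "myuser"},
    "roles": [{"id": "e6090b04661146e0ba4390614432ce8a", "name": "myrole"}]}})
```

The same parsing applies to the response a service gets back from Keystone when it validates a caller's token, which is why the expiry and project-scope checks belong on the service side as well.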
2.10 Create the OpenStack client environment scripts
# Create OpenStack client environment scripts
# Above, a combination of environment variables and command options was used to interact with the identity service through the "openstack" client.
# To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files. I use custom file names here.
(1) Create the environment script for the admin user
[root@controller ~]# cd /server/tools/
[root@controller tools]# vi keystone-admin-pass.sh
[root@controller tools]# more keystone-admin-pass.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
(2) Create the environment script for the ordinary user myuser
[root@controller tools]# vi keystone-myuser-pass.sh
[root@controller tools]# more keystone-myuser-pass.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
(3) Test the environment scripts: source one to load the client configuration, so the client can quickly be run as a specific tenant and user
[root@controller tools]# source keystone-admin-pass.sh
(4) Request an authentication token
[root@controller tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-06-12T10:30:54+0000                                                                                                                                                                |
| id         | gAAAAABe40tOfNcB-9D4B3ShWWN_WntyzrvwfVzepRSplwEWFM6i5Mt5utqqfg0tEZnQxcAtwHimVsMGChrqyedns2hE_gQIxM_ewa_gy5EY5OW7mxBIVMVXqlcTRrbp-3RhzquPMNxyTC5ZNzeg5qPUOI4KMOZHUvXYt8DQyb2NLSt2mDGhCN4 |
| project_id | e0d62651d2ad4c98a9a582b561ccc685                                                                                                                                                        |
| user_id    | 7129dac220e041acabf74d8f722bc080                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# The user_id matches the one obtained with the explicit command options above.
# With that, the keystone component is configured successfully.
References:
https://docs.openstack.org/keystone/rocky/getting-started/index.html
https://www.cnblogs.com/tssc/p/9858655.html
Author: 疯子行者 (ID: fzxz686)