Identity service overview
The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and a catalog of services. Other OpenStack services use the Identity service as a common unified API. Additionally, services that provide information about users but that are not included in OpenStack (such as LDAP services) can be integrated into a pre-existing infrastructure. To benefit from the Identity service, other OpenStack services need to collaborate with it. When an OpenStack service receives a request from a user, it checks with the Identity service whether the user is authorized to make that request. The Identity service contains these components:
Server
A centralized server provides authentication and authorization services using a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack and may already exist in the infrastructure where OpenStack is deployed (for example, an SQL database or an LDAP server).
Modules
Middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface (WSGI).
Prerequisites
mysql -uroot -pSWPUcs406mariadb -e "CREATE DATABASE keystone;"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'SWPUcs406dbkeystone';"
mysql -uroot -pSWPUcs406mariadb -e "FLUSH PRIVILEGES;"
Install and configure components
On all controller nodes:
yum install -y openstack-keystone httpd mod_wsgi openstack-utils
Edit the /etc/keystone/keystone.conf file:
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token SWPUcs406token
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:SWPUcs406dbkeystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 10.0.0.1X
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 10.0.0.1X
On the Controller1 node:
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
scp -r /etc/keystone/fernet-keys controller2:/etc/keystone/
On the Controller2 node:
mkdir -p /etc/keystone/fernet-keys
chown -R keystone:keystone /etc/keystone/fernet-keys
On all controller nodes, configure the HTTP server
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf <<OFF
Listen 10.0.0.1x:5000
Listen 10.0.0.1x:35357
<VirtualHost 10.0.0.1x:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost 10.0.0.1x:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
OFF
Finalize the installation
systemctl enable httpd.service
systemctl start httpd.service
Create the service entity and API endpoints
On the Controller1 node:
Export the environment variables
export OS_TOKEN=SWPUcs406token
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the keystone service
openstack service create --name keystone --description "OpenStack Identity" identity
Create the endpoints
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
Create the default domain
openstack domain create --description "Default Domain" default
Create the user roles
openstack role create admin
openstack role create user
Create the admin user
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password SWPUcs406admin admin
openstack role add --project admin --user admin admin
Create the service project
openstack project create --domain default --description "Service Project" service
Create the demo user
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password SWPUcs406demo demo
openstack role add --project demo --user demo user
Verify Keystone
Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of /etc/keystone/keystone-paste.ini, so that the static bootstrap token can no longer be used for authentication.
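As an added example (not part of the original guide), the following shell helpers perform that removal on the three named pipeline sections only, and verify afterwards that neither the paste file nor keystone.conf still enables the bootstrap admin token; the file names and the sample paste content below are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical helpers, not from the guide: disable the admin_token_auth filter
# and check that no bootstrap-token path remains enabled.

# Strip admin_token_auth from the pipeline= line of public_api, admin_api and
# api_v3; other sections (for example the [filter:...] definitions) stay as is.
remove_admin_token_auth() {
    ini="$1"
    sed -i -E '/^\[pipeline:(public_api|admin_api|api_v3)\]/,/^\[/{/^pipeline[[:space:]]*=/s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/g;}' "$ini"
}

# Exit 0 only if no pipeline= line still lists the admin_token_auth filter.
admin_token_auth_absent() {
    ! grep -Eq '^pipeline[[:space:]]*=.*(=|[[:space:]])admin_token_auth([[:space:]]|$)' "$1"
}

# Exit 0 only if keystone.conf has no active (uncommented) admin_token= line;
# the guide sets one in [DEFAULT], and it should not stay in production.
admin_token_unset() {
    ! grep -Eq '^[[:space:]]*admin_token[[:space:]]*=' "$1"
}

# Constructed sample modelled on the Mitaka keystone-paste.ini layout.
paste_ini=$(mktemp)
cat > "$paste_ini" <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF

remove_admin_token_auth "$paste_ini"
if admin_token_auth_absent "$paste_ini"; then
    echo "paste pipelines no longer accept the bootstrap admin token"
else
    echo "admin_token_auth is still enabled in a pipeline" >&2
fi
rm -f "$paste_ini"
```

Run the two check functions against the real /etc/keystone/keystone-paste.ini and /etc/keystone/keystone.conf on every controller after the token-based bootstrap is finished.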
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:53:37.208304Z                                             |
| id         | gAAAAABXOqPRLF4fdxaeLV-1_bXeSknDjVgn91qer1wxlsMaUtsZ9feGjHvewJQQ8HgFKCF |
|            | b0sZnm0MOOk9qUF4jeyPAy2uFZXuuEmL2avStN-cPguXBC09Sm7mosKh1hwdncv3E7oxe8N |
|            | Ge8yD0A2_RHfwV5wWj2uBXQMf2qCcBk7iltsaBfT4                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:54:20.743858Z                                             |
| id         | gAAAAABXOqP8laJo3borpBVKlEEIHk1xgkVAIyLKbOrxMUm2CfoxI0ZjbFRfqqRhVX4oZwh |
|            | n6E9dtjj5RxkOFZBM_6wIAK6RUl18g8T6AmDNx0Izv-                             |
|            | ngAdctlB2ZO0FuMJUvJrYjcIjzPPbzuCkFmJJWjVCK3GIOekjrABH7vu5yK_r8SywprFI   |
| project_id | 64da450222c74ffcae213fe29a7ea9a6                                        |
| user_id    | 5da76ac5669c4afd95ce411a75d23461                                        |
+------------+-------------------------------------------------------------------------+
On all controller nodes
Environment variables for the admin user
cat > admin-openrc << OFF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=SWPUcs406admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
OFF
Environment variables for the demo user
cat > demo-openrc << OFF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=SWPUcs406demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
OFF
Verify
. admin-openrc
openstack token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-24T10:56:18.447602Z                                             |
| id         | gAAAAABXRCVCpWWTz-W_Oe0Pgvi_97clytWFDlFeuwGWzwZRZ8X0Eir9nxoMDJChcgaDfg4 |
|            | w4EPIlza0nTKZiSSYlkOmp_tw43OuESfxiZ3DRJt1JZDjYayUn59xD80MmMs528QpkdgtNh |
|            | qGZDPeOaaop-Bpun_Qg5JPLj0KN8x-fpyBGRo1kMA                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+
Reference articles:
http://docs.openstack.org/ha-guide/controller-ha-identity.html
http://docs.openstack.org/mitaka/install-guide-rdo/keystone.html