This post covers Keystone, the OpenStack identity (authentication) service component
--------------- divider ----------------
1) Users and authentication: user permissions and tracking of user activity
User, Tenant, Token, Role
2) Service catalog: provides a catalog of all services together with the endpoints of their APIs
Service, Endpoint
mysql -p123456
--------------------------------
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
flush privileges;
show databases;
select user,host from mysql.user;
exit
--------------------------------
# Configure the Apache service: an HTTP server with mod_wsgi answers identity-service requests on ports 5000 and 35357; by default the Keystone service still listens on these ports
yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y
# The quick configuration method below requires openstack-utils to be installed
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
# Note: keystone does not need to connect to rabbitmq
# View the effective configuration
egrep -v "^#|^$" /etc/keystone/keystone.conf
# Another way to view the effective configuration
grep '^[a-z]' /etc/keystone/keystone.conf
# Example:
[root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet
# keystone is not started as its own daemon; it is served through the http service
su -s /bin/sh -c "keystone-manage db_sync" keystone
# Make sure all required tables have been created, otherwise later steps may fail
mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
Example:
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
45
# Initialize Fernet key repositories:
# For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094
# The following commands return no output
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
vim /etc/httpd/conf/httpd.conf +95
----------------------------------
ServerName controller
----------------------------------
# or
sed -i "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
cat /etc/httpd/conf/httpd.conf |grep ServerName
# Create a symlink to the keystone virtual-host configuration file (it can also be copied over)
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# Alternatively the file can be created and edited by hand
cat /usr/share/keystone/wsgi-keystone.conf
-------------------------------
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
--------------------------------
systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd
systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service
# If httpd fails to start, disable selinux or install the policy package: yum install openstack-selinux
[root@openstack01 ~]# systemctl start httpd.service
[root@openstack01 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1978 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1978 /usr/sbin/httpd -DFOREGROUND
           ├─1981 (wsgi:keystone- -DFOREGROUND
           ├─1982 (wsgi:keystone- -DFOREGROUND
           ├─1983 (wsgi:keystone- -DFOREGROUND
           ├─1984 (wsgi:keystone- -DFOREGROUND
           ├─1985 (wsgi:keystone- -DFOREGROUND
           ├─1986 /usr/sbin/httpd -DFOREGROUND
           ├─1988 /usr/sbin/httpd -DFOREGROUND
           └─1989 /usr/sbin/httpd -DFOREGROUND

10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
[root@openstack01 ~]# netstat -anptl|grep httpd
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd
[root@openstack01 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
httpd.service                                 enabled
# At this point the http service configuration is complete
# In earlier releases (before Queens) the bootstrap served two ports (5000 for users and 35357 for admin); this release serves everything through a single port
# Create the keystone service entity and the identity service endpoints; the three interface types are public, internal and admin.
# A password ADMIN_PASS must be chosen for the OpenStack administrator login; here it is set to 123456
keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
# Example command:
keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
# Running this command adds the following to the keystone database (earlier releases required creating them by hand):
1) three API endpoints for the service entity in the endpoint table
2) the admin user in the local_user table
3) the admin project and Default (the default domain) in the project table
4) three roles, admin, member and reader, in the role table
5) the identity service in the service table
# The OS_PASSWORD exported here must be the ADMIN_PASS configured above
export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
# View the declared variables
env |grep OS_
[root@openstack01 ~]# env|grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
# Earlier releases used admin_token to set the initial administrator authentication token, similar to the following
export OS_TOKEN=c0053993bb39ad3de84a
export OS_URL=http://192.168.1.81:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Appendix: commonly used openstack management commands; the administrator environment variables must be applied first
# View keystone instance information
openstack endpoint list
openstack project list
openstack user list
[root@openstack01 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@openstack01 ~]# openstack project list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 3706708374804e2eb4ed056f55d84666 | admin     |
| 84cc7185f2c8461eb19a14968228b272 | myproject |
| b8e318b3c7a844708762169959c34ff8 | service   |
+----------------------------------+-----------+
[root@openstack01 ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
+----------------------------------+--------+
# Delete an endpoint
# In earlier releases endpoints were created separately, could go wrong and then had to be deleted; the newer release has improved this: as long as the system configuration is correct they are generated automatically and rarely go wrong
openstack endpoint delete [ID]
# Create a domain, projects, users, and roles
https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html
# The following command creates the domain named example; it is stored as a row in the project table
openstack domain create --description "An Example Domain" example
[root@openstack01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
# Routine (non-admin) tasks should use an unprivileged user
# The following command creates a project named service in the project table
openstack project create --domain default --description "Service Project" service
[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b8e318b3c7a844708762169959c34ff8 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
# A project for ordinary (non-admin) users, providing services to regular users
# The following command creates a project named myproject in the project table
openstack project create --domain default --description "Demo Project" myproject
[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 84cc7185f2c8461eb19a14968228b272 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
# The --password option sets the password directly in plaintext; --password-prompt asks for it interactively
# The following command adds the myuser user to the local_user table
openstack user create --domain default --password-prompt myuser   # enter the password interactively
# openstack user create --domain default --password=myuser myuser   # create the user and password directly
[root@openstack01 ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | cbb2b3830a8f44bc837230bca27ae563 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
openstack role create myrole
[root@openstack01 ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
| name      | myrole                           |
+-----------+----------------------------------+
# The following command returns nothing, and the table change is not very visible
openstack role add --project myproject --user myuser myrole
# Disable the temporary authentication token mechanism, obtain a token, and verify that the keystone configuration works
unset OS_AUTH_URL OS_PASSWORD
env |grep OS_
# Test whether the admin account can log in and authenticate: request an authentication token
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                 |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:48:40+0000                                                                                                                                                              |
| id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                      |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                      |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# The following command uses the myuser user's password and API port 5000, which allows only regular (non-admin) access to the Identity service API.
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                 |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:49:18+0000                                                                                                                                                              |
| id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
| project_id | 84cc7185f2c8461eb19a14968228b272                                                                                                                                                      |
| user_id    | cbb2b3830a8f44bc837230bca27ae563                                                                                                                                                      |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
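As an added example (not code from the original post), this is what `openstack ... token issue` sends and receives: it builds the Keystone v3 password-authentication body from the same OS_* variables exported above and reads back the fields the CLI prints (id, expires, project_id, user_id). The function names and the urllib-based call are my own; the /v3/auth/tokens path and the X-Subject-Token header are Keystone's documented API.

```python
# Added example: the Keystone v3 password-auth exchange behind `openstack token issue`.
import json
import os
import urllib.request


def build_password_auth_request(env):
    """Body for POST {OS_AUTH_URL}/auth/tokens: password method, scoped to a project."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": env["OS_USERNAME"],
                "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}


def parse_token_response(headers, body):
    """Keystone puts the token itself in the X-Subject-Token header and its metadata in the body."""
    token = body["token"]
    return {"id": headers["X-Subject-Token"],
            "expires": token["expires_at"],
            "project_id": token["project"]["id"],
            "user_id": token["user"]["id"]}


def token_issue(env):
    """Run the exchange against a live Keystone (needs network; the offline test only checks the helpers)."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    data = json.dumps(build_password_auth_request(env)).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.headers, json.load(resp))


if __name__ == "__main__":
    # Uses the OS_* variables that `source keystone-admin-pass.sh` exports.
    for field, value in token_issue(os.environ).items():
        print(f"{field:<10} {value}")
```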
# Create OpenStack client environment scripts
# Above, a combination of environment variables and command options was used to interact with the Identity service through the openstack client.
# To make client operations more efficient, OpenStack supports simple client environment scripts, the OpenRC files; a custom file name is used here
# vim admin-openrc
cd /server/tools
vim keystone-admin-pass.sh
----------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------
env |grep OS_
# Application: if the dashboard login password was changed and then forgotten, the admin_token authentication mechanism can be used to change the login password
vim keystone-myuser-pass.sh
-------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
-------------------------------
# Source the script to load the client configuration, so the client can quickly run as a specific tenant and user
source keystone-admin-pass.sh
openstack token issue
[root@openstack01 tools]# openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                 |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T12:13:28+0000                                                                                                                                                              |
| id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                      |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                      |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# The user_id is the same as the one obtained with the command above, which shows the configuration succeeded
# At this point the keystone installation is complete
======== Done ========