Keystone
Keystone (OpenStack Identity Service) is the component of the OpenStack framework responsible for authentication, service access rules and service tokens. A user accessing a resource must have their identity and permissions verified, and a service performing an operation must also pass a permission check; all of this is handled through Keystone.
Overall architecture and functions
1. Basic functions
As OpenStack's Identity Service, Keystone provides user information management and authentication for each of the other modules.
User information management: basic user/tenant information, tenant management
Authentication service: login authentication, and access control for each component's API
2. Architecture
Since Keystone provides authentication for every module, every module interacts with Keystone. Login authentication happens when a user calls a component's API: the WSGI pipeline invokes the authtoken filter, which calls keystoneclient, and the token is ultimately validated by Keystone, completing the user's login authentication. If validation fails, the user cannot access that API.
3. Basic concepts
- User: simply put, a user; a user carrying a credential (token) can access the various OpenStack services and resources.
- Tenant: a tenant, which earlier versions also called a project; it is the set of accessible resources within the various services. Before a user can access a tenant's resources, the user must be associated with that tenant and assigned a role within it.
- Role: a role, which can be thought of as a VIP level; the higher a user's role, the more services and resources the user can access in OpenStack.
- Service: a service, for example Nova provides compute, Glance provides image management, Swift provides object storage, Heat provides resource orchestration, Ceilometer provides alarming and billing, and Cinder provides block storage.
- Endpoint: the concrete form of a Service. An endpoint is the access point a service exposes; to use a service you must know its endpoint, which is normally a URL. An endpoint's URL comes in three access levels: the public URL can be reached from anywhere, the private URL only from the local network, and the admin URL is kept separate from regular access.
- Token: the credential. A user obtains a token under some tenant with a username and password; with the token, single sign-on is possible.
- Credentials: simply put, the username and password.
4. Access flow
Taking the creation of a virtual machine (server) as an example:
1. User Alice requests a token from Keystone with her username and password; after verifying them, Keystone returns token1.
2. Using token1, Alice asks Keystone which tenants she owns; after validating token1, Keystone returns all of Alice's tenants.
3. Alice picks a tenant and requests a token with her username and password; after verifying username, password and tenant, Keystone returns token2. (If the tenant is already known, steps 1 and 2, whose only purpose is the token lookup, can be skipped.)
4. Alice sends the create-server request with token2; Keystone validates token2 (whether the token is still valid, whether it has permission to create a virtual machine, and so on), and the request is then passed on to Nova, which finally creates the virtual machine.
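To make the four steps concrete, here is an added Python example (not from the original post and not Keystone's own code): an in-memory stand-in for Keystone that issues an unscoped token, answers the project query, issues a project-scoped token, and validates it with a role check before a fake Nova creates the server. The users, projects, role assignments and the policy mapping are constructed for the example; a real Keystone issues tokens over HTTP and does not keep them in a Python dict.

```python
import secrets
import time

# Constructed sample identity data (not from any real deployment).
USERS = {"alice": "alice-pass", "bob": "bob-pass"}
PROJECTS = {"demo", "admin"}
# (user, project) -> roles the user holds in that project
ROLE_ASSIGNMENTS = {("alice", "demo"): {"member"}}
# Which roles a scoped token needs for a given Nova action (constructed policy).
POLICY = {"compute:create_server": {"member", "admin"}}
TOKEN_TTL = 3600  # seconds; the post notes Keystone's default is one day


class KeystoneMock:
    """Minimal stand-in for Keystone: issues and validates bearer tokens."""

    def __init__(self):
        self._tokens = {}  # token id -> {user, project, roles, expires}

    def authenticate(self, username, password, project=None):
        # Steps 1 and 3: credentials are checked; naming a project makes the
        # token scoped and requires a role assignment in that project.
        if USERS.get(username) != password:
            raise PermissionError("invalid credentials")
        roles = set()
        if project is not None:
            roles = ROLE_ASSIGNMENTS.get((username, project), set())
            if project not in PROJECTS or not roles:
                raise PermissionError("user has no role in project %s" % project)
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {"user": username, "project": project,
                                  "roles": roles, "expires": time.time() + TOKEN_TTL}
        return token_id

    def validate(self, token_id):
        """What the authtoken filter asks Keystone: is this token known and unexpired?"""
        rec = self._tokens.get(token_id)
        if rec is None:
            raise PermissionError("unknown token")
        if rec["expires"] < time.time():
            del self._tokens[token_id]
            raise PermissionError("token expired")
        return rec

    def list_projects(self, token_id):
        # Step 2: an unscoped token is enough to ask which projects the user can use.
        user = self.validate(token_id)["user"]
        return sorted(p for (u, p) in ROLE_ASSIGNMENTS if u == user)


def nova_create_server(keystone, token_id, name):
    """Step 4: token validation plus Nova's role check, then the server is created."""
    rec = keystone.validate(token_id)
    if rec["project"] is None:
        raise PermissionError("unscoped token cannot create a server")
    if not rec["roles"] & POLICY["compute:create_server"]:
        raise PermissionError("role check failed")
    return {"name": name, "project": rec["project"], "owner": rec["user"]}


def run_flow(username, password, server_name):
    """The full four-step flow from the post, against the mock Keystone."""
    ks = KeystoneMock()
    token1 = ks.authenticate(username, password)               # step 1: unscoped token
    projects = ks.list_projects(token1)                         # step 2: which projects?
    token2 = ks.authenticate(username, password, projects[0])   # step 3: scoped token
    return nova_create_server(ks, token2, server_name)          # step 4: create server


if __name__ == "__main__":
    print(run_flow("alice", "alice-pass", "vm1"))
```

Note that an unscoped token is rejected by the server-creation step even though it is valid: the role check in step 4 only makes sense against a project, which is why step 3 exists.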
Source the environment variables before running the commands:
[root@openstack ~]# source /etc/keystone/admin-openrc.sh
User management (user)
List users
[root@openstack ~]# openstack user list
+----------------------------------+-------------------+
| ID | Name |
+----------------------------------+-------------------+
| 0f8782af6a654d77b587e25a32f91f28 | cinder |
| 1ab30f77400448eba6b2d47e55084540 | demo |
| 2550fa93b1fe4cb582f1f46353b836d8 | ceilometer |
| 2d2a345336184b1ebbdf022f710084e8 | neutron |
| 48b816f9db9541b4bd9ca49ad453574c | glance |
| 765a16c99d7d42a4b69ff941f7791b54 | aodh |
| 788efa329f324b91a431ad56cd7b9a14 | nova |
| 7ecae98d16d54483b964c9c2548fd7bc | swift |
| 962612a3e7784df38d0c98fea1f30320 | heat |
| 9ee4731c00c24f659b8790be6b77bc8a | admin |
| d6fdd1e5e1a348e0b6c5b8c7f33ba5fa | placement |
| d957a578fed2452ab91bc651f2f1fb97 | heat_domain_admin |
| e91070fa751e49689963b566db999bee | gnocchi |
+----------------------------------+-------------------+
Create a user
[root@openstack ~]# openstack user create --password 000000 --domain demo testuser
Show user details
[root@openstack ~]# openstack user show testuser
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 0fd68b47435a4559b0bc42cd64e8cb87 |
| enabled             | True                             |
| id                  | 529fbe41b72b4ec591e1c1367b6dd1d6 |
| name                | testuser                         |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
Update a user
[root@openstack ~]# openstack user set --name myuser testuser
Delete a user
[root@openstack ~]# openstack user delete myuser
Project (tenant) management (project)
List projects
[root@openstack ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0dd87985eb314fed828e6888aed4880d | demo |
| 55b50cbb4dd4459b873cb15a8b03db43 | admin |
| a184a157399043c2a40abc52df0459a2 | service |
+----------------------------------+---------+
Create a project
[root@openstack ~]# openstack project create --domain demo myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| enabled     | True                             |
| id          | 28b94326849643388b4585264b57d72d |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| tags        | []                               |
+-------------+----------------------------------+
[root@openstack ~]# openstack project show myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| enabled     | True                             |
| id          | 28b94326849643388b4585264b57d72d |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| tags        | []                               |
+-------------+----------------------------------+
Update a project
[root@openstack ~]# openstack project set --disable myproject
[root@openstack ~]# openstack project show myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| enabled     | False                            |
| id          | 28b94326849643388b4585264b57d72d |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | 0fd68b47435a4559b0bc42cd64e8cb87 |
| tags        | []                               |
+-------------+----------------------------------+
Delete a project
[root@openstack ~]# openstack project delete myproject
Role management (role)
List roles
[root@openstack ~]# openstack role list
+----------------------------------+------------------+
| ID | Name |
+----------------------------------+------------------+
| 5cf334e099bb45eeb8221a8d52fbc20b | user |
| 86894f5ec5b94c578612f8573b1654fd | admin |
| accbaf32c27c405fbdc00403e9d3b47f | heat_stack_user |
| bd9a0f5370ae499cbb0745e915145db8 | heat_stack_owner |
| efdb4ab19c764c9783735686cb2206fb | ResellerAdmin |
+----------------------------------+------------------+
Create a role
[root@openstack ~]# openstack role create testrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 8eaff88610454febb7fbc89c251acd18 |
| name      | testrole                         |
+-----------+----------------------------------+
[root@openstack ~]# openstack role show testrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 8eaff88610454febb7fbc89c251acd18 |
| name      | testrole                         |
+-----------+----------------------------------+
Grant a role
[root@openstack ~]# openstack role add --project myproject --user testuser testrole
Revoke a role
[root@openstack ~]# openstack role remove --project myproject --user testuser testrole
Delete a role
[root@openstack ~]# openstack role delete testrole
Domain management (domain)
List domains
[root@openstack ~]# openstack domain list
+----------------------------------+------+---------+--------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+------+---------+--------------------------+
| 0fd68b47435a4559b0bc42cd64e8cb87 | demo | True | Default Domain |
| 5be750028f0c4928a361ffe09734098f | heat | True | Stack projects and users |
+----------------------------------+------+---------+--------------------------+
Create a domain
[root@openstack ~]# openstack domain create test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 33a649321a7a4b37818f20fdd151c5f1 |
| name        | test                             |
| tags        | []                               |
+-------------+----------------------------------+
Show domain details
[root@openstack ~]# openstack domain show test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 33a649321a7a4b37818f20fdd151c5f1 |
| name        | test                             |
| tags        | []                               |
+-------------+----------------------------------+
Update a domain
[root@openstack ~]# openstack domain set --disable test
[root@openstack ~]# openstack domain show test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | False                            |
| id          | 33a649321a7a4b37818f20fdd151c5f1 |
| name        | test                             |
| tags        | []                               |
+-------------+----------------------------------+
Delete a domain
[root@openstack ~]# openstack domain delete test
Service management (service)
List services
[root@openstack ~]# openstack service list
+----------------------------------+------------+----------------+
| ID                               | Name       | Type           |
+----------------------------------+------------+----------------+
| 0180c4415e9441d081d4cd32c0c4653a | heat       | orchestration  |
| 3a062312dd734acc9accdf6d49018351 | aodh       | alarming       |
| 5358ad058dfc43bcacaa1c757a200554 | nova       | compute        |
| 56f5bf25e1c4402bbfbadc011ad89cf8 | cinderv3   | volumev3       |
| 63e09469c88a442cab182bbb42a22c56 | keystone   | identity       |
| 650c870db0c746c5821680fe3c71d38e | placement  | placement      |
| 715da9d8156543c5909a1a5cca0f82f2 | heat-cfn   | cloudformation |
| 769f82493c8e4412a88c1d54cb83b181 | cinderv2   | volumev2       |
| 9b82d36a3df948e2921aec3d26022dc5 | gnocchi    | metric         |
| b4b4ce6e93ef44fd9827b9da61962d63 | ceilometer | metering       |
| bc348aa7e16045ea9d5b9e4ee92777dc | neutron    | network        |
| c7758f0593c746718ed9ac4c69dfec80 | cinder     | volume         |
| da90ae15a2c448ebb72542880713b453 | glance     | image          |
| dc1b0ef593ae45c993fb69cff54c3037 | swift      | object-store   |
+----------------------------------+------------+----------------+
Create a service
[root@openstack ~]# openstack service create test
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | 647b4240f53c4cbc8abed5d695543d95 |
| name    |                                  |
| type    | test                             |
+---------+----------------------------------+
Delete a service
[root@openstack ~]# openstack service delete test
Create a service endpoint
openstack endpoint create --region region_name service_id interface url
Create the nova-compute endpoints
# openstack endpoint create --region myregion 5358ad058dfc43bcacaa1c757a200554 admin http://172.25.253.5:8774/v2
# openstack endpoint create --region myregion 5358ad058dfc43bcacaa1c757a200554 internal http://172.25.253.5:8774/v2
# openstack endpoint create --region myregion 5358ad058dfc43bcacaa1c757a200554 public http://172.25.253.5:8774/v2
Create the nova-volume endpoints
# openstack endpoint create --region myregion 08ebebcbcbf64e4f9012b13db94e83e2 admin http://172.25.253.5:8776/v1
# openstack endpoint create --region myregion 08ebebcbcbf64e4f9012b13db94e83e2 internal http://172.25.253.5:8776/v1
# openstack endpoint create --region myregion 08ebebcbcbf64e4f9012b13db94e83e2 public http://172.25.253.5:8776/v1
Keystone permissions
On a self-built OpenStack private cloud, modify the permissions of ordinary users so that they cannot create or delete images.
(omitted)
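The post leaves this task out, so here is an added Python example (not from the original post and not OpenStack's code) of the mechanism such a change relies on: OpenStack services decide per action with policy rules, which Glance reads from its policy file (/etc/glance/policy.json in the releases that shipped JSON policy) and evaluates with oslo.policy. The block below carries a constructed policy shaped like Glance's, a hardened copy in which add_image and delete_image require the admin role, and a small evaluator for the subset of rule syntax used ("role:", "rule:", "and", "or", the empty always-allow rule); it is not oslo.policy itself and does not handle parentheses.

```python
# Constructed policy in the shape of Glance's policy.json. The rule strings use
# the subset of oslo.policy syntax handled below: "" (always allow), "!" (never
# allow), "role:<name>", "rule:<other rule>", joined with " and " / " or ".
DEFAULT_POLICY = {
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "delete_image": "",
    "get_image": "",
    "modify_image": "",
}

# Hardened variant: creating and deleting images now require the admin role,
# which is what the task above asks for; everything else is left unchanged.
RESTRICTED_POLICY = dict(DEFAULT_POLICY,
                         add_image="rule:context_is_admin",
                         delete_image="rule:context_is_admin")


def check(policy, action, creds, _depth=0):
    """Return True when the caller's credentials satisfy policy[action].

    creds is a dict with a 'roles' list, like the roles carried in a scoped
    token. Unknown actions fall back to the 'default' rule, as oslo.policy does.
    """
    if _depth > 10:
        raise ValueError("rule recursion too deep")
    expr = policy.get(action, policy.get("default", "!"))
    return _eval(policy, expr, creds, _depth)


def _eval(policy, expr, creds, depth):
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    # 'or' has the lowest precedence, so split on it first; 'and' binds tighter.
    for op, combine in ((" or ", any), (" and ", all)):
        if op in expr:
            return combine(_eval(policy, part, creds, depth) for part in expr.split(op))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check(policy, value, creds, depth + 1)
    raise ValueError("unsupported check: %r" % expr)


def allowed_actions(policy, creds):
    """Image actions the caller may perform; handy for diffing two policies."""
    actions = ("add_image", "delete_image", "get_image", "modify_image")
    return [a for a in actions if check(policy, a, creds)]


if __name__ == "__main__":
    member = {"roles": ["member"]}
    print("default   :", allowed_actions(DEFAULT_POLICY, member))
    print("restricted:", allowed_actions(RESTRICTED_POLICY, member))
```

Comparing the two policies for the same credentials is the quickest way to confirm a policy edit did only what was intended; the role names must match the roles that appear in the scoped token (see the role list earlier on this page).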
Speeding up OpenStack
Clear expired tokens to speed up OpenStack
Sometimes you notice that creating or querying data in Horizon has become slow, that MySQL is using too much CPU, or that backing up the databases (especially the keystone database) takes far too long. When that happens, it is time to clear the token table in the keystone database.
By default Keystone stores tokens in the SQL database; the relevant settings are in keystone.conf (# vim /etc/keystone/keystone.conf, [token] section). The default token lifetime is one day.
There are two other choices for token storage:
- keystone.token.backends.memcache: in-memory database
- keystone.token.backends.kvs: key-value pairs
memcache is faster but memory-hungry, and the key-value store is comparatively slow, so the best choice is still a relational database such as MySQL.
- Clear expired tokens:
# keystone-manage token_flush
Add it to crontab and run it as often as needed, for example once a week:
0 1 * * 7 keystone-manage token_flush
Since PKI tokens are very large and increase the load not only on Keystone but also on Horizon's HTTP traffic, in a private cloud we can simply use UUID tokens instead of the default PKI:
# vim /etc/keystone/keystone.conf
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
token_format = UUID
# systemctl restart openstack-keystone.service
User API
All OpenStack commands are implemented as WSGI extensions and carried out with HTTP requests: the user PUTs/POSTs data to the corresponding Nova endpoint, Nova processes the request and responds with the relevant data.
The endpoints associated with a user can be obtained with the following command:
# openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+---------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                         |
+----------------------------------+-----------+--------------+----------------+---------+-----------+---------------------------------------------+
| 417121e01da84191acce4c2c64189cfe | RegionOne | keystone     | identity       | True    | internal  | http://openstack:5000/v3                    |
| a10f5833f89c45e4939c76e239c4ac56 | RegionOne | keystone     | identity       | True    | admin     | http://openstack:5000/v3                    |
| df768633f7f04842bf76be785a475e21 | RegionOne | keystone     | identity       | True    | public    | http://openstack:5000/v3                    |
+----------------------------------+-----------+--------------+----------------+---------+-----------+---------------------------------------------+
A user token can be obtained with the following command:
curl -X POST http://openstack:5000/v3/tokens -d '{"auth":{"passwordCredentials":{"username": "myadmin", "password":"000000"}}}' -H "Content-type: application/json"
Getting a Keystone token
Calling python-keystoneclient
Sending a simple cURL request
# curl -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "password"}}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
(tenantName is the name of the scope, i.e. the tenant)
Response:
{
  "access": {
    "token": {
      "issued_at": "2014-02-10T00:40:20.909222",
      "expires": "2014-02-11T00:40:20Z",
      "id": "MIIDjwYJKoZIhvcNAQcCoIIDgDC",
      "tenant": {
        "description": null,
        "enabled": true,
        "id": "8cdca733159c4bf6a622b9bb25a73ad6",
        "name": "demo"
      }
    },
    "serviceCatalog": [],
    "user": {
      "username": "demo",
      "roles_links": [],
      "id": "d5cf3796f7c04a468b5282555110ba5d",
      "roles": [
        {
          "name": "member"
        }
      ],
      "name": "demo"
    },
    "metadata": {
      "is_admin": 0,
      "roles": [
        "a790ff829b0e4bc29d5ca4bbc58d48f1"
      ]
    }
  }
}
Using the Requests library
from __future__ import print_function
import requests
import json

if __name__ == "__main__":
    # v2.0 password authentication, scoped to the tenant named in tenantName
    json_payload = {
        "auth": {
            "tenantName": "demo",
            "passwordCredentials": {
                "username": "demo",
                "password": "password"
            }
        }
    }
    headers = {'content-type': 'application/json', 'accept': 'application/json'}
    response = requests.post(url='http://localhost:5000/v2.0/tokens',
                             data=json.dumps(json_payload), headers=headers)
    if response.status_code == requests.codes.ok:
        print(response.json())
    else:
        print('Something went wrong!')
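The curl and Requests calls above use the v2.0 token API, while the endpoint list earlier on this page advertises the v3 API (http://openstack:5000/v3). As an added example (not from the original post and not python-keystoneclient code), the block below builds the v3 password-authentication body, parses the v3 response, in which the token id travels in the X-Subject-Token header rather than the body, and looks up a service URL in the returned catalog, which is how a client learns the Nova endpoint to send its server-creation request to. The response embedded here is constructed to the shape of a real v3 reply; all ids in it are placeholders, and only request_token touches the network.

```python
import json
from urllib.request import Request, urlopen


def build_v3_password_auth(username, password, user_domain="Default",
                           project=None, project_domain="Default"):
    """Request body for POST /v3/auth/tokens.

    Without a project the result is an unscoped token (step 1 of the access
    flow); with a project it is project-scoped (step 3).
    """
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": username,
                              "domain": {"name": user_domain},
                              "password": password}}}}}
    if project is not None:
        body["auth"]["scope"] = {"project": {"name": project,
                                             "domain": {"name": project_domain}}}
    return body


def request_token(base_url, body):
    """POST the body to <base_url>/v3/auth/tokens; returns (headers, body text).

    This is the only function that performs a real network call.
    """
    req = Request(base_url.rstrip("/") + "/v3/auth/tokens",
                  data=json.dumps(body).encode("utf-8"),
                  headers={"Content-Type": "application/json",
                           "Accept": "application/json"})
    with urlopen(req) as resp:
        return dict(resp.headers), resp.read().decode("utf-8")


def parse_token_response(headers, body_text):
    """Extract what a client needs: token id, expiry, scope, roles and catalog.

    In v3 the token id is the X-Subject-Token header, not a field in the body.
    """
    token = json.loads(body_text)["token"]
    return {
        "token": headers["X-Subject-Token"],
        "expires_at": token["expires_at"],
        "user": token["user"]["name"],
        "project": token.get("project", {}).get("name"),
        "roles": sorted(r["name"] for r in token.get("roles", [])),
        "catalog": token.get("catalog", []),
    }


def find_endpoint(catalog, service_type, interface="public", region=None):
    """Return the URL for a service type and interface (optionally a region)."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region"]):
                return ep["url"]
    return None


# Constructed sample response shaped like a real v3 reply; ids are placeholders.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token-id",
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"],
    "issued_at": "2014-02-10T00:40:20.000000Z",
    "expires_at": "2014-02-11T00:40:20.000000Z",
    "user": {"id": "user-id-placeholder", "name": "demo",
             "domain": {"id": "default", "name": "Default"}},
    "project": {"id": "project-id-placeholder", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "role-id-placeholder", "name": "member"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "id": "svc-keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne", "url": "http://openstack:5000/v3"},
            {"interface": "internal", "region": "RegionOne", "url": "http://openstack:5000/v3"}]},
        {"type": "compute", "name": "nova", "id": "svc-nova", "endpoints": [
            {"interface": "public", "region": "RegionOne", "url": "http://openstack:8774/v2.1"}]},
    ]}})


if __name__ == "__main__":
    info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(info["token"], info["roles"], find_endpoint(info["catalog"], "compute"))
    # Live use: headers, text = request_token("http://openstack:5000",
    #     build_v3_password_auth("demo", "password", project="demo"))
```

The token id from X-Subject-Token is what later requests carry in the X-Auth-Token header; the catalog lookup replaces hard-coding service URLs, which is exactly why the endpoint records created earlier on this page must be correct.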
