Chapter 2: Identity Service (Keystone)
Introduction
Authentication: the Identity service verifies users, decides what they may do, and records which user performed which action. The objects involved:
- User
- Project
- Token
- Role
Service catalog: a catalog of every service in the deployment and the API endpoints of each.
- Service
- Endpoint
Installation and configuration
1 Installation
1.1.1 Create the database. It was created in Chapter 1, so this step is not repeated here.
1.1.2 Install the required packages:
[root@openstack-1 ~]# yum install openstack-keystone httpd mod_wsgi
2 Edit the configuration file
Configuration file path: [root@openstack-1 ~]# vim /etc/keystone/keystone.conf
2.1.1 In the [database] section, configure database access:
connection = mysql+pymysql://keystone:keystone@192.168.10.131/keystone
The password here must match the one granted to the keystone database user in Chapter 1. A password identical to the username, as in this lab, is acceptable only in a throwaway test environment.
2.1.2 Populate the Identity service database:
[root@openstack-1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
Verify:
[root@openstack-1 ~]# mysql -h 192.168.10.172 -ukeystone -pkeystone -e "use keystone;show tables;"
Tables_in_keystone (44 tables):
access_token, application_credential, application_credential_role, assignment, config_register,
consumer, credential, endpoint, endpoint_group, federated_user, federation_protocol, group,
id_mapping, identity_provider, idp_remote_ids, implied_role, limit, local_user, mapping,
migrate_version, nonlocal_user, password, policy, policy_association, project, project_endpoint,
project_endpoint_group, project_tag, region, registered_limit, request_token, revocation_event,
role, sensitive_config, service, service_provider, system_assignment, token, trust, trust_role,
user, user_group_membership, user_option, whitelisted_config
Passing the password inline with -pkeystone writes it into the shell history and exposes it in ps output while the command runs; outside a lab, use -p alone and type the password at the prompt.
2.1.3 In the [cache] section, configure the memcached address:
memcache_servers = 192.168.10.131:11211
2.1.4 In the [token] section, configure the Fernet token provider:
provider = fernet
2.1.5 In the [DEFAULT] section, define the value of the initial administration token:
[root@openstack-1 ~]# openssl rand -hex 10
feaaf0b364b16d1c84b3
[root@openstack-1 ~]# vim /etc/keystone/keystone.conf
admin_token = feaaf0b364b16d1c84b3
The admin token is a bootstrap shared secret: any client that presents it on the admin endpoint gets full administrative rights with no user identity and no password. Comment the line out again as soon as the admin user and role created below exist. Newer Keystone releases deprecate admin_token in favour of keystone-manage bootstrap, which creates the admin user, role, project and endpoints in one step.
2.1.6 Initialize the Fernet key repository:
[root@openstack-1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
This creates /etc/keystone/fernet-keys/ readable only by the keystone user. Anyone who can read these keys can mint valid tokens for any user, so keep the ownership and mode as created and rotate the keys regularly with keystone-manage fernet_rotate. The official install guide also runs keystone-manage credential_setup with the same --keystone-user and --keystone-group options right after this step, to create the key repository used for encrypting stored credentials.
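The script below is an added example, not part of the original post. It reads a keystone.conf and checks the three settings from this section that matter most for security: the Fernet token provider, an admin_token left in place after bootstrap, and a database password that equals the username. It constructs two sample files so it runs offline: "weak" mirrors the values configured above, "hardened" has the token commented out and a distinct database password (the password string is the example's own). Pass a real /etc/keystone/keystone.conf as the first argument to audit a live node.

```shell
#!/usr/bin/env bash
# Added example: audit keystone.conf for the security-relevant settings of this chapter.
# Not from the original post. Usage: ./check_keystone_conf.sh [/etc/keystone/keystone.conf]

# ini_get <file> <section> <key>: print the value of key inside [section];
# prints nothing if the key is unset or commented out. First match wins.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $0 !~ /^[[:space:]]*#/ {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[[:space:]]*/, "")
                sub(/[[:space:]]+$/, "")
                print
                exit
            }
        }' "$1"
}

# check_keystone_conf <file>: print one line per finding, return the number of findings.
check_keystone_conf() {
    local f=$1 findings=0 provider conn creds dbuser dbpass

    provider=$(ini_get "$f" token provider)
    if [ "$provider" != fernet ]; then
        echo "FAIL: [token] provider is '${provider:-unset}', expected fernet"
        findings=$((findings + 1))
    fi

    # The bootstrap admin_token grants full administrative access with no user
    # identity or password, so it must not survive past the initial setup.
    if [ -n "$(ini_get "$f" DEFAULT admin_token)" ]; then
        echo "FAIL: [DEFAULT] admin_token is still set; comment it out once the admin user exists"
        findings=$((findings + 1))
    fi

    # user:password sits between '://' and '@' in the SQLAlchemy connection URL.
    conn=$(ini_get "$f" database connection)
    creds=${conn#*://}; creds=${creds%%@*}
    dbuser=${creds%%:*}
    case $creds in
        *:*) dbpass=${creds#*:} ;;
        *)   dbpass= ;;            # no password in the URL: nothing to compare
    esac
    if [ -n "$conn" ] && [ "$dbuser" = "$dbpass" ]; then
        echo "FAIL: [database] password equals the username '$dbuser'"
        findings=$((findings + 1))
    fi

    return $findings
}

# make_sample_conf weak|hardened: write a constructed sample (not a real node's
# file) to a temp file and print its path. "weak" mirrors this chapter's values.
make_sample_conf() {
    local f
    f=$(mktemp) || return 1
    if [ "$1" = weak ]; then
        cat >"$f" <<'EOF'
[DEFAULT]
admin_token = feaaf0b364b16d1c84b3
[database]
connection = mysql+pymysql://keystone:keystone@192.168.10.131/keystone
[cache]
memcache_servers = 192.168.10.131:11211
[token]
provider = fernet
EOF
    else
        cat >"$f" <<'EOF'
[DEFAULT]
#admin_token = <None>
[database]
connection = mysql+pymysql://keystone:S3cure-db-pass-2018@192.168.10.131/keystone
[cache]
memcache_servers = 192.168.10.131:11211
[token]
provider = fernet
EOF
    fi
    echo "$f"
}

# Audit the file given on the command line, or the two constructed samples.
if [ -n "${1:-}" ]; then
    check_keystone_conf "$1"
else
    for kind in weak hardened; do
        f=$(make_sample_conf "$kind")
        echo "== $kind sample =="
        check_keystone_conf "$f" || echo "$? finding(s)"
        rm -f "$f"
    done
fi
```

Run without arguments it reports two findings for the weak sample and none for the hardened one; the return code of check_keystone_conf is the finding count, so it can gate a configuration-management run.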
Configure the Apache HTTP server
Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
[root@openstack-1 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.10.131.com:80
Create /etc/httpd/conf.d/wsgi-keystone.conf:
[root@openstack-1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
Both virtual hosts serve plain HTTP, so the passwords sent to POST /v3/auth/tokens and the tokens returned travel in cleartext. On anything beyond a lab, bind these listeners to a management network or terminate TLS in front of them. Port 35357 is the legacy admin endpoint; the Identity v3 API serves administrative calls on port 5000 as well, which is why newer install guides configure only 5000.
Start the Apache HTTP server
[root@openstack-1 ~]# systemctl start httpd.service
[root@openstack-1 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-09-10 16:31:49 CST; 5s ago
The unit shows as enabled here; if yours does not, run systemctl enable httpd.service so Keystone comes back after a reboot. Confirm that both listeners are up:
[root@openstack-1 ~]# netstat -lnutp
tcp6       0      0 :::35357                :::*                    LISTEN      29366/httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      29366/httpd
Create the service entity and API endpoints
Configure some environment variables
# Configure the authentication token. Use the admin_token value generated in step 2.1.5:
[root@openstack-1 ~]# export OS_TOKEN=feaaf0b364b16d1c84b3
# Configure the endpoint URL:
[root@openstack-1 ~]# export OS_URL=http://192.168.10.131:35357/v3
# Configure the Identity API version:
[root@openstack-1 ~]# export OS_IDENTITY_API_VERSION=3
In your OpenStack environment, the Identity service manages the service catalog. Services use this catalog to locate the other services available in the environment.
Create the service entity for the Identity service:
[root@openstack-1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 104c3080fcc244f7a35d8db7edd705fd |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Create the Identity service API endpoints:
[root@openstack-1 ~]# openstack endpoint create --region RegionOne \
> identity public http://192.168.10.131:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | e4c16def09be48ef896f47dbd1d1acdf |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 104c3080fcc244f7a35d8db7edd705fd |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.131:5000/v3    |
+--------------+----------------------------------+
[root@openstack-1 ~]# openstack endpoint create --region RegionOne \
> identity internal http://192.168.10.131:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 4358d43f58db4e1597080563818789e4 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 104c3080fcc244f7a35d8db7edd705fd |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.131:5000/v3    |
+--------------+----------------------------------+
[root@openstack-1 ~]# openstack endpoint create --region RegionOne \
> identity admin http://192.168.10.131:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fec325ae88c944b4bb7a638bf2cfd62f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 104c3080fcc244f7a35d8db7edd705fd |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.131:35357/v3   |
+--------------+----------------------------------+
Create a domain, projects, users and roles
Create the domain default:
[root@openstack-1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 1467b79777934b018b28795eaf630fda |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+
Create an administrative project, user and role for administrative operations in your environment:
Create the admin project:
[root@openstack-1 ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 1467b79777934b018b28795eaf630fda |
| enabled     | True                             |
| id          | 7cdfaafe2cc1430e952da1fbabbe5d44 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 1467b79777934b018b28795eaf630fda |
| tags        | []                               |
+-------------+----------------------------------+
Create the admin user:
[root@openstack-1 ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | 5a0843d933314d50b17444964f9d0548 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
Create the admin role:
[root@openstack-1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | a0a8af3ee12e489db94f28c3213f6714 |
| name      | admin                            |
+-----------+----------------------------------+
Add the admin role to the admin project and user:
[root@openstack-1 ~]# openstack role add --project admin --user admin admin
Create a service project that will hold a unique user for each service you add to the environment. Create the service project:
[root@openstack-1 ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 1467b79777934b018b28795eaf630fda |
| enabled     | True                             |
| id          | 92a5288af551492187a08c8a4ceecae3 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 1467b79777934b018b28795eaf630fda |
| tags        | []                               |
+-------------+----------------------------------+
Regular (non-admin) tasks should use an unprivileged project and user. Create the demo project and user:
[root@openstack-1 ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 1467b79777934b018b28795eaf630fda |
| enabled     | True                             |
| id          | 7742f4ce532a47a595156c0523e13467 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 1467b79777934b018b28795eaf630fda |
| tags        | []                               |
+-------------+----------------------------------+
Create the demo user:
[root@openstack-1 ~]# openstack user create --domain default \
> --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | 48ecd31297544488bec6fd22ee4395ff |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
Create the user role:
[root@openstack-1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | ba43c688d79041fc903af29b85379936 |
| name      | user                             |
+-----------+----------------------------------+
Add the user role to the demo project and user:
[root@openstack-1 ~]# openstack role add --project demo --user demo user
Create the other users needed by later chapters
Create the glance user in the service project and grant it the admin role:
[root@openstack-1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | 48fd9a0e6a0a47a8b09fba0c5b7ec7b0 |
| name                | glance                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@openstack-1 ~]# openstack role add --project service --user glance admin
Create the nova user in the service project and grant it the admin role:
[root@openstack-1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | e243dac9e0674cd0b40d6b8e1e75e1a5 |
| name                | nova                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@openstack-1 ~]# openstack role add --project service --user nova admin
Create the neutron user in the service project and grant it the admin role:
[root@openstack-1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | e0b539e08e2f428790e61343936e75eb |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@openstack-1 ~]# openstack role add --project service --user neutron admin
Create the cinder user in the service project and grant it the admin role:
[root@openstack-1 ~]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 1467b79777934b018b28795eaf630fda |
| enabled             | True                             |
| id                  | 19349d3983bb47eeb92b27c1970217b5 |
| name                | cinder                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@openstack-1 ~]# openstack role add --project service --user cinder admin
With the default policy files of this era, a user holding the admin role in any project is treated as a cloud-wide administrator by most services (the long-standing "admin-ness" problem, bug 968696), so each service account created here is effectively a full administrator. Give them distinct, strong passwords and never reuse them for anything else.
Verify
[root@openstack-1 ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 19349d3983bb47eeb92b27c1970217b5 | cinder  |
| 48ecd31297544488bec6fd22ee4395ff | demo    |
| 48fd9a0e6a0a47a8b09fba0c5b7ec7b0 | glance  |
| 5a0843d933314d50b17444964f9d0548 | admin   |
| e0b539e08e2f428790e61343936e75eb | neutron |
| e243dac9e0674cd0b40d6b8e1e75e1a5 | nova    |
+----------------------------------+---------+
[root@openstack-1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 7742f4ce532a47a595156c0523e13467 | demo    |
| 7cdfaafe2cc1430e952da1fbabbe5d44 | admin   |
| 92a5288af551492187a08c8a4ceecae3 | service |
+----------------------------------+---------+
[root@openstack-1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| a0a8af3ee12e489db94f28c3213f6714 | admin |
| ba43c688d79041fc903af29b85379936 | user  |
+----------------------------------+-------+
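Five accounts now hold the admin role, which is what the official guide prescribes, but it is also the point at which auditing who holds it should begin. The script below is an added example rather than the post's own code: it reads the CSV form of `openstack role assignment list --names -f csv` and flags every admin assignment outside an allow-list (the admin user in the admin project, and service accounts in the service project). The embedded sample is constructed to mirror this chapter's grants plus one planted extra grant that the audit should catch; the column order and the `name@domain` form of the --names output are assumptions, so compare them with your own client's output before relying on the parser.

```shell
#!/usr/bin/env bash
# Added example: audit admin-role assignments from the CSV output of
#   openstack role assignment list --names -f csv
# Not from the original post. Usage: ./audit_admins.sh [assignments.csv]
# With no argument the constructed sample below is used.

# Constructed sample mirroring this chapter's role grants, plus one planted
# grant (demo holding admin in the admin project) that the audit must flag.
# Column layout assumed: Role,User,Group,Project,Domain,System,Inherited.
sample_assignments() {
    cat <<'EOF'
"Role","User","Group","Project","Domain","System","Inherited"
"admin","admin@default","","admin@default","","","False"
"admin","glance@default","","service@default","","","False"
"admin","nova@default","","service@default","","","False"
"admin","neutron@default","","service@default","","","False"
"admin","cinder@default","","service@default","","","False"
"user","demo@default","","demo@default","","","False"
"admin","demo@default","","admin@default","","","False"
EOF
}

# admin_holders [file]: print "user project" for every admin assignment.
# Fields are split on the '","' separator; the outer quotes are stripped.
admin_holders() {
    awk -F'","' 'NR > 1 {
        gsub(/^"/, "", $1); gsub(/"$/, "", $NF)
        if ($1 == "admin") print $2, $4
    }' "$@"
}

# unexpected_admins [file]: print admin assignments outside the allow-list
# (the admin user in the admin project, any user in the service project) and
# return 1 if any were found, 0 otherwise.
unexpected_admins() {
    awk -F'","' '
        NR > 1 {
            gsub(/^"/, "", $1); gsub(/"$/, "", $NF)
            role = $1; user = $2; project = $4
            if (role != "admin") next
            if (user == "admin@default" && project == "admin@default") next
            if (project == "service@default") next
            print user, project
            n++
        }
        END { exit n ? 1 : 0 }' "$@"
}

if [ -n "${1:-}" ]; then
    input=$1
else
    input=$(mktemp); sample_assignments >"$input"
fi
echo "admin role holders (user project):"
admin_holders "$input"
echo "admin grants outside the allow-list:"
unexpected_admins "$input" || echo "-> review the grants listed above"
[ -n "${1:-}" ] || rm -f "$input"
```

Feed it the live output with `openstack role assignment list --names -f csv > assignments.csv` and run it from cron; a non-zero exit from unexpected_admins is the signal that someone gained admin outside the documented set.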
# Delete operations
The commands below only illustrate the delete syntax. Do not run them on a working deployment: they would remove the cinder user, the admin project and the internal Identity endpoint created above.
# Delete a user by ID
[root@openstack-1 ~]# openstack user delete 19349d3983bb47eeb92b27c1970217b5
# Delete a project by ID
[root@openstack-1 ~]# openstack project delete 7cdfaafe2cc1430e952da1fbabbe5d44
# Delete an endpoint: list the endpoints, then delete by ID
[root@openstack-1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 4358d43f58db4e1597080563818789e4 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.10.131:5000/v3  |
| e4c16def09be48ef896f47dbd1d1acdf | RegionOne | keystone     | identity     | True    | public    | http://192.168.10.131:5000/v3  |
| fec325ae88c944b4bb7a638bf2cfd62f | RegionOne | keystone     | identity     | True    | admin     | http://192.168.10.131:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
[root@openstack-1 ~]# openstack endpoint delete 4358d43f58db4e1597080563818789e4
Verify operation
Unset the temporary environment variables so that the admin token is no longer used for authentication:
[root@openstack-1 ~]# unset OS_TOKEN OS_URL
Request a token as the admin user (successful authentication returns a token):
[root@openstack-1 ~]# openstack --os-auth-url http://192.168.10.131:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-09-10T11:31:02+0000                                                                                                                                                                |
| id         | gAAAAABblkfmdZNlskARb2gmmlWp5YTjGh6hFM-Ts4y6-gl7KexwJdVjng31Lxh_c8IgT7rtemol0SPiMHjnHplNn38b3z9sfjX3Is3AIEAfrOPsM-x9BU7Xorn-Ril9_fqm0xXI2_xUXHjk4LeOjArc2doIoHK63myx03HPvMtzfIqLjXUO4pA |
| project_id | 7cdfaafe2cc1430e952da1fbabbe5d44                                                                                                                                                        |
| user_id    | 5a0843d933314d50b17444964f9d0548                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Request a token as the demo user
This command uses the demo user's password and API port 5000, which allows only regular (non-admin) access to the Identity service API.
[root@openstack-1 ~]# openstack --os-auth-url http://192.168.10.131:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-09-10T11:32:33+0000                                                                                                                                                                |
| id         | gAAAAABblkhBJgsaj9lkg1dx7kqvbC3APAiyNDmv1ELZ_YTXJuPfKYE7nlZM3BWVYXqu7Cx9hA5oIr6GGyECiLYliVO08YLwPxqDil2lVLpSLBVqdY3i7WJ6oHvS6VxYgTiC_EUmsxY3cJj5QxFQz9rf607bFf0Z9RXLKkRLTyWfB7mchGGS_74 |
| project_id | 7742f4ce532a47a595156c0523e13467                                                                                                                                                        |
| user_id    | 48ecd31297544488bec6fd22ee4395ff                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Create OpenStack client environment scripts
To run a client as a specific project and user, you can simply load the corresponding client environment script before running it.
The previous section used a combination of environment variables and command options to talk to the Identity service through the openstack client. To avoid that, put the environment variables into a script and source it whenever you need them.
admin script
[root@openstack-1 ~]# cat admin-openstack
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.10.131:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
These scripts store the account password in cleartext, and the lab passwords equal the usernames. Keep the files at mode 600, out of version control and shared backups, and use real passwords outside a test environment.
demo script
[root@openstack-1 ~]# cat demo-openstack
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.10.131:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Verify. Before the script is sourced the client has no auth URL and fails; after sourcing it a token is issued:
[root@openstack-1 ~]# openstack token issue
Missing value auth-url required for auth plugin password
[root@openstack-1 ~]# source admin-openstack
[root@openstack-1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-09-10T11:40:23+0000                                                                                                                                                                |
| id         | gAAAAABblkoX9V1z_13g2y0o3suJQwtZTiK85fMPbBlaTYZ2MB2C8Ph4yargBYDrbO6VIg1FXZKNeBnNrQOdVrTR3apmUloiprP6ZSEaY1Un8__Umka2v5W-BtYl5FXYtPabVmL6FSmCvnexLrxdL7dCZhtbkyCqhq5xkiqmWgC56xt-atQZE7k |
| project_id | 7cdfaafe2cc1430e952da1fbabbe5d44                                                                                                                                                        |
| user_id    | 5a0843d933314d50b17444964f9d0548                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
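The admin-openstack and demo-openstack scripts above keep the password on disk. The helper below is an added example, not part of the original post: write_openrc writes an rc file that exports the same variables as those scripts except OS_PASSWORD, which is prompted for the first time the file is sourced, and creates the file with mode 600; audit_openrc then reports any rc file that still stores OS_PASSWORD or is readable by others. The file names, the prompt text and the legacy sample it constructs for comparison are the example's own choices; the prompt uses bash's read -s, so the generated file is meant to be sourced from bash, as the chapter does.

```shell
#!/usr/bin/env bash
# Added example: generate client rc files that do not store the password,
# and audit existing ones. Not from the original post.
# Usage: ./openrc_tool.sh [rc-file-to-audit]; with no argument it demonstrates
# on a constructed legacy file and a freshly generated one.

# write_openrc <path> <project> <user> <auth_url>: write an rc file exporting
# the chapter's variables minus OS_PASSWORD, which is read from the terminal
# when the file is sourced (bash 'read -s'), and leave it at mode 600.
write_openrc() {
    local path=$1 project=$2 user=$3 auth_url=$4
    ( umask 077; : >"$path" )      # create with 0600 before any content lands in it
    chmod 600 "$path"              # also fixes a pre-existing, wider-mode file
    cat >"$path" <<EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=$project
export OS_USERNAME=$user
export OS_AUTH_URL=$auth_url
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# Prompt instead of storing the password on disk; reuse it if already exported.
if [ -z "\${OS_PASSWORD:-}" ]; then
    printf 'OpenStack password for %s: ' "\$OS_USERNAME"
    read -rs OS_PASSWORD; echo
    export OS_PASSWORD
fi
EOF
}

# write_legacy_openrc <path>: constructed copy of this chapter's admin-openstack
# script (password stored inline, world-readable), used only for the demo run.
write_legacy_openrc() {
    cat >"$1" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.10.131:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    chmod 644 "$1"
}

# file_mode <path>: print the octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_openrc <path>: print one line per finding, return the number of findings.
audit_openrc() {
    local path=$1 findings=0 mode
    if grep -Eq '^[[:space:]]*export[[:space:]]+OS_PASSWORD=' "$path"; then
        echo "FAIL: $path stores OS_PASSWORD in cleartext"
        findings=$((findings + 1))
    fi
    mode=$(file_mode "$path")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $path has mode $mode; expected 600"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

if [ -n "${1:-}" ]; then
    audit_openrc "$1"
else
    dir=$(mktemp -d)
    write_legacy_openrc "$dir/admin-openstack"
    write_openrc "$dir/admin-openrc" admin admin http://192.168.10.131:35357/v3
    for f in "$dir/admin-openstack" "$dir/admin-openrc"; do
        echo "== $f =="
        audit_openrc "$f" || echo "$? finding(s)"
    done
    rm -rf "$dir"
fi
```

Sourcing a generated file prompts once per shell session; the password then lives only in that process's environment, which is still visible to root on the same host, so this is a mitigation for files at rest, not a secrets manager.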
Author: 闫世成
Source: http://cnblogs.com/yanshicheng
