CentOS 7: configuring Keystone
Reprinted
I have recently been learning OpenStack and am sharing the installation process for the Rocky release; comments and corrections are welcome.
This part covers installing and configuring the Keystone identity component. It continues from part 01 of the series (CentOS7-徒手安装OpenStack(Rocky版)系列-01, "CentOS 7 hands-on OpenStack (Rocky) installation").
*** All commands in this part are run on the controller node ***
1. Basic concepts
Keystone (OpenStack Identity Service) is one of OpenStack's core components and provides a unified identity service for the others: authentication, issuing and validating tokens, the service catalog, and the definition of user permissions. Keystone acts like a service bus: each service registers its Endpoint (the URL at which it is reached) with Keystone, and before one service can call another it authenticates with Keystone, looks up the target service's Endpoint, and only then makes the call. As the foundational support service, Keystone is responsible for:
- managing users and their permissions
- maintaining the Endpoints of the OpenStack Services
- Authentication and Authorization
1.1 Terminology
User: any entity that uses OpenStack, whether a person, another system or a service. When a User requests access to OpenStack, Keystone authenticates it.
Credentials: the information a User presents to prove its identity: (1) username/password, (2) a Token, (3) an API key, (4) other, more advanced methods.
Authentication: the process by which Keystone verifies a User's identity. The User submits Credentials (for example a username and password); once they are verified, Keystone issues a Token that serves as the Credential for the User's subsequent requests. Note: Authentication is a process; on success it ends with a Token being issued to the caller.
Token: an opaque string of letters and digits that Keystone issues to a User after successful Authentication. Components present it when calling each other so the callee can check whether the caller is authorized; a Token is scoped, and only authorizes operations on resources within that scope. (1) A Token is used as the Credential for accessing a Service. (2) The Service validates the Token with Keystone. (3) The Token lifetime is set by `expiration` in the `[token]` section of keystone.conf; the Rocky default is 3600 seconds (1 hour), and the expiry timestamps in section 2.9 (about an hour after issue) match that.
Project: groups and isolates OpenStack resources (compute, storage, network). A Project can represent a customer (tenant), a department or a team. Notes: (1) Resources are owned by the Project, not by a User. (2) In OpenStack's UI and documentation the terms Tenant / Project / Account are used interchangeably, with Project the long-term preferred name. (3) Every User (admin included) must be assigned to a Project to access that Project's resources; a User may belong to several Projects. (4) admin is the equivalent of root and has the highest privileges.
Service: OpenStack's Services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron) and others. Each Service exposes one or more Endpoints through which Users access resources and perform operations.
Endpoint: a network-reachable address, normally a URL, through which a Service exposes its API. Keystone manages and maintains the Endpoints of every Service.
Role: Keystone implements Authorization with Roles, which express what an authenticated User is allowed to do; a Role is assigned to a User on a Project (or domain) and appears in Tokens scoped to it.
1.2 Keystone's part in the workflow, using VM creation as the example
The general flow: the user first presents identity information, such as a username and password, to Keystone. Keystone checks it against its database and, if it is valid, returns a token; every subsequent request from the user carries that token. When the user asks Nova for a virtual machine, Nova passes the user's token to Keystone for validation, Keystone determines from the token whether the user is allowed to perform the operation, and if so Nova serves the request. Every other component interacts with Keystone in the same way.
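The exchange described above, as an added example that is not part of the original post and not Keystone's own code: it builds the JSON a client POSTs to /v3/auth/tokens, parses a constructed scoped-token response (shaped like Keystone's and using the IDs that appear later on this page; the token string is a placeholder), resolves an endpoint from the catalog the way a client does, and builds the validation request that a service such as Nova sends to Keystone with the caller's token in X-Subject-Token. AUTH_URL and the sample reply are assumptions; nothing is sent over the network.

```python
import json
from datetime import datetime, timezone

AUTH_URL = "http://controller:5000/v3"  # assumed: the OS_AUTH_URL used on this page


def build_password_auth(username, password, user_domain, project, project_domain):
    """Body of POST /v3/auth/tokens for a project-scoped password login."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def parse_token_response(headers, body):
    """Pick out what a client keeps from a 201 reply to POST /v3/auth/tokens.

    The token itself is not in the body: Keystone returns it in the
    X-Subject-Token header. The body describes the scope, the roles the
    user holds there, and the service catalog.
    """
    t = json.loads(body)["token"]
    expires = datetime.strptime(t["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "token": headers["X-Subject-Token"],
        "expires_at": expires.replace(tzinfo=timezone.utc),
        "project_id": t["project"]["id"],
        "user_id": t["user"]["id"],
        "roles": sorted(r["name"] for r in t.get("roles", [])),
        "catalog": t.get("catalog", []),
    }


def find_endpoint(catalog, service_type, interface="public", region="RegionOne"):
    """Resolve a service URL from the catalog the way a client does; None if absent."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and ep["region"] == region:
                return ep["url"]
    return None


def build_validation_request(service_token, subject_token):
    """The request a service (e.g. Nova) sends to Keystone to validate a caller's token."""
    return {
        "method": "GET",
        "url": AUTH_URL + "/auth/tokens",
        "headers": {
            "X-Auth-Token": service_token,     # the service's own token
            "X-Subject-Token": subject_token,  # the caller's token being checked
        },
    }


# Constructed sample reply, shaped like Keystone's; the IDs are the ones this
# page's endpoint/project/user listings show, the token value is a placeholder.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABe40be-EXAMPLE"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2020-06-12T10:11:58.000000Z",
    "project": {"id": "e0d62651d2ad4c98a9a582b561ccc685", "name": "admin"},
    "user": {"id": "7129dac220e041acabf74d8f722bc080", "name": "admin"},
    "roles": [{"name": "admin"}, {"name": "member"}, {"name": "reader"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": i, "region": "RegionOne", "url": "http://controller:5000/v3/"}
        for i in ("public", "internal", "admin")]}],
}})


def demo():
    """Run the four steps of the flow against the constructed reply."""
    request_body = build_password_auth("admin", "123456", "Default", "admin", "Default")
    info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    identity_url = find_endpoint(info["catalog"], "identity")
    validation = build_validation_request("service-token-placeholder", info["token"])
    return request_body, info, identity_url, validation


if __name__ == "__main__":
    body, info, url, req = demo()
    print(json.dumps(body, indent=2))
    print(info["project_id"], info["roles"], url, req["headers"])
```

The validating service needs a token of its own (X-Auth-Token); that is what the per-service users in the service project created in section 2.8 are for.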
2. Installing Keystone
2.1 What the Keystone identity service provides
(1) Users and authentication: user permissions and tracking of user actions
User
Tenant (called Project in the v3 API)
Token
Role
(2) Service catalog: a catalog of every service and the API endpoints belonging to each
Service
Endpoint
2.2 Create the Keystone database on the controller node
# Note: passing the root password on the command line (-predhat) leaves it in the shell history; `mysql -p` with an interactive prompt avoids that. The grants below use the weak password "keystone" and allow the account from any host ('%'); in a real deployment use a strong password and restrict the host to the controller(s) that run Keystone.
[root@controller ~]# mysql -predhat
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
MariaDB [(none)]> select user,host from mysql.user;
+----------+------------------------+
| user | host |
+----------+------------------------+
| keystone | % |
| root | 127.0.0.1 |
| root | ::1 |
| root | controller.fzxz686.com |
| keystone | localhost |
| root | localhost |
+----------+------------------------+
6 rows in set (0.00 sec)
MariaDB [(none)]> exit
Bye
2.3 Install the Keystone packages
(1) Install the Keystone packages. The command is not shown on this page; the official Rocky RDO install guide uses `yum install openstack-keystone httpd mod_wsgi`. Keystone is served by Apache httpd through mod_wsgi rather than as a standalone daemon. Historically it listened on 5000 (public API) and 35357 (admin API); since the Queens release all three interface types are served on 5000, and the stock Rocky wsgi-keystone.conf installed in 2.6 listens on 5000 only (the netstat output there confirms it).
(2) Edit keystone.conf. The two settings belong to different sections: connection under [database], provider under [token]. The connection string embeds the database password, so keep keystone.conf unreadable to other local users.
[root@controller ~]# vi /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token]
provider = fernet
# Another way to view the effective (non-comment) settings
[root@controller ~]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet
# The keystone service itself is not started; it is served by httpd (section 2.6).
2.4 Populate the Keystone database
(1) Sync the database schema (44 tables)
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
(2) After the sync, connect as the keystone user and confirm that all tables were created
[root@controller ~]# mysql -h192.168.137.100 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
[root@controller ~]# mysql -h192.168.137.100 -ukeystone -pkeystone -e "use keystone;show tables;" | wc -l
45
2.5 Initialize the key repositories
# Initialize the Fernet key repository (the keys that encrypt tokens) and the credential key repository (the keys that encrypt stored credentials); by default they are created under /etc/keystone/fernet-keys and /etc/keystone/credential-keys, owned by keystone:keystone and readable by that user only
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Both commands print nothing on success
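What fernet_setup does to the key repository, and what the later fernet_rotate does to it, as an added example: a stdlib re-implementation of the file naming and rotation rules, not Keystone's own code, run against a temporary directory so it never touches /etc/keystone/fernet-keys. It goes one step beyond the page, which only runs the setup: key 0 is the staged key, the highest-numbered file is the primary that encrypts new tokens, the rest are secondaries that can only decrypt, and `max_active_keys` in `[fernet_tokens]` (default 3) bounds how many files are kept. The directory and file modes mirror what the real command sets.

```python
import base64
import os
import stat
import tempfile

MAX_ACTIVE_KEYS = 3  # Keystone's default for [fernet_tokens] max_active_keys


def _new_key():
    # A Fernet key is 32 random bytes (16 signing + 16 encryption), urlsafe-base64 encoded
    return base64.urlsafe_b64encode(os.urandom(32))


def _write_key(repo, index):
    path = os.path.join(repo, str(index))
    with open(path, "wb") as fh:
        fh.write(_new_key())
    os.chmod(path, 0o600)  # key files are readable by the keystone user only


def key_indexes(repo):
    """Key files are named by integer; return the indexes sorted."""
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())


def fernet_setup(repo):
    """Same layout as `keystone-manage fernet_setup`: 0 (staged) and 1 (primary)."""
    os.makedirs(repo, exist_ok=True)
    os.chmod(repo, 0o700)
    _write_key(repo, 0)
    _write_key(repo, 1)
    return key_indexes(repo)


def classify(repo):
    """0 is staged, the highest index is primary, every other key is secondary."""
    indexes = key_indexes(repo)
    primary = max(indexes)
    return {"staged": 0, "primary": primary,
            "secondary": [i for i in indexes if i not in (0, primary)]}


def fernet_rotate(repo, max_active_keys=MAX_ACTIVE_KEYS):
    """Same effect as `keystone-manage fernet_rotate`.

    The staged key is promoted (renamed to primary+1), a fresh staged key 0
    is written, then the lowest-numbered secondaries are deleted until at
    most max_active_keys files remain. A token encrypted under a deleted
    key can no longer be validated.
    """
    primary = max(key_indexes(repo))
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(primary + 1)))
    _write_key(repo, 0)
    indexes = key_indexes(repo)
    while len(indexes) > max_active_keys:
        oldest = min(i for i in indexes if i != 0)
        os.remove(os.path.join(repo, str(oldest)))
        indexes = key_indexes(repo)
    return indexes


def audit_permissions(repo):
    """List group/world-accessible paths; a sound repository returns []."""
    problems = []
    if stat.S_IMODE(os.stat(repo).st_mode) & 0o077:
        problems.append("directory %s is group/world accessible" % repo)
    for i in key_indexes(repo):
        path = os.path.join(repo, str(i))
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append("key %d is group/world readable" % i)
    return problems


def demo(rotations=3):
    """Set up a throwaway repository and rotate it; return the index history."""
    repo = os.path.join(tempfile.mkdtemp(), "fernet-keys")  # stand-in for /etc/keystone/fernet-keys
    history = [fernet_setup(repo)]
    for _ in range(rotations):
        history.append(fernet_rotate(repo))
    return history, classify(repo), audit_permissions(repo)


if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

With the default of 3 the repository goes 0,1 → 0,1,2 → 0,2,3 → 0,3,4: after each rotation exactly one older key survives as a secondary. Because a token encrypted under a pruned key fails validation, max_active_keys times the rotation interval must exceed the token lifetime, and every controller that runs Keystone must hold an identical repository (rotate on one node, then copy to the others).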
2.6 Configure and start Apache
(1) Edit the main httpd configuration file
[root@controller ~]# cd /etc/httpd/conf/
[root@controller conf]# cp httpd.conf httpd.conf-bak
[root@controller conf]# vi httpd.conf
[root@controller conf]# cat httpd.conf | grep ServerName
# ServerName gives the name and port that the server uses to identify itself.
ServerName 192.168.137.100
(2) Install the virtual host configuration shipped with the keystone package. (The page's rendering stripped the angle-bracket container directives from the listing; they are restored here from the stock Rocky file, leaving the directives the page shows unchanged.)
[root@controller ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# more /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
# Notes: WSGIPassAuthorization On is required so the Authorization header reaches Keystone; the Keystone WSGI processes run as the unprivileged keystone user, not as apache.
(3) Start httpd and enable it at boot
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-06-12 16:30:26 CST; 5s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 4686 (httpd)
Status: "Processing requests..."
CGroup: /system.slice/httpd.service
├─4686 /usr/sbin/httpd -DFOREGROUND
├─4687 (wsgi:keystone- -DFOREGROUND
├─4688 (wsgi:keystone- -DFOREGROUND
├─4689 (wsgi:keystone- -DFOREGROUND
├─4690 (wsgi:keystone- -DFOREGROUND
├─4691 (wsgi:keystone- -DFOREGROUND
├─4692 /usr/sbin/httpd -DFOREGROUND
├─4693 /usr/sbin/httpd -DFOREGROUND
├─4694 /usr/sbin/httpd -DFOREGROUND
├─4701 /usr/sbin/httpd -DFOREGROUND
└─4702 /usr/sbin/httpd -DFOREGROUND
Jun 12 16:30:26 controller.fzxz686.com systemd[1]: Starting The Apache HTTP Server...
Jun 12 16:30:26 controller.fzxz686.com systemd[1]: Started The Apache HTTP Server.
[root@controller ~]# netstat -anptl | grep httpd
tcp6 0 0 :::5000 :::* LISTEN 4686/httpd
tcp6 0 0 :::80 :::* LISTEN 4686/httpd
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl list-unit-files | grep httpd.service
httpd.service enabled
# httpd configuration is complete. Port 80 in the netstat output is Apache's default site, not Keystone; Keystone is served on 5000 only.
2.7 Initialize the Keystone identity service
(1) Create the keystone service entity and API endpoints, and the admin user
# This bootstraps the keystone service entity and the identity service API endpoints for the three interface types: public, internal and admin.
# A password (ADMIN_PASS in the official guide) must be chosen for the OpenStack admin user; this walkthrough uses 123456. A password passed on the command line is saved in the shell history, so outside a lab use a strong one and remove the command from the history afterwards.
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
# Running this command performs the following in the keystone database (earlier releases required doing each of these by hand):
1) adds the three API endpoints of the identity service to the endpoint table
2) creates the admin user in the local_user table
3) creates the admin project and the Default domain in the project table (a domain is stored as a project row with is_domain = True)
4) creates the admin, member and reader roles in the role table
5) creates the identity service in the service table
(2) Configure the administrative account
# OS_PASSWORD here must be the ADMIN_PASS chosen above
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=123456
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
# check
[root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
(3) Inspect what bootstrap created
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 7a635e94e3b2405e80bf0d8ac1797635 | RegionOne | keystone | identity | True | internal | http://controller:5000/v3/ |
| 9611f6055bba4ccd988c0b3e899962d6 | RegionOne | keystone | identity | True | public | http://controller:5000/v3/ |
| ea048b8741a444abb6dad98648c4cbb9 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@controller ~]# openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| e0d62651d2ad4c98a9a582b561ccc685 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 7129dac220e041acabf74d8f722bc080 | admin |
+----------------------------------+-------+
2.8 Create the regular Keystone entities
Create a domain, projects, users, and roles
Reference: https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html
(1) Create a Keystone domain named example; it is stored as a row named example in the project table (with is_domain = True)
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 33a3eb73de9b44f29cb0e1b8580e4112 |
| name | example |
| tags | [] |
+-------------+----------------------------------+
(2) Create the service project in the default domain. Each OpenStack service added later gets its own unprivileged user in this project for service-to-service authentication; the command adds a row named service to the project table.
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 0c127478207042828e8196fb79a88a45 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
(3) Create the myproject project for regular (non-admin) users, together with its user and role in the steps that follow; the command adds a row named myproject to the project table.
[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | bae0d0303095429ba2b01363ef800f57 |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
(4) Create the myuser user in the default domain. --password sets the password on the command line (and leaves it in the shell history); --password-prompt asks for it interactively. Either form adds a row to the local_user table (the password hash goes to the password table).
# openstack user create --domain default --password-prompt myuser   # prompt for the password
# openstack user create --domain default --password=myuser myuser   # password given inline
[root@controller ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 07d8304d0e7346f5940e3b7842f88f2d |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
The password entered here was redhat.
(5) Create the myrole role (a row in the role table)
[root@controller ~]# openstack role create myrole
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | e6090b04661146e0ba4390614432ce8a |
| name | myrole |
+-----------+----------------------------------+
(6) Assign myrole to myuser on myproject (a row in the assignment table)
[root@controller ~]# openstack role add --project myproject --user myuser myrole
2.9 Verify the Keystone installation
(1) Unset the temporary OS_AUTH_URL and OS_PASSWORD variables so that the checks below authenticate explicitly
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
[root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
(2) Request an authentication token as the admin user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password: ### enter 123456
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-12T10:11:58+0000 |
| id | gAAAAABe40be-TWvaLjxck4w0EyK6RaHp7j9wboJSoPdjM1ztyH-YsWjxYtwfuwqERhNLHzRGVcdBNxxZKqz6jedGRp5WXPC1A3Yq5k9IAhkiO-wsvcnvfsk9KdQWy6iVgwxxMeyqb5zoGBoH5BEG6wjqSLjVirZObvisxYy9TQuEtpPqf0g4PE |
| project_id | e0d62651d2ad4c98a9a582b561ccc685 |
| user_id | 7129dac220e041acabf74d8f722bc080 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(3) Request a token as a regular user, the myuser account just created
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password: ### enter the password set above: redhat
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-12T10:13:21+0000 |
| id | gAAAAABe40cxQwX2gXQ1xvKhueQINgMRkZ9y10cU_bavcMdEFHBfgQ-9qYflXi4sGQ1VpBs0wjOcoNAjml-ZYP4q4Alg5Cmt3XvRpk7LZcm0gnXa8ZpS3epdr5aGJ4hccn-aw0JlPcjLSUl8osqrS7nAkTfUmEy0TjAUOlDF9ZlUXf9_o0AKidw |
| project_id | bae0d0303095429ba2b01363ef800f57 |
| user_id | 07d8304d0e7346f5940e3b7842f88f2d |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2.10 Create OpenStack client environment scripts
# Create OpenStack client environment scripts
# Above, the openstack client was driven by a mix of environment variables and command-line options.
# To make client use more efficient, OpenStack supports simple environment scripts (OpenRC files); custom file names are used here. These files hold the password in cleartext, so keep them readable by their owner only (chmod 600) and out of shared or version-controlled directories.
(1) Create the environment script for the admin user
[root@controller ~]# cd /server/tools/
[root@controller tools]# vi keystone-admin-pass.sh
[root@controller tools]# more keystone-admin-pass.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
(2) Create the environment script for the regular user myuser
[root@controller tools]# vi keystone-myuser-pass.sh
[root@controller tools]# more keystone-myuser-pass.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
(3) Test the script: source it to load the client settings for a given project and user
[root@controller tools]# source keystone-admin-pass.sh
(4) Request an authentication token
[root@controller tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-12T10:30:54+0000 |
| id | gAAAAABe40tOfNcB-9D4B3ShWWN_WntyzrvwfVzepRSplwEWFM6i5Mt5utqqfg0tEZnQxcAtwHimVsMGChrqyedns2hE_gQIxM_ewa_gy5EY5OW7mxBIVMVXqlcTRrbp-3RhzquPMNxyTC5ZNzeg5qPUOI4KMOZHUvXYt8DQyb2NLSt2mDGhCN4 |
| project_id | e0d62651d2ad4c98a9a582b561ccc685 |
| user_id | 7129dac220e041acabf74d8f722bc080 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# The user_id matches the one obtained earlier with explicit command-line options.
# Keystone is now configured.
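An audit of OpenRC files like the two above, as an added example that is not from the original post: it parses the `export NAME=value` lines, flags a cleartext OS_PASSWORD, a plain-http OS_AUTH_URL and a file mode that lets other local users read the file, and writes a hardened variant that is created 0600 and prompts for the password when sourced instead of storing it. The input is a constructed copy of keystone-admin-pass.sh; the hardened file's name and its bash `read -s` prompt line are my choices.

```python
import os
import re
import stat
import tempfile

EXPORT_RE = re.compile(r'^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(["\']?)(.*)\2\s*$')
REQUIRED = ("OS_AUTH_URL", "OS_USERNAME", "OS_PROJECT_NAME",
            "OS_USER_DOMAIN_NAME", "OS_PROJECT_DOMAIN_NAME")

# Constructed copy of keystone-admin-pass.sh as it appears on this page.
PAGE_ADMIN_SCRIPT = """\
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""


def parse_openrc(text):
    """Collect `export NAME=value` assignments (surrounding quotes stripped) into a dict."""
    env = {}
    for line in text.splitlines():
        match = EXPORT_RE.match(line)
        if match:
            env[match.group(1)] = match.group(3)
    return env


def audit_openrc(path):
    """Return (env, findings) for an OpenRC file; an empty findings list means no concerns."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %o lets other local users read the file; chmod 600 it" % mode)
    with open(path) as fh:
        env = parse_openrc(fh.read())
    if env.get("OS_PASSWORD"):
        findings.append("OS_PASSWORD is stored in cleartext; drop it and prompt at source time")
    if env.get("OS_AUTH_URL", "").startswith("http://"):
        findings.append("OS_AUTH_URL is plain http; the password and tokens cross the wire unencrypted")
    for name in REQUIRED:
        if name not in env:
            findings.append("missing %s" % name)
    return env, findings


def write_hardened_openrc(path, env):
    """Write env without OS_PASSWORD, created 0600, prompting for the password when sourced."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for name in sorted(env):
            if name != "OS_PASSWORD":
                fh.write("export %s=%s\n" % (name, env[name]))
        # bash `read -s` keeps the password out of the file, the history and the terminal
        fh.write('read -r -s -p "OpenStack password for $OS_USERNAME: " OS_PASSWORD; echo; export OS_PASSWORD\n')
    os.chmod(path, 0o600)  # also fixes the mode if the file already existed
    return path


def demo():
    """Audit the page's script as written, then the hardened rewrite."""
    workdir = tempfile.mkdtemp()
    weak = os.path.join(workdir, "keystone-admin-pass.sh")
    with open(weak, "w") as fh:
        fh.write(PAGE_ADMIN_SCRIPT)
    os.chmod(weak, 0o644)  # what a fresh file from vi typically gets under umask 022
    env, before = audit_openrc(weak)
    hardened = write_hardened_openrc(os.path.join(workdir, "keystone-admin.sh"), env)
    _, after = audit_openrc(hardened)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The one finding left after hardening, the http:// auth URL, cannot be fixed in the client file; it needs TLS in front of the Keystone endpoints, which this walkthrough does not set up.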
References:
https://docs.openstack.org/keystone/rocky/getting-started/index.html
-------------END------------
Author: 疯子行者
This article is a reprint; we respect the original author's copyright. If there are errors in the content or infringement concerns, the original author is welcome to contact us to have the content corrected or the article removed.