Introduction
Endpoint: users present their authentication information through an endpoint to reach the service and obtain resources.
- After a user has been authenticated and authorized, resources are accessed through the API by carrying a token.
- OpenStack uses the RESTful API style: like the HTTP protocol it has actions such as GET, POST and DELETE.
- user: an entity that accesses OpenStack resources (a person / a system / another service).
- credentials: the information used to verify a user's identity:
  account and password
  token
  API key
  other advanced methods
  ...
- Authentication: the process of verifying a user's identity information.
- token: the credential used to access service resources after authentication has succeeded.
- project: isolates service resources by owner: resources belong to a project, and a user who wants to access the corresponding resources must first be attached to (belong to) that project.
  admin group (i.e. project): owns all resources (the super group).
  admin user: belongs to the admin group (super user) and can access all resources.
- service: the abstraction for a component in OpenStack that provides service resources (nova, neutron, cinder, swift ...).
  Every service exposes three types of ENDPOINT as entry points to its resources:
  admin
  public
  internal
- ENDPOINT: usually a URL reachable on the network.
  keystone is responsible for maintaining each service's endpoints.
- role: a role controls which operations a user may perform on resources.
  admin role: may perform any operation on service resources.
- domain: comparable to the different branches of one company.
Installing the Keystone identity service: controller node
1. Create the keystone database, create the keystone user and grant it privileges
Used to store the service's configuration information.
mysql -uroot -p000000
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
2. Install the packages: openstack-keystone httpd mod_wsgi
yum install openstack-keystone httpd mod_wsgi
3. Edit the /etc/keystone/keystone.conf configuration file
vim /etc/keystone/keystone.conf
Under [database] add:
connection = mysql+pymysql://keystone:000000@controller/keystone
Under [token] add:
provider = fernet
4. Sync the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Remember to enter the database and check that the tables were created:
MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
44 rows in set (0.00 sec)
5. Initialize the Fernet key repositories
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
6. Bootstrap the identity service (this sets the admin password)
keystone-manage bootstrap --bootstrap-password 000000 \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
7. Configure the HTTP server and start it
vim /etc/httpd/conf/httpd.conf
Add the ServerName line:
ServerName controller
Create a link to the /usr/share/keystone/wsgi-keystone.conf file:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the service:
systemctl enable httpd.service && systemctl start httpd.service
Check:
[root@controller ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since 四 2020-05-14 13:20:51 CST; 47s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 15991 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─15991 /usr/sbin/httpd -DFOREGROUND
├─15992 (wsgi:keystone- -DFOREGROUND
├─15993 (wsgi:keystone- -DFOREGROUND
├─15994 (wsgi:keystone- -DFOREGROUND
├─15995 (wsgi:keystone- -DFOREGROUND
├─15996 (wsgi:keystone- -DFOREGROUND
├─15997 (wsgi:keystone- -DFOREGROUND
├─15998 (wsgi:keystone- -DFOREGROUND
├─15999 (wsgi:keystone- -DFOREGROUND
├─16000 (wsgi:keystone- -DFOREGROUND
├─16001 (wsgi:keystone- -DFOREGROUND
├─16002 /usr/sbin/httpd -DFOREGROUND
├─16003 /usr/sbin/httpd -DFOREGROUND
├─16034 /usr/sbin/httpd -DFOREGROUND
├─16035 /usr/sbin/httpd -DFOREGROUND
└─16036 /usr/sbin/httpd -DFOREGROUND
5月 14 13:20:51 controller systemd[1]: Starting The Apache HTTP Server...
5月 14 13:20:51 controller systemd[1]: Started The Apache HTTP Server.
8. Configure the admin account
Steps 1-7 were the preparation; now we need to create the accounts.
Export the environment variables:
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
The username and password here must match the ones used when bootstrapping the identity service in step 6.
9. Create the example domain
Official documentation: https://docs.openstack.org/keystone/queens/install/keystone-users-rdo.html
openstack domain create --description "An Example Domain" example
Check:
[root@controller ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 4940c451ffcc4294b915994266c2cea8 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
There is a default domain named Default, plus the example domain we just created.
10. Create the service project (group)
We will place some resources into this group; it belongs to our default domain.
openstack project create --domain default --description "Service Project" service
Returned:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 426fd4ca40f94eabadc9f84500a776d7 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
11. Create the demo project
This group holds resources for ordinary users.
openstack project create --domain default --description "Demo Project" demo
Returned:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 62ac86a6213f4081a9a3f5acc493955f |
| is_domain | False |
| name | demo |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
12. Create the demo user (in the default domain, demo group)
openstack user create --domain default --password-prompt demo
[root@controller ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | f3abffd7bada4c54b5eca6100d2d33ab |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
13. Create the user role
openstack role create user
Returned:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 299b5828bbb74c8586c9b88daedf7a19 |
| name | user |
+-----------+----------------------------------+
Let's look at the role list:
[root@controller ~]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 299b5828bbb74c8586c9b88daedf7a19 | user |
| 555f2e50cdf2421ba09babfc562fda09 | admin |
+----------------------------------+-------+
We can see that an admin role exists by default.
14. Grant the demo user the user role
openstack role add --project demo --user demo user
So far we have created a domain, a group, a user and a role; now let's sort out how these concepts fit together:
The endpoint here is like a URL: when accessing a resource, the user sends a request carrying request information (such as the HTTP version, identity information, username and password) to that URL.
Before any user can obtain resources from an endpoint, they must go through an authentication process: check whether the username and password are valid, and if they are, return a token.
15. Create the admin user's client environment script
This environment-variable file lets you quickly take on a user's privileges; later, when we switch roles, we can simply pick the matching file to switch to that user's permissions and work with different levels of access.
[root@controller ~]# touch admin-openrc
[root@controller ~]# vim admin-openrc
Add the environment variables:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
16. Create the demo user's client environment script
[root@controller ~]# touch demo-openrc
[root@controller ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
17. Test and verify
source admin-openrc: switch to that user
openstack token issue: obtain a token for that user
If the request fails with 401, authentication failed; check that the corresponding configuration file is correct.
<Note 1> [root@controller ~]# source admin-openrc && openstack token issue
Returned:
[root@controller ~]# source admin-openrc && openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-05-14T07:46:30+0000 |
| id | gAAAAABevOlG6sWigyKQH9ziawH59XK_eIJU8lqvvL5UTLw5jjQScOwYr1fp_ktc9VYxpXfNjw11dkNe5SC0VT-z-O2KcvRi1v4MNYWkYt80Ab_bR7OLEmK7ZYx5JjO-ovs_QdRwFxEB79su6ipN3yf-OABwternlW5udJRK542ChMh6qxQpbIg |
| project_id | 0c2f860c54b94c158aa945e1683bf644 |
| user_id | ea8e3d161fd04d09a0ea104417357cd3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# source demo-openrc && openstack token issue
Returned:
[root@controller ~]# source demo-openrc && openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-05-14T07:47:28+0000 |
| id | gAAAAABevOmAgXGpB_kSPt_je-yVqWu7i3Daw0G7wLj7b4ovTMJqelGaJ4SYaNQFQRdK-CoFUFVlPiQi57gae8Yb9WepXNxP46Nk5JoQ_a1iMkddjnhSwMmRmnckBToHIXUiBbnzHXBLKZIH241Ii_3z9Ex3nu0pLHywS9TxBKURD_y6UjGR7Cs |
| project_id | 62ac86a6213f4081a9a3f5acc493955f |
| user_id | f3abffd7bada4c54b5eca6100d2d33ab |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
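What the two `openstack token issue` calls above do on the wire, as an added example (Python, not from the original post): the CLI builds a v3 password-authentication request scoped to a project from the OS_* variables of the sourced openrc file, POSTs it to /v3/auth/tokens, and reads the Fernet token from the reply. The controller URL and the demo project, user and role IDs are taken from this page; the reply body and the token value are constructed samples.

```python
import json
from urllib.request import Request

# Added example (not from the original post): the request `openstack token
# issue` makes after sourcing an openrc file. Nothing here contacts a server.
AUTH_URL = "http://controller:5000/v3"

def build_auth_request(username, password, project, user_domain="Default",
                       project_domain="Default"):
    """Build the v3 auth body from the OS_* variables of an openrc file."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "password": password,
            "domain": {"name": user_domain}}}},
        # Project scope attaches the step-14 role assignment to the token.
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}

def make_request(body):
    """The HTTP request the CLI sends; the token itself comes back in a header."""
    return Request(AUTH_URL + "/auth/tokens", method="POST",
                   data=json.dumps(body).encode(),
                   headers={"Content-Type": "application/json"})

def parse_token_response(status, headers, body):
    """Summarise Keystone's reply the way `openstack token issue` prints it."""
    if status == 401:  # the failure case described in step 17
        return {"ok": False, "reason": "authentication failed; check the openrc"}
    if status != 201:
        return {"ok": False, "reason": "unexpected HTTP status %d" % status}
    tok = json.loads(body)["token"]
    return {"ok": True,
            "id": headers["X-Subject-Token"],  # Fernet token, not in the body
            "expires": tok["expires_at"],
            "project_id": tok["project"]["id"],
            "user_id": tok["user"]["id"],
            "roles": sorted(r["name"] for r in tok["roles"])}

# Constructed sample reply; IDs mirror the demo project/user/role from steps 11-13.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB...constructed-placeholder"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"], "expires_at": "2020-05-14T07:47:28.000000Z",
    "user": {"id": "f3abffd7bada4c54b5eca6100d2d33ab", "name": "demo"},
    "project": {"id": "62ac86a6213f4081a9a3f5acc493955f", "name": "demo"},
    "roles": [{"id": "299b5828bbb74c8586c9b88daedf7a19", "name": "user"}]}})

if __name__ == "__main__":
    req = make_request(build_auth_request("demo", "000000", "demo"))
    print(req.get_method(), req.full_url)
    print(parse_token_response(201, SAMPLE_HEADERS, SAMPLE_BODY))
```

Because the token is scoped to the demo project, the roles list in the reply is exactly what step 14 granted; a token for a user with no role on the project would come back without any roles.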
Notes
<Note 1>
Usage of the source command: source FileName
Effect: reads and executes the commands in FileName within the current bash environment.