Openstack之二:服务认证keystone

一:keystone介绍及安装:

OpenStack的身份服务提供了集成的管理身份验证,授权和服务目录服务的单点,其他的OpenStack服务使用的身份服务作为一个通用统一的API,此外,提供有关用户的信息,但该服务不包括开栈(如LDAP服务)可以被集成到一个预先存在的基础设施,为了从身份服务中受益,其他的OpenStack服务需要与它合作。当一个开栈服务从用户接收请求时,它检查与用户是否被授权作出该请求的标识服务。

身份服务包含以下组件:

服务器:中央服务器提供了一种使用RESTful接口验证和授权服务。
驱动程序:驱动程序或服务后端被集成到中央服务器。它们被用于在库外的OpenStack访问身份信息,并且可以在开栈中部署(例如,SQL数据库或LDAP服务器)的基础设施已经存在。
模块:中间件模块中正在使用该标识服务的开栈组件的地址空间中运行。这些模块拦截服务请求,提取用户凭据,并将它们发送到中央服务器进行授权。中间件模块和OpenStack的组件之间的集成使用Python的Web服务器网关接口。
当安装OpenStack的身份服务,您必须在您的OpenStack安装注册的每个服务。然后身份服务可以跟踪安装哪些开栈的服务,并且它们的位置在网络上。
OpenStack的身份服务提供了集成的管理身份验证,授权和服务目录服务的单点。
用户与认证:用户权限与用户登录密码认证等。。
服务目录:提供一个服务目录,记录所有服务对应的IP地址信息。

user:用户,即登录账号
project:项目,按照项目划分公司,一个项目可以有多个用户。
token:令牌,使用用户密码访问之后分配给访问者一个令牌,使用令牌即可进行操作。
role:角色,项目中每个用户拥有不同的权限。

用户目录两大名词:
service:服务,比如nova/galce/swift都是服务,就是记录服务的作用,每个服务都需要在keystone进行注册标示改服务的作用。
endpoint:端点,可以理解为服务对外暴露的URL地址,并且具有public、private和admin

二、配置数据库

1、创建数据库,并授权

1、在数据库创建数据库,并在数据库中授权

[ ~]# mysql -pcentos
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.3.10-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.078 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone‘@‘%‘ IDENTIFIED BY ‘centos‘;
Query OK, 0 rows affected (0.124 sec)

MariaDB [(none)]>

 2、在控制端服务安装mysql客户端验证

[ ~]# yum install mysql -y

在控制端将VIP地址进行域名解析,有几个控制端,就写几个hosts文件,为了后期维护好维护:vim  /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.7.248  openstack-vip.net

开始远程连接数据库,此时可以看到已经连接进来。

[ ~]# mysql -ukeystone -pcentos -hopenstack-vip.net
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.10-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.001 sec)

三、在控制端安装组件  

 1、运行以下命令来安装包,有几个控制端,都将安装此包

# yum install openstack-keystone httpd mod_wsgi

2、编辑文件 <span>/etc/keystone/keystone.conf</span> 并完成如下动作:  

   在 <span>[database]</span> 部分,配置数据库访问:vim  <span>/etc/keystone/keystone.conf</span> 

[database]
connection = mysql+pymysql://keystone:/keystone   #centos为数据库密码,openstack-vip.net为VIP地址的域名解析

 3、在``[token]``部分,配置Fernet UUID令牌的提供者

[token]
provider = fernet

4、随机生成10进制数字,绕过keystone管理员密码验证,直接拥有管理员权限。

[ ~]# openssl rand -hex 10
f0c29329cb611ddd407b

vim  /etc/keystone/keystone.conf  #修改配置文件
admin_token =  f0c29329cb611ddd407b

5、 在控制端初始化身份认证服务的数据库: 

[tack-1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

6、初始化Fernet key:  

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

 7、需要修改配置文件:vim /usr/share/keystone/wsgi-keystone.conf,保证其监听5000端口和35357端口。

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined
<Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

8、创建软链接  /usr/share/keystone/wsgi-keystone.conf

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

9、安装httpd服务,并启动,查看端口是否监听到5000和35357端口

[ keystone]#yum install httpd -y
[ keystone]# systemctl start httpd
[ keystone]# systemctl enable httpd
[ keystone]# ss -ntl
State       Recv-Q Send-Q                           Local Address:Port                                          Peer Address:Port              
LISTEN      0      100                                  127.0.0.1:25                                                       *:*                  
LISTEN      0      128                                          *:22                                                       *:*                  
LISTEN      0      100                                      [::1]:25                                                    [::]:*                  
LISTEN      0      511                                       [::]:35357                                                 [::]:*                  
LISTEN      0      511                                       [::]:5000                                                  [::]:*                  
LISTEN      0      511                                       [::]:80                                                    [::]:*                  
LISTEN      0      128                                       [::]:22                                                    [::]:*

 10、通过admin的token设置环境变量进行操作,直接绕过token管理员权限。

[ ~]# export OS_TOKEN=f0c29329cb611ddd407b    #上面创建的admin_token随机数
[ ~]# export OS_URL=http://192.168.7.100:35357/v3
[ ~]# export OS_IDENTITY_API_VERSION=3

四、在控制端创建域、项目、用户和角色

1、创建默认域

一定要在上一步设置完成环境变量的前提下 方可 操作成功,否则会提示未认证 。
#命令格式为: openstack domain create description " 描述信息 " 域名

1、在控制端创建domain域

[ ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 8e295428192547d3a70b364676eb14ec |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+

 2、删除默认域的命令,创建好就不要删除了

[ ~]# openstack domain delete 8e295428192547d3a70b364676eb14ec

2、创建一个项目

[ ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 8e295428192547d3a70b364676eb14ec |
| enabled     | True                             |
| id          | 7f3a9cccf0714a02a20c48006e1aa681 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 8e295428192547d3a70b364676eb14ec |
| tags        | []                               |
+-------------+----------------------------------+

 3、创建一个用户账号和密码,账号和密码都是admin。

[ ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 8e295428192547d3a70b364676eb14ec |
| enabled             | True                             |
| id                  | 545853265f0346b88a0624061ebaa6c0 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

 查看此时创建的用户名,可以看到账号是admin

[ ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 545853265f0346b88a0624061ebaa6c0 | admin |
+----------------------------------+-------+

 4、给admin创建角色

[ ~]# openstack role create admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | b84435b0ec1d428cbfcad4eaaaaa4a36 |
| name        | admin                            |
+-------------+----------------------------------+

5、给admin用户授权

此时创建的域、用户、角色及项目都已完成。

将admin用户授予admin项目的admin角色,即给admin项目添加一个用户叫admin,并将其添加至admin角色,角色是权限的一种集合:

[ ~]# openstack role add --project admin --user admin admin

下面是演示部分,可以在此部分做实验 

1、创建demo项目

[ ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 8e295428192547d3a70b364676eb14ec |
| enabled     | True                             |
| id          | 4df34d7e5fa641c48256855f9732c988 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 8e295428192547d3a70b364676eb14ec |
| tags        | []                               |
+-------------+----------------------------------+

 2、创建demo用户并设置密码为demo

[ ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 8e295428192547d3a70b364676eb14ec |
| enabled             | True                             |
| id                  | 50c33973910e4594af2299fb3bea0ff2 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

3、创建一个 user角色

[ ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 88815f7cc0b249008bdcf32ae81e4b2b |
| name        | user                             |
+-------------+----------------------------------+

4、把 demo用户添加到demo项目:

[ ~]# openstack role add --project demo --user demo user

五、在控制端注册服务

 1、创建一个keystone认证服务:

1、将keystone服务地址注册到openstack,创建一个 keystone 认证服务:

[ ~]# openstack service create --name keystone --description "OpenStack  Identity" identity

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack  Identity              |
| enabled     | True                             |
| id          | 53231b516cdd47ebbe991ed998861c59 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

2、创建endpoint

[ ~]# openstack endpoint create --region RegionOne identity internal http://openstack-vip.net:5000/v3 # 私有端点
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 6aea541fb7964bdbb7d261e1ad7a64a2 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 53231b516cdd47ebbe991ed998861c59 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://openstack-vip.net:5000/v3 |
+--------------+----------------------------------+
[ ~]# openstack endpoint create --region RegionOne identity public http://openstack-vip.net:5000/v3  #公有端点
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c830d8e3ef8c49688e453c6ec3037420 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 53231b516cdd47ebbe991ed998861c59 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://openstack-vip.net:5000/v3 |
+--------------+----------------------------------+
[ ~]# openstack endpoint create --region RegionOne identity admin http://openstack-vip.net:35357/v3 # 管理端点
+--------------+-----------------------------------+
| Field        | Value                             |
+--------------+-----------------------------------+
| enabled      | True                              |
| id           | f4c9d8b557304a7183f4e65ed89099d7  |
| interface    | admin                             |
| region       | RegionOne                         |
| region_id    | RegionOne                         |
| service_id   | 53231b516cdd47ebbe991ed998861c59  |
| service_name | keystone                          |
| service_type | identity                          |
| url          | http://openstack-vip.net:35357/v3 |
+--------------+-----------------------------------+

 查看创建结果

[ ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                               |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------+
| 6aea541fb7964bdbb7d261e1ad7a64a2 | RegionOne | keystone     | identity     | True    | internal  | http://openstack-vip.net:5000/v3  |
| c830d8e3ef8c49688e453c6ec3037420 | RegionOne | keystone     | identity     | True    | public    | http://openstack-vip.net:5000/v3  |
| f4c9d8b557304a7183f4e65ed89099d7 | RegionOne | keystone     | identity     | True    | admin     | http://openstack-vip.net:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------+

 六、再次配置haproxy服务器

1、修改配置文件,监听keystone的5000端口和35357端口,前面的端口都已经监听过,这里不再细说,且配置文件中都只是监听部分文件,其他部分见openstack之一详解。

 vim  /etc/haproxy/haproxy.cfg

listen openstack_web_port
    bind 192.168.7.248:3306
    mode tcp
    log global
    server 192.168.7.106 192.168.7.106:3306 check inter 3000 fall 3 rise 5

listen openstack_rabbitmq_port
    bind 192.168.7.248:5672
    mode tcp
    log global
    server 192.168.7.106 192.168.7.106:5672 check inter 3000 fall 3 rise 5
    server 192.168.7.107 192.168.7.107:5672 check inter 3000 fall 3 rise 5 backup

[ ~]# vim /etc/haproxy/haproxy.cfg
listen openstack_rabbitmq_port
    bind 192.168.7.248:11211
    mode tcp
    log global
    server 192.168.7.106 192.168.7.106:11211 check inter 3000 fall 3 rise 5
    server 192.168.7.107 192.168.7.107:11211 check inter 3000 fall 3 rise 5 backup
        

listen openstack_keystone_port_5000
    bind 192.168.7.248:5000
    mode tcp
    log global
    server 192.168.7.100 192.168.7.100:5000 check inter 3000 fall 3 rise 5

listen openstack_keystone_port_35357
    bind 192.168.7.248:35357
    mode tcp
    log global
    server 192.168.7.100 192.168.7.100:35357 check inter 3000 fall 3 rise 5

 2、重启haproxy服务,并查看是否监听了5000端口和35357端口

[ ~]# systemctl restart haproxy

 3、可以在控制端进行telnet进行测试,是否可以连接

[ keystone]# telnet 192.168.7.248 5000
[ keystone]# telnet 192.168.7.248 35357

七、在控制端测试keystone是否可以做用户验证:

1、需要新打开一个shell窗口,在没有声明环境变量的情况下执行下面命令

[ ~]# export OS_IDENTITY_API_VERSION=3

2、创建一个脚本,设置用户环境变量,以后就不需要每次都使用这么长的命令啦,创建一个admin账户和demo用户。

#官方文档:http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone-openrc.html

admin账号:

#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.7.100:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

#官方文档:http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone-openrc.html

demo账号:

#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.7.100:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

3、让其脚本生效,并验证效果

[ ~]# . admin.sh
[ ~]# . demo.sh
[ ~]# echo $OS_PASSWORD admin

4、执行验证命令,验证用户名,此时就不需要输入密码验证。

[ ~]# openstack --os-auth-url http://192.168.7.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-01-05T16:12:34+0000                                                                                                                                                                |
| id         | gAAAAABeEfziRVpPQbKDKadzND1hBaFgNP0cnUdj8gcxROH2jJf4hhKqSgCpN1_wSPOGID-ydaPVcnPCspjdtXTDsMtdsHz5zFTCc6NzkM41O6GwCkvuh03f69DuRzUVzJs_fYkrK_r5FQTOCOrZfBzyLHtbWyAROOW6xRWuMv5q1VaC_NELAxg |
| project_id | 7f3a9cccf0714a02a20c48006e1aa681                                                                                                                                                        |
| user_id    | 545853265f0346b88a0624061ebaa6c0                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

八、控制台一备份控制端keystone数据

1、备份控制端服务器数据,传给另一台控制端指定目录,就不需要再进行配置

[ ~]# cd /etc/keystone/
[ keystone]# tar -zcvf keystone-conller.tar.gz  ./*
./credential-keys/
./credential-keys/1
./credential-keys/0
./default_catalog.templates
./fernet-keys/
./fernet-keys/1
./fernet-keys/0
./keystone.conf
./logging.conf
./policy.json
./sso_callback_template.html

2、控制台二要安装httpd服务

# yum install httpd  -y

3、将备份的数据和关联的httpd监听的5000端口和35357端口的配置文件,都传递到控制台二,解压并做软连接

[ keystone]# scp keystone-conller.tar.gz  192.168.7.101:/etc/keystone/
[ conf.d]# scp /etc/httpd/conf.d/wsgi-keystone.conf  192.168.7.101:/etc/httpd/conf.d/

4、在控制端台二将备份的文件解压

[ keystone]# tar -xvf keystone-conller.tar.gz

5、在控制台二创建软链接,并启动httpd服务。

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# systemctl start httpd

再次配置haproxy服务

已经配置了新的控制端,在haproxy配置IP地址,主要监听的IP地址修改,其他不变。

listen openstack_keystone_port_5000
    bind 192.168.7.248:5000
    mode tcp
    log global
    server 192.168.7.100 192.168.7.100:5000 check inter 3000 fall 3 rise 5
    server 192.168.7.101 192.168.7.100:5000 check inter 3000 fall 3 rise 5 backup

listen openstack_keystone_port_35357
    bind 192.168.7.248:35357
    mode tcp
    log global
    server 192.168.7.100 192.168.7.100:35357 check inter 3000 fall 3 rise 5
    server 192.168.7.101 192.168.7.100:35357 check inter 3000 fall 3 rise 5 backup

重启haproxy服务

# systemctl restart haproxy

当我们的主机宕机之后,不知道哪个VIP跑在负载均衡服务器上,怎么办? 

我们可以通过远程连接提供服务的服务器,然后查看服务器的IP地址,就可以查看到VIP地址。 

 Openstack之二:服务认证keystone

相关推荐