The eight core components of OpenStack: Keystone

1. Keystone Identity Service

1. Definition

Keystone (the OpenStack Identity Service) is the standalone module that provides authentication in OpenStack. It is mainly responsible for authenticating OpenStack users, managing tokens, providing the service catalog through which resources are reached, and enforcing access control based on user roles.

Keystone works like a service bus, or the registry of the whole OpenStack framework. The other services register their endpoints (service access URLs) with Keystone. Any call from one service to another must be authenticated by Keystone, and the caller looks up the target service's endpoint in Keystone in order to reach it.

2. Main functions

  • Authentication: issuing and validating tokens

  • Authorization: granting users permissions within a service

  • Account (user management): managing user accounts

  • Service catalog: providing the API endpoints of the available services

2. Related concepts

  • User: a person or service that uses the OpenStack services.
  • Project (Tenant): can be understood as the collection of resources owned by a person or a service.
  • Role: used to partition permissions. By assigning a Role to a User, the User obtains the operation permissions that belong to that Role.
  • Authentication: the process of establishing the identity of a user.
  • Token: a string used as the credential for accessing resources. A token carries the scope of resources that may be accessed and a validity period.
  • Credentials: data used to confirm the identity of a user: the user's name and password, the user's name and an API key, or an authentication token issued by the identity service.
  • Service: an OpenStack service, that is, one of the component services running in OpenStack, such as nova, swift, glance, neutron or cinder.
  • Endpoint: an address at which an OpenStack service can be reached and located over the network, usually a URL.


Because the point-to-point interaction between components is done through APIs, and the APIs are hosted by Apache, which exposes each of them as a URL, the connection between one API and another can equally be thought of as the connection between one URL and another.

The system users for OpenStack's core and auxiliary components are created at "yum install" time. The essential part of an OpenStack deployment is the configuration that connects the components and services to one another.

3. Keystone workflow diagram


To create a virtual machine, the user must first log in, which means authenticating against Keystone. Once authentication succeeds, the user sends Nova a request to create the instance. Nova goes back to Keystone to verify the request. If that verification succeeds, Nova needs a Glance image, Neutron networking and other resources; for each of these, Nova again asks Keystone to verify before the resource is obtained. If every verification passes, the VM is created, and once creation succeeds the result is returned to the user.

4. Keystone deployment

Precautions
● Installation sequence of the OpenStack components
1. Keystone (under Apache)
2. Glance
3. Nova
4. Neutron

When deploying the OpenStack components, install the identity service (Keystone) first; it runs under Apache. Once it is installed you can create and manage accounts, and then install the image service (Glance), the compute service (Nova) and the network service (Neutron).
The compute and network services are each split into a management part and a client part, so the management parts are installed on the OpenStack control node and the clients on the compute node where virtual machines are created. The dashboard service is installed last. The APIs of the various OpenStack components all run under Apache.
The OpenStack control node is responsible for scheduling the creation and management of virtual machines. The data produced when virtual machines are created through the control node is ultimately recorded in MySQL (MariaDB). The compute node has no permission to write to the database; only the control node does. Communication between the compute node and the control node is indirect, through RabbitMQ: both sides listen on RabbitMQ, the control node publishes the create-VM command to a RabbitMQ queue, and the compute node listening on that queue receives the message and creates the virtual machine.

1. Create a database instance and database user

[root@ct ~]# mysql -u root -p
Enter password:       # enter the password; the one set earlier was ABC123
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

2. Install and configure keystone, database, Apache

①, install keystone, httpd, mod_wsgi

# mod_wsgi lets Apache front the Python components: every OpenStack component, including the APIs, is written in Python, but clients reach Apache, which forwards the request to Python for handling. These packages are installed only on the controller node.
[root@ct ~]# yum -y install openstack-keystone httpd mod_wsgi
[root@ct ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[root@ct ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# access MySQL through the pymysql module, giving the user name and password, the database host name and the database name
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
# specify the token provider; the provider is Keystone itself
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
Fernet: a secure messaging format
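The three steps above (strip the comment lines, point [database] connection at MariaDB via pymysql, set the Fernet token provider) can be reproduced and checked offline. The following is an added example, not code from the original post or from the Keystone project; the sample keystone.conf it operates on is a constructed stand-in for the much longer stock file, and the check_conf findings are this example's own rules. One caveat it makes visible: grep -Ev "^$|#" drops every line that contains a "#" anywhere, so a value that merely contains "#" would be lost too.

```python
import configparser
import io

# Constructed stand-in for a stock keystone.conf: mostly comments and blanks,
# which is why the guide strips them with grep before editing.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
#debug = false

[database]
#connection = <None>

[token]
#provider = fernet
"""


def strip_comments(text):
    """Equivalent of `grep -Ev "^$|#"`: drop blank lines and any line that
    contains '#', which also discards values that merely contain '#'."""
    kept = [line for line in text.splitlines() if line and "#" not in line]
    return "\n".join(kept) + "\n"


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def set_option(conf, section, option, value):
    """Equivalent of `openstack-config --set FILE SECTION OPTION VALUE`."""
    if section != "DEFAULT" and not conf.has_section(section):
        conf.add_section(section)
    conf.set(section, option, value)


def dump_conf(conf):
    buf = io.StringIO()
    conf.write(buf)
    return buf.getvalue()


def check_conf(conf):
    """Return findings a deployer should fix before starting Keystone
    (these rules are the example's own, not a Keystone feature)."""
    findings = []
    conn = conf.get("database", "connection", fallback="")
    if not conn.startswith("mysql+pymysql://"):
        findings.append("database.connection does not use the pymysql driver")
    if "KEYSTONE_DBPASS" in conn:
        findings.append("database.connection still holds the placeholder password KEYSTONE_DBPASS")
    if conf.get("token", "provider", fallback="") != "fernet":
        findings.append("token.provider is not fernet")
    return findings


def prepare(text, db_url):
    """Strip comments, then apply the two settings the guide sets with openstack-config."""
    conf = load_conf(strip_comments(text))
    set_option(conf, "database", "connection", db_url)
    set_option(conf, "token", "provider", "fernet")
    return conf


if __name__ == "__main__":
    conf = prepare(SAMPLE_KEYSTONE_CONF, "mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone")
    print(dump_conf(conf))
    for finding in check_conf(conf):
        print("FINDING:", finding)
```

Run it as-is and the placeholder finding is reported, because the guide's KEYSTONE_DBPASS is used literally; replace it with the real database password before running db_sync.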

② Initialize the authentication service database

[root@ct ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

③ Initialize the Fernet key repository (the following commands generate two keys; the generated keys are placed under the /etc/keystone/ directory and are used to encrypt data)

[root@ct keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@ct keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
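Because Fernet tokens are only as secret as the key files that sign and encrypt them, the repository created by fernet_setup deserves a check after the step above. The following is an added example, not code from the original post or from Keystone; it builds a constructed key directory resembling the initial repository (keys 0 and 1, with placeholder contents rather than real key material) and applies Keystone's naming convention, which it assumes: 0 is the staged key, the highest number is the primary key used for new tokens, and anything in between is a secondary key kept only to validate older tokens. The permission rules (directory 0700, key files 0600, owned by the service user) are the example's own expectation of what --keystone-user/--keystone-group produce.

```python
import os
import stat
import tempfile


def classify_keys(keydir):
    """Classify key files by Keystone's convention (assumption stated in the lead-in):
    0 = staged key, highest number = primary key, the rest = secondary keys."""
    numbers = sorted(int(n) for n in os.listdir(keydir) if n.isdigit())
    if not numbers:
        return {"staged": None, "primary": None, "secondary": []}
    primary = numbers[-1]
    staged = 0 if 0 in numbers and primary != 0 else None
    secondary = [n for n in numbers if n not in (0, primary)]
    return {"staged": staged, "primary": primary, "secondary": secondary}


def check_repo(keydir, expected_uid=None):
    """Return findings: directory must not be group/other accessible, key files
    must be private and non-empty, and optionally owned by the given uid."""
    findings = []
    st = os.stat(keydir)
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("key directory is readable or writable by group/other")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("key directory is not owned by the keystone user")
    for name in sorted(os.listdir(keydir)):
        path = os.path.join(keydir, name)
        fst = os.stat(path)
        if stat.S_IMODE(fst.st_mode) & 0o077:
            findings.append("key %s is readable by group/other" % name)
        if fst.st_size == 0:
            findings.append("key %s is empty" % name)
    return findings


def make_demo_repo(loose=False):
    """Create a constructed repository shaped like the initial fernet_setup output
    (keys 0 and 1). With loose=True the permissions are deliberately too open
    so that check_repo has something to report."""
    keydir = tempfile.mkdtemp(prefix="fernet-keys-")
    os.chmod(keydir, 0o755 if loose else 0o700)
    for name in ("0", "1"):
        path = os.path.join(keydir, name)
        with open(path, "w") as f:
            f.write("constructed-placeholder-not-a-real-fernet-key\n")
        os.chmod(path, 0o644 if loose else 0o600)
    return keydir


if __name__ == "__main__":
    # On a real controller point this at /etc/keystone/fernet-keys instead.
    repo = make_demo_repo()
    print(classify_keys(repo))          # staged 0, primary 1, no secondary keys
    print(check_repo(repo) or "repository permissions look fine")
    print(check_repo(make_demo_repo(loose=True)))
```

After a later keystone-manage fernet_rotate the same classification still applies: the staged key 0 becomes the new primary and the old primary drops to secondary, so classify_keys is a quick way to confirm that rotation happened on every controller.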

④, configure bootstrap identity authentication service

[root@ct ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne		# specify a region name
# This step initializes OpenStack: it writes the admin user's information into the MySQL user table, and the URLs and other information into the related tables;
# admin-url is the management network (for example the internal OpenStack management network of a public cloud), used for managing the scale-out or deletion of virtual machines; if the public network and the management network are one and the same, heavy business traffic can make it impossible to scale virtual machines from the OpenStack control side, which is why a separate management network is needed;
# internal-url is the internal network used for data transfer, such as virtual machines reaching storage, databases and middleware like zookeeper; this network must not be reachable from the outside and is for internal enterprise access only
# public-url is the public network, reachable by users (for example a public cloud) # but this environment does not have these separate networks, so they all share one network
# port 5000 is the port on which keystone provides authentication
# a listen entry needs to be added on the haproxy server
# the URLs of the various networks must point at the controller node's host name, normally the host name of the haproxy VIP (high-availability mode)

⑤, configure Apache HTTP server

[root@ct ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf

⑥, create a configuration file

# after the mod_wsgi package is installed, the file wsgi-keystone.conf is generated; it configures the virtual host and listens on port 5000. mod_wsgi is the gateway to Python
[root@ct ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

⑦ Start the service

[root@ct conf.d]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ct conf.d]# systemctl start httpd

⑧, configure the environment variables of the administrator account

# These environment variables are used when creating roles and projects. Those operations require authentication information, so the user name, password and other credentials are declared as environment variables; OpenStack then behaves as if the session were already logged in and authenticated, and projects and roles can be created. In other words, the admin user's credentials are handed to OpenStack for verification through environment variables, which enables non-interactive operation of OpenStack
[root@ct ~]# cat >> ~/.bashrc << EOF
export OS_USERNAME=admin			# console login user name
export OS_PASSWORD=ADMIN_PASS	# console login password
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ct:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
[root@ct ~]# source ~/.bashrc

⑨ With the environment variables in place, the openstack commands can be used to perform operations, for example:

[root@ct ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| cdbc2d192f704775a435d503172ea5a5 | admin |
+----------------------------------+-------+
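What the openstack client does with the OS_* variables above, and how the concepts from the "Related concepts" section (credentials, token, service catalog, endpoint) appear on the wire, can be shown without a live controller. The following is an added example, not code from the original post or from the openstack client: it assembles the Identity v3 password-authentication request body that the client would POST to OS_AUTH_URL/auth/tokens, and then inspects a constructed copy of the JSON that Keystone returns, resolving an endpoint from the catalog by service type, interface and region and checking the token's expiry. The response body, the expiry timestamp and the DEMO_ENV values are constructed for the example; the real token string is returned in the X-Subject-Token response header rather than in the body.

```python
import json
from datetime import datetime, timezone

# Constructed copy of the variables exported in ~/.bashrc above.
DEMO_ENV = {
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "ADMIN_PASS",
    "OS_PROJECT_NAME": "admin",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_AUTH_URL": "http://ct:5000/v3",
}


def auth_url(env):
    """The URL the client POSTs credentials to."""
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"


def build_auth_request(env):
    """Identity v3 request body: password method, scoped to a project.
    The scope is what makes the returned token carry roles and a catalog."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


# Constructed stand-in for the JSON body of a successful scoped-token response.
SAMPLE_TOKEN_RESPONSE = json.loads("""{
 "token": {
  "expires_at": "2021-03-11T12:00:00.000000Z",
  "project": {"name": "admin", "domain": {"name": "Default"}},
  "roles": [{"name": "admin"}, {"name": "member"}, {"name": "reader"}],
  "catalog": [
   {"type": "identity", "name": "keystone",
    "endpoints": [
     {"interface": "public",   "region_id": "RegionOne", "url": "http://ct:5000/v3/"},
     {"interface": "internal", "region_id": "RegionOne", "url": "http://ct:5000/v3/"},
     {"interface": "admin",    "region_id": "RegionOne", "url": "http://ct:5000/v3/"}
    ]}
  ]
 }
}""")


def find_endpoint(token_body, service_type, interface, region=None):
    """Resolve a service URL from the catalog the way a client does:
    by service type, interface (public/internal/admin) and optional region."""
    for svc in token_body["token"].get("catalog", []):
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region_id"] == region):
                return ep["url"]
    return None


def parse_ts(value):
    """Keystone timestamps are UTC with microseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_valid_at(token_body, now_iso):
    """True while the token's validity period has not elapsed."""
    return parse_ts(now_iso) < parse_ts(token_body["token"]["expires_at"])


def role_names(token_body):
    return sorted(r["name"] for r in token_body["token"]["roles"])


if __name__ == "__main__":
    print("POST", auth_url(DEMO_ENV))
    print(json.dumps(build_auth_request(DEMO_ENV), indent=1))
    print("roles:", role_names(SAMPLE_TOKEN_RESPONSE))
    print("identity public endpoint:", find_endpoint(SAMPLE_TOKEN_RESPONSE, "identity", "public", "RegionOne"))
```

Note that the request body carries the password in clear text; it is protected only by the transport, which is one reason the guide's plain http://ct:5000 URL is acceptable for a lab but not for a public-url that users reach over an untrusted network.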

5. Create OpenStack domains, projects, users and roles

1. Create a project in the specified domain, with a description; the project name is service (the available domains can be listed with openstack domain list)

[root@ct ~]# openstack project create --domain default --description "Service Project" service 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | f3863f70abf446ac9a56acb24ceca604 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

2. Create a role (you can use the openstack role list to view)

[root@ct ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 84ae6881e8f044c58ee21a9eedf4b82c |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+

3. View the list of openstack roles

[root@ct ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1e452a4b42634ba8890e600c3818fe25 | reader |
| 84ae6881e8f044c58ee21a9eedf4b82c | user   |
| a2142821bf384f23b28fa462e6f05582 | member |
| b6388e491ac744e085f0988ffafdff7b | admin  |
+----------------------------------+--------+

# admin: the administrator
# member: a tenant
# user: an ordinary user

Check whether token information can be obtained without specifying a password on the command line (this verifies the authentication service):
[root@ct ~]#  openstack token issue

4. Summary

The Keystone component serves as the unified authentication and authorization module of the OpenStack cluster. Its core function is to manage User, Tenant, Role and Token (the manual build and deployment above all revolves around this function).
User: the user who uses OpenStack.
Tenant: a tenant can be understood as the collection of resources owned by a person, project or organization. A tenant can contain many users, and those users can use the tenant's resources according to their assigned permissions.
Role: used to assign operation permissions. A role can be assigned to a user, so that the user obtains the operation permissions that correspond to the role.
Token: a string of bits or characters used as the credential for accessing resources; it carries the scope of accessible resources and a validity period. A token is a form of user credential, obtained by requesting it from the Keystone service with a correct user name and password.

5. The approach for building OpenStack by manual deployment:

1. Deploy module by module
2. Prepare the basic environment for the Keystone module (download the dependency packages, the component packages and any third-party tools or plugins)
3. Create and enable the module's function (for Keystone: create and initialize the authentication database, edit the configuration file, initialize the Fernet keys, and bootstrap the identity service)
4. Verify

Origin blog.csdn.net/weixin_51431591/article/details/114664089