OpenStack: Keystone
- One, keystone identity service
- Two, the main function of keystone
- Three, keystone related concepts
- Four, keystone deployment steps
- 1. Create a database instance and database user
- 2. Install and configure keystone, database, Apache
- ① Install the keystone software package
- ② Initialize the authentication service database
- ③ Initialize the fernet key repository
- ④ Configure the bootstrap identity authentication service
- ⑤ Configure the Apache server
- ⑥ Create the configuration file
- ⑦ Configure the environment variables of the administrator account
- ⑧ Create OpenStack domains, projects, users and roles
- ⑨ Create a role (you can use openstack role list to view it)
One, keystone identity service
Keystone (the OpenStack identity service) is an independent module in OpenStack that provides security authentication. It is mainly responsible for OpenStack user identity authentication, token management, the service catalog that provides access to resources, and role-based access control.
Keystone is similar to a service bus, or the registry of the entire OpenStack framework. Other services use Keystone to register their service endpoints (service access URLs). Any call between services must first be authenticated by Keystone and obtain the target service's endpoint, which is then used to locate the target service.
Two, the main function of keystone
Authentication: issuance and verification of tokens
Authorization: granting users permissions within a service
User management (Account): managing user accounts
Service catalog: providing the API endpoints of the available services
Three, keystone related concepts
User: a person or service that uses OpenStack services
Project (Tenant): can be understood as a collection of resources owned by a person or service
Role: a set of permissions; by assigning a role to a user, the user obtains the operations that role allows
Authentication: the process of determining the identity of a user
Token: a string used as proof of identity when accessing resources; a token is scoped to the resources that may be accessed and has a limited validity period
Credentials: data used to confirm the identity of the user: the user name and password, the user name and an API key, or an authentication token issued by the identity service
Service: an OpenStack service, that is, a component service running in OpenStack, such as nova, swift, glance, neutron, cinder, etc.
Endpoint: a network address, usually a URL, at which an OpenStack service can be reached and located
Four, keystone deployment steps
1. Create a database instance and database user
[root@ct ~]# mysql -u root -p
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
2. Install and configure keystone, database, Apache
① Install the keystone software package
[root@ct ~]# yum -y install openstack-keystone httpd mod_wsgi
[root@ct ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[root@ct keystone]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf #Filter out the blank lines and the lines containing # from the backup, and write the rest to /etc/keystone/keystone.conf
[root@ct keystone]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone #Connect to the keystone database on node ct through mysql+pymysql as user keystone with password KEYSTONE_DBPASS
[root@ct keystone]# openstack-config --set /etc/keystone/keystone.conf token provider fernet #Set the token provider to fernet; Keystone itself issues the tokens, and fernet is a secure message format
② Initialize the authentication service database
[root@ct keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
③ Initialize the fernet key repository
[root@ct keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@ct keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
④ Configure the bootstrap identity authentication service
[root@ct keystone]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne
This step initializes OpenStack: the admin user of OpenStack is written to the user table in MySQL, and other information such as the URLs is written to the related tables in MySQL.
admin-url is the management network (for example the internal OpenStack management network of a public cloud), used to manage operations such as expanding or deleting virtual machines. If the shared network and the management network were the same network, a large volume of business traffic would make it impossible to expand virtual machines through the OpenStack control plane, so a separate management network is required.
internal-url is the internal network used for data transfer, such as virtual machines accessing storage, databases, ZooKeeper and other middleware. This network cannot be reached from external networks and is only used for internal access within the enterprise.
public-url is the shared network that users can access (for example in a public cloud). If an environment has no such separate networks, the same network serves as the public one.
Port 5000 is the port on which Keystone provides authentication.
A matching listen entry needs to be added on the haproxy server.
The URLs of the various networks need to specify the domain name of the controller node, which is generally the domain name of haproxy's VIP (in high-availability mode).
⑤ Configure the Apache server
[root@ct keystone]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
⑥ Create the configuration file
#After the mod_wsgi package is installed, the wsgi-keystone.conf file is available; it configures the virtual host and listens on port 5000. mod_wsgi is the Python WSGI gateway for Apache
[root@ct keystone]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@ct keystone]# systemctl enable httpd
[root@ct keystone]# systemctl start httpd
⑦ Configure the environment variables of the administrator account
These environment variables are used when creating roles and projects. Creating them requires authentication information, so the user name, password and related details are declared as environment variables; the openstack client then passes the admin user's credentials to OpenStack for verification on every command, so the session counts as already authenticated and projects and roles can be created. In other words, declaring the admin user's authentication information in environment variables allows non-interactive operation of OpenStack.
[root@ct keystone]# cat >> ~/.bashrc << EOF
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ct:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
[root@ct keystone]# source ~/.bashrc
[root@ct keystone]# openstack user list
⑧ Create OpenStack domains, projects, users and roles
Create a project in the specified domain, with a description; the project name is service (you can use openstack domain list to query the domains)
[root@ct keystone]# openstack project create --domain default --description "Service Project" service
⑨ Create a role (you can use openstack role list to view it)
[root@ct keystone]# openstack role create user
[root@ct keystone]# openstack role list
[root@ct keystone]# openstack token issue
#Check that a token can be issued without interactively entering a password (this verifies the identity service)
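As an added defender's check that is not part of the original walkthrough, the following shell function audits a keystone.conf and its fernet key repository for the outcome of steps ① and ③: the token provider, a database connection that still carries the placeholder password, and the permissions of the key directory. It assumes GNU stat (Linux); the sample trees it checks are constructed inline by make_samples.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit a keystone.conf
# and its fernet key repository for the settings steps ① and ③ create.
# Assumes GNU stat (Linux); the sample configs are constructed in make_samples.

# audit_keystone CONF KEYDIR: prints one line per finding, returns their count
audit_keystone() {
    conf="$1"; keydir="$2"; findings=0
    # [token] provider should be fernet, as set with openstack-config above
    provider=$(sed -n '/^\[token\]/,/^\[/{s/^provider *= *//p;}' "$conf")
    if [ "$provider" != "fernet" ]; then
        echo "FAIL: [token] provider is '${provider:-unset}', expected fernet"
        findings=$((findings + 1))
    fi
    # [database] connection should not still carry the placeholder password
    conn=$(sed -n '/^\[database\]/,/^\[/{s/^connection *= *//p;}' "$conf")
    case "$conn" in
        "") echo "FAIL: [database] connection is not set"; findings=$((findings + 1)) ;;
        *KEYSTONE_DBPASS*) echo "FAIL: placeholder DB password KEYSTONE_DBPASS still in use"
                           findings=$((findings + 1)) ;;
    esac
    # fernet keys sign every token: the repository must exist and be mode 0700
    if [ ! -d "$keydir" ]; then
        echo "FAIL: $keydir missing (run keystone-manage fernet_setup)"
        findings=$((findings + 1))
    elif [ "$(stat -c '%a' "$keydir")" != "700" ]; then
        echo "FAIL: $keydir mode is $(stat -c '%a' "$keydir"), expected 700"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# make_samples DIR: write a constructed pre-hardening tree and a hardened one
make_samples() {
    mkdir -p "$1/weak/fernet-keys" "$1/hard/fernet-keys"
    chmod 755 "$1/weak/fernet-keys"; chmod 700 "$1/hard/fernet-keys"
    printf '[database]\nconnection = mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone\n[token]\n' \
        > "$1/weak/keystone.conf"
    printf '[database]\nconnection = mysql+pymysql://keystone:Rot4ted-DbPw@ct/keystone\n[token]\nprovider = fernet\n' \
        > "$1/hard/keystone.conf"
}

# On a live node: audit_keystone /etc/keystone/keystone.conf /etc/keystone/fernet-keys
```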