OpenStack-Keystone component deployment, in full detail

One, keystone identity service

  • Keystone (the OpenStack identity service) is an independent module in OpenStack that provides security authentication. It is mainly responsible for authenticating OpenStack users, managing tokens, providing the service catalog through which resources are reached, and enforcing role-based access control
  • Keystone acts like a service bus, or the registry of the whole OpenStack framework. Other services register their service endpoints (service access URLs) with Keystone, and every call between services must be authenticated by Keystone, which also returns the target service's endpoint so the caller can locate it
  • Summary: Keystone provides multiple authentication and authorization methods and directs callers to the backend endpoints

Two, the main function of keystone

  • Authentication: Issuance and verification of tokens
  • User authorization (Authorization): to grant users the permissions in a service
  • User Management (Account): Manage user accounts
  • Service Catalog: Provide API endpoints for available services

Three, keystone related concepts

  • User: a user of an OpenStack service
  • Project (Tenant): the collection of resources owned by a person or a service
  • Role: divides permissions among users. Assigning a role to a user gives that user the operation permissions the role carries
  • Authentication: the process of establishing a user's identity
  • Token: a string used as a ticket for accessing resources. A token covers the resources that may be accessed within a given scope and validity period
  • Credentials: the evidence used to confirm a user's identity: a username and password, a username and API key, or an authentication token issued by the identity service
  • Service: an OpenStack service, i.e. a component running in OpenStack, such as nova, swift, glance, neutron or cinder
  • Endpoint: an address through which an OpenStack service can be reached and located over the network, usually a URL
  • Summary: Because components interact point-to-point through their APIs, and each API is served by Apache at a URL, connecting API to API can also be seen as connecting URL to URL.

Four, keystone certification process

  • Simple understanding, using the creation of a virtual machine as an example: to create a virtual machine the user must first authenticate, and the user authenticates to Keystone. Once authentication succeeds, the user logs in and sends a request to nova to build the virtual machine; nova passes the request back to Keystone for verification. After that verification succeeds, creating the virtual machine needs resources such as a glance image and a neutron network, so nova asks Keystone to verify the request for those resources as well. If that verification also passes, the VM is created, and after successful creation the result is returned to the user.

Five, OpenStack-Keystone component deployment steps

Pay attention to the order when installing OpenStack components:

1. Keystone (Apache)  2. glance  3. nova  4. neutron

When deploying OpenStack components, the identity service (keystone) must be installed first. It runs under Apache, and only once it is up can accounts be created and managed; after that install the image service (glance), the compute service (nova) and the network service (neutron).
The compute and network services are each split into a controller side and a client side, so the controller side of both is installed on the OpenStack controller, and the client side of both is installed on the node hosts that will run virtual machines; the dashboard service is installed last. The APIs of all OpenStack components run under Apache.
The OpenStack controller schedules the creation and management of virtual machines.
All data produced when virtual machines are created through the controller is ultimately recorded in MySQL (MariaDB). Node hosts have no permission to write to the database; only the controller does. Nodes and the controller communicate indirectly through RabbitMQ: both listen on RabbitMQ, the controller publishes the instruction to create a virtual machine to RabbitMQ, and the node listening on the designated queue receives the message and creates the virtual machine.

Deployment steps

One, create a database instance and database user

mysql -u root -p
create database keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
flush privileges;
quit


Two, install and configure keystone, database, Apache

Install keystone, httpd, mod_wsgi

# The mod_wsgi package lets Apache front the Python components: all OpenStack components, including their APIs, are written in Python, but Apache receives the requests and forwards them to the Python code for processing. These packages are installed only on the controller node.

yum -y install openstack-keystone httpd mod_wsgi
cp -a /etc/keystone/keystone.conf{,.bak}
grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# Access MySQL through the pymysql module, giving the username, password, database host name and database name
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
# Set the token provider; the provider is keystone itself
openstack-config --set /etc/keystone/keystone.conf token provider fernet
# Fernet: a secure message format
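As an added check that is not part of the original post, the following Python reads a keystone.conf in the form the two openstack-config commands above produce and verifies the [database] connection driver and database name and the [token] provider, flagging the placeholder password KEYSTONE_DBPASS that must be replaced before the service goes live. The sample file content is constructed here.

```python
import configparser
import io
from urllib.parse import urlsplit

# Constructed sample of what the two openstack-config --set commands leave
# in keystone.conf (not copied from a real host).
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
[token]
provider = fernet
"""

# Placeholder secrets from deployment guides that must not reach production.
PLACEHOLDER_SECRETS = {"KEYSTONE_DBPASS", "ADMIN_PASS", "changeme", "password"}


def check_keystone_conf(text):
    """Return a list of findings for the given keystone.conf text.

    An empty list means the [database] and [token] settings match what the
    deployment steps require and no placeholder password is left behind.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    findings = []

    conn = cfg.get("database", "connection", fallback=None)
    if conn is None:
        findings.append("[database] connection is missing")
    else:
        url = urlsplit(conn)  # scheme://user:password@host/dbname
        if url.scheme != "mysql+pymysql":
            findings.append("database driver is %r, expected mysql+pymysql" % url.scheme)
        if url.password in PLACEHOLDER_SECRETS:
            findings.append("database password is the placeholder %r" % url.password)
        if url.path != "/keystone":
            findings.append("database name is %r, expected keystone" % url.path.lstrip("/"))

    provider = cfg.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append("[token] provider is %r, expected fernet" % provider)
    return findings
```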


Initialize the authentication service database

su -s /bin/sh -c "keystone-manage db_sync" keystone
# Initialize the fernet key repository (the following commands generate two keys, placed under the /etc/keystone/ directory and used to encrypt data)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone


Configure bootstrap authentication service

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne			# specify a region name

# This step initializes OpenStack: it writes the OpenStack admin user's information into the user table in MySQL, and the URLs and other information into the related MySQL tables.
# admin-url is the management network (e.g. the internal OpenStack management network of a public cloud), used to manage scaling out or deleting virtual machines; if the public network and the management network were the same network, heavy traffic could make it impossible to scale out virtual machines through the OpenStack controller, which is why a separate management network is needed.
# internal-url is the internal network used for data transfer, e.g. virtual machines accessing storage, databases and middleware such as zookeeper; this network must not be reachable from the internet and is only for access inside the enterprise.
# public-url is the public network, accessible to users (e.g. a public cloud). This environment does not have separate networks, so all three share the same network.
# Port 5000 is the port on which keystone provides authentication.
# A listen entry needs to be added on the haproxy server.
# The URLs of the various networks must name the controller node's domain name, generally the domain name of the haproxy VIP (in high-availability mode).


Configure Apache HTTP server

echo "ServerName controller" >> /etc/httpd/conf/httpd.conf


Create a configuration file

# After the mod_wsgi package is installed, the wsgi-keystone.conf file is available. It configures a virtual host that listens on port 5000. mod_wsgi is the WSGI gateway between Apache and Python.

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/


Start the service

systemctl enable httpd
systemctl start httpd


Configure environment variables for the administrator account

# These environment variables are used when creating roles and projects. Creating roles and projects requires authentication information, so the username, password and other credentials are declared as environment variables; the openstack client then presents them as if the user had already logged in and been authenticated, so that projects and roles can be created. In other words, declaring the admin user's credentials as environment variables hands them to OpenStack for verification and enables non-interactive operation.

cat >> ~/.bashrc << EOF
export OS_USERNAME=admin				# console login username
export OS_PASSWORD=ADMIN_PASS			# console login password
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ct:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

source ~/.bashrc


With the environment variables configured, the openstack commands can be used to perform operations:

openstack user list				# show the user list


Three, create OpenStack domains, projects, users, and roles

# Create a project in the specified domain with a description; the project is named service (domains can be listed with openstack domain list)

openstack project create --domain default --description "Service Project" service


# Create a role (roles can be listed with openstack role list)

openstack role create user


# View the list of OpenStack roles

openstack role list


admin is the administrator role, member is the tenant-user role, and user is the role created above.

# Check that a token can be obtained without typing a password (the credentials come from the environment variables); this verifies the identity service

openstack token issue
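What openstack token issue does on the wire, as an added example that is not part of the original post: it maps the OS_* variables above into a Keystone v3 password authentication request scoped to the admin project, and reads the token id from the X-Subject-Token response header together with the service catalog of endpoints. The reply is a constructed sample in the shape of the real v3 response; the host ct and password ADMIN_PASS are the page's placeholders.

```python
import json
import urllib.request

# The OS_* values exported in ~/.bashrc above; ct and ADMIN_PASS are placeholders.
OS_ENV = {
    "OS_AUTH_URL": "http://ct:5000/v3", "OS_USERNAME": "admin",
    "OS_PASSWORD": "ADMIN_PASS", "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "admin", "OS_PROJECT_DOMAIN_NAME": "Default",
}

def build_auth_request(env):
    """JSON body for POST {OS_AUTH_URL}/auth/tokens: password authentication
    scoped to a project, which is what the openstack CLI sends."""
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}
    project = {"name": env["OS_PROJECT_NAME"],
               "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}},
                     "scope": {"project": project}}}

def parse_token_response(headers, body):
    """Return (token id, expiry, {service_type: {interface: url}}).
    Keystone v3 sends the token id in the X-Subject-Token header, not in
    the body; the body carries the expiry, roles and service catalog."""
    info = json.loads(body)["token"]
    catalog = {}
    for service in info.get("catalog", []):
        for ep in service["endpoints"]:
            catalog.setdefault(service["type"], {})[ep["interface"]] = ep["url"]
    return headers["X-Subject-Token"], info["expires_at"], catalog

def issue_token(env, opener=urllib.request.urlopen):
    """Run the exchange against a live Keystone (opener is injectable so the
    request path can be exercised without a server)."""
    req = urllib.request.Request(
        env["OS_AUTH_URL"] + "/auth/tokens", method="POST",
        data=json.dumps(build_auth_request(env)).encode(),
        headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return parse_token_response(resp.headers, resp.read())

# Constructed sample reply; the three endpoints are the URLs registered by bootstrap.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABconstructed-fernet-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2021-03-11T12:00:00.000000Z", "roles": [{"name": "admin"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": i, "url": "http://ct:5000/v3/", "region": "RegionOne"}
        for i in ("public", "internal", "admin")]}]}})
```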


Summary:

  • The Keystone component serves as the unified authentication and authorization module of the OpenStack cluster. Its core function is to manage User (user), Tenant (tenant), Role (role) and Token (token/credential); the manual deployment above is built around this function

  • User: The user who uses openstack.

  • Tenant: Tenant can be understood as a collection of resources owned by a person, project or organization. There can be many users in a tenant, and these users can use the resources in the tenant according to the division of permissions.

  • Role: Role, used to assign operation permissions. A role can be assigned to a user, so that the user obtains the operation authority corresponding to the role.

  • Token: a string of bits or characters used as a ticket for accessing resources. A token carries the scope of accessible resources and a validity period. A token is a kind of user credential: it is obtained by requesting it from the Keystone service with the correct username and password.

  • The approach to building OpenStack in manual deployment mode:
    1. Deploy module by module
    2. Prepare the basic environment for the module (download dependency packages, component packages, third-party tools/plugins), here for keystone
    3. Create and enable the module's function (using keystone as an example: create and initialize the authentication database, modify the configuration file, initialize the fernet key format, configure the identity authentication service)
    4. Verify

Origin blog.csdn.net/weixin_51614581/article/details/114678007