OpenStack (T version)—Identity Authentication (Keystone) service introduction and installation

Introduction to Keystone

Keystone official document introduction

OpenStack is a cloud computing platform project, and Keystone is its identity service: it provides authentication, authorization and a catalog of the available services and their endpoints. The other OpenStack services rely on Keystone to verify a user's identity and permissions, and they use the catalog to find each other. When an OpenStack service receives a request, it first has the token presented with that request validated by Keystone to check whether the user is allowed to perform the operation. Keystone is therefore the single, centralized identity service for the whole OpenStack deployment.

The Keystone identity service consists of the following parts

  • Server: a centralized server that provides authentication and authorization through a RESTful API

  • Drivers: back-end drivers integrated into the server that access identity information in repositories outside OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example an SQL database or an LDAP server)

  • Modules: middleware that runs inside the OpenStack services that use the identity service; it intercepts incoming requests, extracts the user's credentials (the token) and sends them to the server for validation and authorization

Keystone installation

Official document installation process

Install and configure the Keystone identity authentication service component on the control node

(1) Create the database

① Connect to the database from the operating system terminal

[root@controller ~]# mysql -uroot -p000000

The MariaDB root password (000000 in this setup) is given inline with -p. If the root account has no password yet, run "mysql -uroot -p" and just press Enter at the prompt. A password on the command line ends up in the shell history and is visible in the process list, so on a real system let the client prompt for it instead.

②Create Keystone database

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.001 sec)

③ Set the access permissions for the Keystone database

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
# Grant all privileges on the "keystone" database to the user "keystone",
# set its password to "000000", and allow the user to connect from any host.
# Syntax: GRANT [privileges] ON [database_name].[table_name] TO '[username]'@'[host]' IDENTIFIED BY '[password]';
# privileges: the privileges being granted
# database_name.table_name: the database and table to grant on; use the wildcard * for all databases or all tables
# username: the user being granted access
# host: the host name or IP address the user may connect from; the wildcard % means any host
# The official installation guide runs this statement twice, once for 'keystone'@'localhost' and once for 'keystone'@'%'.
# On a production controller, restrict the host part to the addresses that actually run Keystone instead of using %.

④Exit the database

MariaDB [(none)]> exit
Bye

(2) Install the packages

[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi

(3) Edit the file /etc/keystone/keystone.conf

In the [database] section, configure database access:

[root@controller ~]# vim /etc/keystone/keystone.conf
# Database connection settings in the Keystone configuration file, used to reach the MariaDB/MySQL database.
[database]
connection = mysql+pymysql://keystone:000000@controller/keystone
# connection: the database connection string, a URI made up of the following parts:
# mysql+pymysql: use a MySQL-compatible database through the PyMySQL driver.
# keystone:000000: the database user name ("keystone") and its password (000000).
# controller: the host name or IP address of the database server.
# /keystone: the name of the database to connect to.
# Comment out or remove any other "connection" line in this section, as the official guide instructs.
# The password sits here in clear text, so keep this file readable only by root and the keystone group.

In the [token] section, set the token provider:

# [token] section of the Keystone configuration file.
# It selects the token provider Keystone uses to generate and validate tokens.
[token]
provider = fernet
# provider = fernet: tokens are Fernet tokens. The token payload is encrypted and authenticated
# (AES-128-CBC plus HMAC-SHA256) with keys kept in /etc/keystone/fernet-keys, so Keystone does not
# have to persist each issued token in the database. Fernet is the default provider; the keys it
# needs are created in step (4) below.

Populate the Keystone database with the service's schema

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
# su: switch user.
# -s /bin/sh: use /bin/sh as the shell for the new user (the keystone service account has no login shell).
# -c "keystone-manage db_sync": the command to run; it creates the tables in the keystone database.
# keystone: the user to switch to, so that the migration runs as the service account and any files it writes are owned by keystone rather than root.

Check in the database that the schema was created

[root@controller ~]# mysql -uroot -p000000
MariaDB [(none)]> use keystone;
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
| consumer                           |
| credential                         |
| endpoint                           |
| endpoint_group                     |
| federated_user                     |
| federation_protocol                |
| group                              |
| id_mapping                         |
| identity_provider                  |
| idp_remote_ids                     |
| implied_role                       |
| limit                              |
| local_user                         |
| mapping                            |
| migrate_version                    |
| nonlocal_user                      |
| password                           |
| policy                             |
| policy_association                 |
| project                            |
| project_endpoint                   |
| project_endpoint_group             |
| project_option                     |
| project_tag                        |
| region                             |
| registered_limit                   |
| request_token                      |
| revocation_event                   |
| role                               |
| role_option                        |
| sensitive_config                   |
| service                            |
| service_provider                   |
| system_assignment                  |
| token                              |
| trust                              |
| trust_role                         |
| user                               |
| user_group_membership              |
| user_option                        |
| whitelisted_config                 |
+------------------------------------+
# Synchronization succeeded!

(4) Initialize the Fernet key repositories

# Creates /etc/keystone/fernet-keys with the keys used to encrypt and sign Fernet tokens
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

# Creates /etc/keystone/credential-keys with the keys used to encrypt credentials stored in the database
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Both repositories are owned by keystone:keystone, with the directory mode 0700 and the key files mode 0600. Anyone who can read the token keys can forge a valid token for any user, so protect them like a root password, back them up securely, and copy them unchanged to every Keystone node in a multi-node deployment. Rotate the token keys periodically with "keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"; older keys are kept (up to [fernet_tokens] max_active_keys) so tokens issued before the rotation still validate.
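The following check is an added example, not part of the original post or of Keystone's own tooling. It verifies a Fernet key repository the way a practitioner would after running fernet_setup: private directory and file modes, only numbered key files, a staged key 0 plus at least one primary key, and each key having the shape Keystone generates (32 random bytes, urlsafe base64, 44 characters). It assumes a Linux host with GNU stat; the throwaway repository it builds for the demonstration is constructed here and contains random keys, not keys from any real controller.

```bash
#!/bin/bash
# Added example, not from the original post or the Keystone project: sanity-check a Fernet
# key repository the way Keystone expects to find it after "keystone-manage fernet_setup".
# Assumptions: Linux with GNU stat; the repository holds files named 0, 1, 2, ... each
# containing one 44-character urlsafe-base64 Fernet key (32 random bytes encoded); file 0 is
# the staged key and the highest-numbered file is the primary key used to sign new tokens.

# check_fernet_repo DIR -> prints every problem found; returns 0 only when the repository
# is private (dir 0700, keys 0600) and holds a staged key plus at least one primary key.
check_fernet_repo() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || { echo "ERROR: $dir is mode $mode, expected 700"; rc=1; }
    count=0
    have_staged=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            *[!0-9]*) echo "ERROR: unexpected file $name in key repository"; rc=1; continue ;;
        esac
        count=$((count + 1))
        if [ "$name" = "0" ]; then have_staged=1; fi
        fmode=$(stat -c '%a' "$f")
        [ "$fmode" = "600" ] || { echo "ERROR: $f is mode $fmode, expected 600"; rc=1; }
        key=$(cat "$f")
        # 32 bytes -> 43 base64 characters plus one '=' of padding; urlsafe alphabet only
        if [ "${#key}" -ne 44 ] || [ "${key%=}" = "$key" ]; then
            echo "ERROR: $f does not have the length of a Fernet key"; rc=1
        fi
        case $key in
            *[!A-Za-z0-9_=-]*) echo "ERROR: $f contains non-urlsafe-base64 characters"; rc=1 ;;
        esac
    done
    [ "$have_staged" -eq 1 ] || { echo "ERROR: no staged key (file 0) in $dir"; rc=1; }
    [ "$count" -ge 2 ] || { echo "ERROR: expected a staged and a primary key, found $count file(s)"; rc=1; }
    return $rc
}

# make_demo_repo -> creates a throwaway repository with constructed keys in the layout
# that fernet_setup produces (two keys: 0 staged, 1 primary) and prints its path
make_demo_repo() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    for n in 0 1; do
        # constructed key: 32 random bytes, urlsafe base64 (the same shape Keystone generates)
        head -c 32 /dev/urandom | base64 | tr '+/' '-_' > "$dir/$n"
        chmod 600 "$dir/$n"
    done
    echo "$dir"
}

demo=$(make_demo_repo)
check_fernet_repo "$demo" && echo "demo repository OK"
rm -rf "$demo"
# On the controller itself (as root or keystone): check_fernet_repo /etc/keystone/fernet-keys
```

The same function applies unchanged to /etc/keystone/credential-keys, which fernet_setup's sibling credential_setup lays out identically. Run it after every fernet_rotate as well: rotation rewrites the repository, and a key file that came back world-readable is exactly the failure this catches.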

(5) Bootstrap the Identity service

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

# keystone-manage: the Keystone administration tool.
# bootstrap: initialize the service without an existing admin account. It creates the "admin" user in the
# Default domain, the "admin" project and the "admin" role, assigns the role, and registers the "identity"
# service together with its endpoints in the catalog.
# --bootstrap-password 000000: the password of the "admin" user. 000000 is a lab value; choose a strong
# password on any real deployment, since this account has full control of the cloud.

# --bootstrap-admin-url http://controller:5000/v3/
# The admin endpoint URL registered for the identity service.

# --bootstrap-internal-url http://controller:5000/v3/
# The internal endpoint URL registered for the identity service.

# --bootstrap-public-url http://controller:5000/v3/
# The public endpoint URL registered for the identity service.
# All three point at port 5000: since the Queens release the complete v3 API is served there and the
# separate admin port 35357 is no longer needed.

# --bootstrap-region-id RegionOne
# The region the endpoints are created in.

(6) Configure the Apache HTTP server

  1. Edit the file /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller:80
  2. Create a link to the file /usr/share/keystone/wsgi-keystone.conf, which defines the virtual host on port 5000 that runs Keystone under mod_wsgi:
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

(7) Complete the installation

Start the Apache HTTP service and enable it at boot

[root@controller ~]# systemctl start httpd.service && systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

Configure the admin client environment

[root@controller ~]# vim admin.sh
#!/bin/bash
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# source admin.sh 

Keystone: Create domains, projects, users and roles

(1)Create a new domain

[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | eca80f9ed6cf4c59b60d6f0f7a990a4c |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

(2) Create the service project

[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | c04317f643bb4065a25d9f0dca99aa5a |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

(3) Create a non-administrator project, user and role

Create project

[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 8102fbf519bd4d11875c77846bca665a |
| is_domain   | False                            |
| name        | myproject                        |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Create user

[root@controller ~]#  openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 04f0b33b14e1441882e227c8ac59d822 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
# --password-prompt: set the user's password interactively instead of passing it on the command line, so it does not end up in the shell history.

Create role

[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 5dcb93a78f2a4d64bececbc3bd564ac5 |
| name        | myrole                           |
| options     | {}                               |
+-------------+----------------------------------+

Assign the myrole role to the myuser user on the myproject project

[root@controller ~]# openstack role add --project myproject --user myuser myrole

Verify operation

Verify that the identity service is running before installing other services.

  1. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables, so that the following commands must name the endpoint explicitly and prompt for the password:
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
  2. As the admin user, request an authentication token:
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password: 
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-06-25T16:39:58+0000                                                                                                                                                                |
| id         | gAAAAABkmF_OmgOCJFRXojWqG4eJQCJIgYX-Hlce237WCFsN5VGYd8hYARzxgalCNl7bJa3qU1cBqT3iKWVb7zSAllofUClG8T6_R-569cvdYxr1mo1qle8M_TTW9QlM1JI5J8166YD8BSl0ag-W8UvlJUBHTtfZD3xpyX5sNMmPzqVOp3d2gMU |
| project_id | 682605389bcd4a2cb2978bef7ed25f1d                                                                                                                                                        |
| user_id    | 52ba5a9d946740bb8535dcf8cd3d99d6                                                                                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# --os-auth-url http://controller:5000/v3
# The Keystone authentication endpoint to talk to.

# --os-project-domain-name Default: the project belongs to the domain "Default".
# --os-user-domain-name Default: the user belongs to the domain "Default".
# --os-project-name admin: scope the token to the project "admin".
# --os-username admin: authenticate as the user "admin".
# token issue: authenticate with these credentials and ask Keystone to issue a new token.
# Password: the client prompts for the password of "admin" because OS_PASSWORD was unset above.
# The client authenticates with the user name and password and receives a token scoped to the
# "admin" project. The token is what the other OpenStack services accept to identify the caller
# and to decide what it may access. Its id is a bearer credential: whoever holds the string can
# act as admin until it expires, so never paste it into tickets, chat or logs.
  3. As myuser, the user created in the previous section, request an authentication token:
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
Password: 
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-06-25T16:45:35+0000                                                                                                                                                                |
| id         | gAAAAABkmGEfjyFXPq3xHAanyUBec8BhL2Dz5vKPIchDmSkWJKU5nVfHoikUKZGmV0IiDMBcP3qUKPOs8keRQD0phGRbJywMzH34ZcyeJApOBhSwEwht6ZtwyGMKneMv4NesiFlzoQ5Odsl__3IkdIsCwwDpHSpt7kaCATdMYZQl4SFdCjzq6Pw |
| project_id | 8102fbf519bd4d11875c77846bca665a                                                                                                                                                        |
| user_id    | 04f0b33b14e1441882e227c8ac59d822                                                                                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# Password: the client prompts for the password of "myuser".
# The client authenticates with the given user name and password and receives a token for
# "myuser" scoped to the project "myproject". The project_id and user_id in the output match
# the ids printed when myproject and myuser were created above, which confirms the scope.
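What "openstack token issue" does on the wire is a single POST to the v3 auth API; the block below is an added example, not part of the original post or of the OpenStack client, that writes that exchange out so it can be reproduced with curl and so the token can be read from the response. It assumes the endpoint http://controller:5000/v3 from this post. The sample response is constructed for the demonstration; only the token, user_id and project_id values are taken from the admin output above, and the curl command is printed rather than executed because it needs the live controller.

```bash
#!/bin/bash
# Added example, not from the original post or the Keystone project: the raw HTTP exchange
# that "openstack token issue" performs against the Identity v3 API, so it can be reproduced
# with curl and the token read out of the response headers.
# Assumptions: the endpoint http://controller:5000/v3 from the post; the sample response
# below is constructed (only the token, user_id and project_id are taken from the post).

OS_AUTH_URL=${OS_AUTH_URL:-http://controller:5000/v3}

# keystone_auth_body USER USER_DOMAIN PROJECT PROJECT_DOMAIN PASSWORD
# Prints the JSON body of a password-authenticated, project-scoped token request.
# (No JSON escaping is done: a quote or backslash in the password would break the body.)
keystone_auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# keystone_token_request USER USER_DOMAIN PROJECT PROJECT_DOMAIN PASSWORD
# Prints the curl command that sends the request (not executed here: it needs the live
# controller). -si keeps the status line and headers, which is where the token arrives.
keystone_token_request() {
    body=$(keystone_auth_body "$@")
    printf "curl -si -H 'Content-Type: application/json' -d '%s' %s/auth/tokens\n" \
        "$body" "$OS_AUTH_URL"
}

# The three readers below take a raw "curl -si" response on stdin.
response_status()       { sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p' | tr -d '\r'; }
extract_subject_token() { sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken:[[:space:]]*//p' | tr -d '\r'; }
extract_expires()       { sed -n 's/.*"expires_at": *"\([^"]*\)".*/\1/p'; }

# Constructed response: a successful project-scoped issue returns 201, the token in the
# X-Subject-Token header (not in the body) and the scope details in the JSON body.
SAMPLE_RESPONSE=$(cat <<'EOF'
HTTP/1.1 201 Created
Content-Type: application/json
X-Subject-Token: gAAAAABkmF_OmgOCJFRXojWqG4eJQCJIgYX-Hlce237WCFsN5VGYd8hYARzxgalCNl7bJa3qU1cBqT3iKWVb7zSAllofUClG8T6_R-569cvdYxr1mo1qle8M_TTW9QlM1JI5J8166YD8BSl0ag-W8UvlJUBHTtfZD3xpyX5sNMmPzqVOp3d2gMU
Vary: X-Auth-Token

{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "52ba5a9d946740bb8535dcf8cd3d99d6", "name": "admin"}, "project": {"domain": {"id": "default", "name": "Default"}, "id": "682605389bcd4a2cb2978bef7ed25f1d", "name": "admin"}, "roles": [{"name": "admin"}], "expires_at": "2023-06-25T16:39:58.000000Z", "issued_at": "2023-06-25T15:39:58.000000Z"}}
EOF
)

# summarize_response < response -> "status token_prefix... expires", the same facts the
# openstack client shows in its table; fails on anything but 201
summarize_response() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | response_status)
    token=$(printf '%s\n' "$resp" | extract_subject_token)
    expires=$(printf '%s\n' "$resp" | extract_expires)
    [ "$status" = "201" ] || { echo "token issue failed: HTTP $status"; return 1; }
    printf '%s %.12s... %s\n' "$status" "$token" "$expires"
}

keystone_token_request admin Default admin Default 000000
printf '%s\n' "$SAMPLE_RESPONSE" | summarize_response
```

Two things this makes visible that the client hides: the password travels in clear text inside the JSON body, so the endpoint must sit behind TLS outside a lab; and the token is only ever in the X-Subject-Token header, which is why a reverse proxy or log that captures response headers captures a reusable admin credential. Subsequent API calls present the same string in an X-Auth-Token request header.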

Define OpenStack client environment script

To save typing, OpenStack supports simple client environment scripts, also known as OpenRC files, which export the OS_* variables that the openstack client reads. These files hold passwords in clear text, so restrict them to their owner (chmod 600 admin-openrc.sh demo-openrc.sh) and keep them out of shared directories and version control.

Create script

Create admin project, demo project and user environment variable scripts

(1) Create the file admin-openrc.sh and add the following content:

[root@controller ~]# vim admin-openrc.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source admin-openrc.sh 

(2) Create the file demo-openrc.sh and add the following content (OS_PASSWORD must be the password that was typed at the --password-prompt step when myuser was created; 000000 was used here):

[root@controller ~]# vim demo-openrc.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source demo-openrc.sh

Verify

Request an authentication token:

[root@controller ~]# source admin-openrc.sh
[root@controller ~]# openstack token issue
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-06-25T17:01:30+0000                                                                                                                                                                |
| id         | gAAAAABkmGTaGJLynJgHwYQUneKhkWQpHTJ17fAdYj9uu1RlqNyGY8b1KBzK1d18iv_2nLzb39dL9L57M4MiaDGQosauVmIR6gwyJN3Yt5F0-b9vvlNmvx0s7xQ7EPTXRX-pEdnfpOGSHt-X8JZYeEpmrPVYL2vlMOBgBu2yGOgrd_dM3Srn1A0 |
| project_id | 682605389bcd4a2cb2978bef7ed25f1d                                                                                                                                                        |
| user_id    | 52ba5a9d946740bb8535dcf8cd3d99d6                                                                                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[root@controller ~]# source demo-openrc.sh
[root@controller ~]# openstack token issue
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-06-25T17:02:56+0000                                                                                                                                                                |
| id         | gAAAAABkmGUwoSmgAQpoJMC_T4AT9SyDM29wJDd8kcQ7b_s-_M0veGmebKoWa3cPAGlL7soq-P2yXzwmgxEmVvLvpz5eeupmkSasKpPeN7uC-NReLXzPuSDYqoWPVkaR-LaDcWfC5mQKXf2uZhQdL3tQdO3gDBJykzcqGeeRwFoYRD9tnvyCVe8 |
| project_id | 8102fbf519bd4d11875c77846bca665a                                                                                                                                                        |
| user_id    | 04f0b33b14e1441882e227c8ac59d822                                                                                                                                                        |
+------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

The project_id and user_id values are the same ones returned when each token was requested with explicit command-line options above, which confirms that both OpenRC files point at the intended account and project.

This article follows the video https://www.bilibili.com/video/BV1fL4y1i7NZ?p=7&vd_source=7c7cb4224e0c273f28886e581838b110

Origin blog.csdn.net/qq_52089863/article/details/131388265