1. Keystone Introduction
Keystone is the OpenStack component that provides a unified identity service to the other members of the OpenStack family: authentication, token issuance and validation, the service catalog, the definition of user permissions, and so on. Every authentication and authorization between services in the cloud environment goes through Keystone, so Keystone is the first service that must be installed on a cloud platform.
As the foundational support service of OpenStack, Keystone does the following:
(1) manages users and their permissions
(2) maintains the Endpoints of the OpenStack Services
(3) Authentication (who are you?) and Authorization (what may you do?)
2. Several concepts in Keystone
1) User
A User is any entity that can use OpenStack: a real person, or another system or service.
When a User accesses OpenStack, Keystone verifies it.
admin: the super administrator of the OpenStack platform, responsible for managing the OpenStack services and access rights.
demo: a non-privileged user and project used for routine (non-administrative) tasks; the demo project and the demo user are created for this purpose.
Besides admin and demo, OpenStack also creates a corresponding service User for nova, cinder, glance, neutron and the other services.
2) Credentials
Credentials are the information a User presents to prove its identity. They can be:
(1) username / password
(2) Token
(3) API key
(4) other advanced methods
3) Authentication
Authentication is Keystone's process of verifying a User's identity. The User submits a username and password as Credentials to Keystone; once verification passes, Keystone issues the User a Token, which serves as the Credential for subsequent access.
4) Token
A Token is a string of digits and letters that Keystone generates after a User has successfully authenticated and assigns to that User.
(1) The Token is used as the Credential for accessing Services.
(2) A Service checks the validity of a Token with Keystone.
(3) A Token is valid for a limited time, set by the expiration option in the [token] section of keystone.conf; Keystone's default is 3600 seconds (one hour). Because a Token is a bearer credential, anyone who obtains it can act as the User until it expires, so Tokens must not be logged or pasted into documentation.
5) Project
A Project is the unit that groups and isolates OpenStack resources (compute, storage and network). Depending on whom OpenStack serves, a Project can be a customer (in a public cloud, also called a tenant), a department, or a project team (in a private cloud).
note:
(1) Resources are owned by the Project, not by the User.
(2) In the OpenStack interface and documentation the terms Tenant / Project / Account all occur, but in the long term Project is the preferred term.
(3) Every User (including admin) must be attached to a Project in order to access that Project's resources. A User can belong to multiple Projects.
(4) admin is equivalent to the root user and holds the highest authority.
6) Service
Services include OpenStack Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron) and so on. Each Service exposes a number of Endpoints; Users access resources and perform operations through these Endpoints.
7) Endpoint
An Endpoint is an address reachable on the network, usually a URL. A Service exposes its API through Endpoints, and Keystone is responsible for managing and maintaining the Endpoints of every Service.
You can use the following command to view the Endpoint:
[root@node1 ~]# openstack catalog list
+----------+----------+-----------------------------------+
| Name     | Type     | Endpoints                         |
+----------+----------+-----------------------------------+
| keystone | identity | RegionOne                         |
|          |          |   admin: http://node1:35357/v3/   |
|          |          | RegionOne                         |
|          |          |   public: http://node1:5000/v3/   |
|          |          | RegionOne                         |
|          |          |   internal: http://node1:5000/v3/ |
|          |          |                                   |
+----------+----------+-----------------------------------+
8) Role
Security consists of two parts: Authentication and Authorization.
Authentication answers the question "Who are you?"
Authorization answers the question "What can you do?"
Keystone implements Authorization through Roles:
Keystone defines the Roles.
One or more Roles can be assigned to a User. Each Service decides what each Role may do through its own policy.json file. For example, the Nova service's /etc/nova/policy.json expresses the following: the create, attach_network and attach_volume operations may be performed by a User with any Role, but only a User with the admin Role may perform the forced_host operation.
The default OpenStack configuration only distinguishes between the admin Role and non-admin Roles. If you need to authorize a specific Role, modify policy.json. Note that in recent releases the default rules are defined in the service's code and the policy file (policy.json or policy.yaml) only holds overrides, so an empty or missing file does not mean "no policy".
Besides authenticating Users, OpenStack also has to determine whether a User is allowed to access a Service. Policy is what defines which Role has which permissions. For Keystone itself the Policy is a JSON file, by default /etc/keystone/policy.json. Through Policy, Keystone manages the permissions of Users.
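As an added illustration that is not from this page or from Nova, here is a policy.json fragment written to match the description above (the key names follow the classic Nova compute:create rules and are assumptions, not a copy of a real /etc/nova/policy.json), together with a minimal model of how a service evaluates it: an empty rule allows every Role, "is_admin:True" allows only an admin context, "role:<name>" matches a Role carried in the token, and "rule:<name>" references another rule. This is a simplified stand-in for oslo.policy, which is what the services actually use; the credentials dict mirrors what a service derives from a validated token.

```python
"""Minimal model of policy.json evaluation for the Nova rules described
above. Added illustration: a simplified stand-in for oslo.policy that
supports only "" (allow everyone), "!" (deny), "role:<name>",
"is_admin:True", "rule:<name>", and "and"/"or" between them.
"""
import json

# Fragment written to match the description above; the key names follow the
# classic Nova compute:create rules and are assumptions, not a copy of a
# real /etc/nova/policy.json.
NOVA_POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:True",
    "compute:create": "",
    "compute:create:attach_network": "",
    "compute:create:attach_volume": "",
    "compute:create:forced_host": "is_admin:True"
}
"""


def _check_atom(atom, creds):
    """Evaluate one check such as role:admin against the caller's credentials."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return bool(creds.get("is_admin")) == (value == "True")
    raise ValueError(f"unsupported check: {atom!r}")


def _evaluate(expr, creds, rules):
    """'or' binds looser than 'and', as in oslo.policy (no parentheses here)."""
    if " or " in expr:
        return any(_evaluate(p, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(_evaluate(p, creds, rules) for p in expr.split(" and "))
    expr = expr.strip()
    if expr.startswith("rule:"):
        return _evaluate(rules[expr[len("rule:"):]], creds, rules)
    return _check_atom(expr, creds)


def enforce(policy_text, action, creds):
    """True if the caller may perform `action` under the given policy text.
    An action with no rule falls back to the "default" rule, or is denied."""
    rules = json.loads(policy_text)
    return _evaluate(rules.get(action, rules.get("default", "!")), creds, rules)


def credentials_for(roles):
    """Credentials as a service would derive them from a validated token;
    is_admin follows the common context_is_admin convention (admin role)."""
    roles = list(roles)
    return {"roles": roles, "is_admin": "admin" in roles}


if __name__ == "__main__":
    for who in (["user"], ["admin"]):
        for action in ("compute:create", "compute:create:forced_host"):
            print(who, action, enforce(NOVA_POLICY_JSON, action, credentials_for(who)))
```

Running the block shows the split the text describes: both Roles may create, only admin may use forced_host. Unknown actions are denied unless the policy defines a "default" rule.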
3. Prepare the OpenStack environment
1) Install the OpenStack client packages
yum install python-openstackclient
yum install openstack-selinux
2) Prepare the database
yum install mariadb mariadb-server python2-PyMySQL
vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.52.101
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
systemctl enable mariadb.service
systemctl start mariadb.service
mysql_secure_installation   # initialize the database: set the root password, remove anonymous users and the test database
3) Set up the message queue
yum install rabbitmq-server
systemctl restart rabbitmq-server.service
systemctl enable rabbitmq-server.service
# create the openstack user (the second argument is the password; replace it with a strong one)
rabbitmqctl add_user openstack openstack
rabbitmqctl set_permissions openstack ".*" ".*" ".*"   # configure, write and read on every resource of the default vhost
4) Set up the caching service
yum install memcached python-memcached
vim /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1,::1,controller,node1"   # listen only on these addresses; memcached has no authentication
systemctl restart memcached.service
systemctl enable memcached.service
4. Deploy the Keystone service
1) Installation and configuration
(1) Log in to the database and create the keystone database
mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;   # create the keystone database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';   # grant rights and set the password, allowing login from this host
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';   # grant rights and set the password, allowing login from any host
Replace KEYSTONE_DBPASS with a strong password. The '%' grant admits any host that can reach the bind-address above; if Keystone runs on the controller only, restrict it to the controller's address instead.
(2) Install and configure the keystone package
yum install openstack-keystone httpd mod_wsgi
vim /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
Or set it up the following way:
cp -a /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak   # back up the configuration file
vim /etc/keystone/keystone.conf   # delete the contents of the configuration file and add all of the following
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
(3) Populate the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
(4) Initialize the Fernet key repositories
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
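keystone-manage fernet_setup creates /etc/keystone/fernet-keys/ containing key 0 (the staged key) and key 1 (the primary key), with the directory readable only by the keystone user. Anyone who can read the primary key can forge tokens for any User, so ownership and mode are worth checking after setup and after every keystone-manage fernet_rotate. The following added example (not Keystone code) encodes those checks; the repository path and owner name are parameters, and the sample repository it builds for testing lives in a temporary directory with placeholder key material.

```python
"""Check a Fernet key repository for the layout and permissions that
keystone-manage fernet_setup creates (directory 0700, key files 0600,
everything owned by the keystone user). Added example, not Keystone code;
path and owner are parameters, and the sample repository used for testing
is built in a temporary directory.
"""
import os
import pwd
import stat
import tempfile


def current_user():
    return pwd.getpwuid(os.getuid()).pw_name


def repo_problems(path, owner="keystone"):
    """Return a list of findings; an empty list means the repository is sound."""
    problems = []
    try:
        owner_uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        owner_uid = None  # owner unknown on this host: ownership checks are skipped

    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"directory mode {mode:04o} grants group/other access (expected 0700)")
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append(f"directory is not owned by {owner}")

    # Keystone names keys by integer: 0 is the staged key and the highest
    # number is the primary key that signs new tokens.
    keys = sorted((n for n in os.listdir(path) if n.isdigit()), key=int)
    if len(keys) < 2:
        problems.append("fewer than two keys; fernet_setup creates 0 (staged) and 1 (primary)")
    for name in keys:
        kst = os.stat(os.path.join(path, name))
        kmode = stat.S_IMODE(kst.st_mode)
        if kmode & 0o077:
            problems.append(f"key {name} mode {kmode:04o} is readable by group/other (expected 0600)")
        if owner_uid is not None and kst.st_uid != owner_uid:
            problems.append(f"key {name} is not owned by {owner}")
        if kst.st_size == 0:
            problems.append(f"key {name} is empty")
    return problems


def make_sample_repo(dir_mode=0o700, key_mode=0o600, keys=("0", "1")):
    """Build a throwaway repository with placeholder key material for testing."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    os.chmod(path, dir_mode)
    for name in keys:
        key_path = os.path.join(path, name)
        with open(key_path, "w") as f:
            f.write("PLACEHOLDER-NOT-A-REAL-FERNET-KEY")  # constructed content
        os.chmod(key_path, key_mode)
    return path


if __name__ == "__main__":
    # On a real controller run this as root against the live repository.
    for finding in repo_problems("/etc/keystone/fernet-keys") or ["ok"]:
        print(finding)
```

The same checks apply to the credential key repository created by keystone-manage credential_setup (/etc/keystone/credential-keys/ by default); only the path argument changes.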
(5) Bootstrap the Identity service
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://node1:35357/v3/ \
  --bootstrap-internal-url http://node1:5000/v3/ \
  --bootstrap-public-url http://node1:5000/v3/ \
  --bootstrap-region-id RegionOne
This creates the admin user, the admin project and role, and the identity endpoints shown earlier. Replace the bootstrap password "admin" with a strong one; it is the OS_PASSWORD used to log in below.
(6) Configure the httpd service
vim /etc/httpd/conf/httpd.conf
ServerName node1   # the only change needed
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/   # create a symbolic link
[root@node1 ~]# cd /etc/httpd/conf.d
[root@node1 conf.d]# ls -l
total 16
-rw-r--r--. 1 root root 2926 Nov  5 2018 autoindex.conf
-rw-r--r--. 1 root root  366 Nov  5 2018 README
-rw-r--r--. 1 root root 1252 Oct 30 2018 userdir.conf
-rw-r--r--. 1 root root  824 Oct 30 2018 welcome.conf
lrwxrwxrwx. 1 root root   38 Jul 29 14:47 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf
systemctl restart httpd.service
systemctl enable httpd.service
(7) Set the login environment
vim openrc
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://node1:35357/v3
export OS_IDENTITY_API_VERSION=3
source openrc   # log in to OpenStack from the command line
The file holds the admin password in clear text, so keep it readable only by its owner (chmod 600 openrc).
2) Create a domain, projects, users and roles
(1) Create the service and demo projects
openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a1710fdff32a4605a8ab549f8680dd45 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
Create the demo project:
openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9f4f23f099bb4da3bc41c99f7a8a4f20 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
List the projects:
openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 7d3f0cd56a104c60a36196675f62428e | admin   |
| 9f4f23f099bb4da3bc41c99f7a8a4f20 | demo    |
| a1710fdff32a4605a8ab549f8680dd45 | service |
+----------------------------------+---------+
(2) Create the demo user and its password
openstack user create --domain default --password-prompt demo   # enter the password interactively
or:
openstack user create --domain default --password=demo demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | e880cc125bb541128c9bc47233d91732 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
List the users:
openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| cd9ce1eb589b445e9b98c53a36bdc8d8 | admin |
| e880cc125bb541128c9bc47233d91732 | demo  |
+----------------------------------+-------+
Prefer --password-prompt: a password given on the command line ends up in the shell history and is visible to other users in the process list.
(3) Create the user role
openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 348324e7aee745229551eb412fd96a18 |
| name      | user                             |
+-----------+----------------------------------+
List the roles:
openstack role list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 348324e7aee745229551eb412fd96a18 | user     |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| c6b4ab1a75d041e298f59570bd7dd46e | admin    |
+----------------------------------+----------+
(4) Assign the user role to the demo user in the demo project
openstack role add --project demo --user demo user
3) Verify the login
(1) Unset the environment variables
unset OS_AUTH_URL OS_PASSWORD
(2) Request a token as the admin user
openstack --os-auth-url http://node1:35357/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------------------------+
| Field      | Value                                                                                     |
+------------+-------------------------------------------------------------------------------------------+
| expires    | 2019-07-29T09:44:06+0000                                                                  |
| id         | gAAAAABdPrHWXAwrKHKnU3CMr5odqMjYwK90C5bD6rdPEfoJzTuAh-G3YZcb0SHzr8ek8qaS5zgN4haULRxpgcrliXJ32hhKvmN8UZTSRgW58l_Nu1e1l4gjDjxXyUS25a4krWJ46brr4qpq3AvUu40_B9ccw9Z_7vjiDA_-FTKpmqFnRNrAH-k |
| project_id | 7d3f0cd56a104c60a36196675f62428e                                                          |
| user_id    | cd9ce1eb589b445e9b98c53a36bdc8d8                                                          |
+------------+-------------------------------------------------------------------------------------------+
The id is a Fernet token (the gAAAAA prefix is the Fernet version byte and timestamp). It is a bearer credential valid until the expires time, so treat it like a password.
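The token issue command above is a POST /v3/auth/tokens (the same request the access log in the troubleshooting section records), and the Token concept described earlier is what comes back. Here, as an added example that is not part of the original page, is that exchange in Python: the request body the client sends, and what a client extracts from the reply. The response is a constructed, trimmed sample built from the IDs and endpoints printed on this page; the issued_at value and the token string are placeholders. Two details matter: the token ID travels in the X-Subject-Token response header, not in the body, and a service validates a token it receives by calling GET /v3/auth/tokens with its own token in X-Auth-Token and the user's token in X-Subject-Token.

```python
"""Identity v3 password authentication as Python dicts. Added example; the
response below is a constructed, trimmed sample (IDs and endpoints taken
from this page, token string and issued_at are placeholders).
"""
import json
from datetime import datetime, timezone


def password_auth_body(username, password, project,
                       user_domain="Default", project_domain="Default"):
    """Body of POST /v3/auth/tokens for password auth scoped to a project
    (what the openstack CLI sends for `token issue`)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


# Constructed sample of a 201 Created reply. The token ID is only in the
# X-Subject-Token header; the body carries expiry, roles and the catalog.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABdPrHW-placeholder-not-a-live-token"}
SAMPLE_BODY = json.dumps({
    "token": {
        "expires_at": "2019-07-29T09:44:06.000000Z",
        "issued_at": "2019-07-29T08:44:06.000000Z",  # assumption: one-hour lifetime
        "methods": ["password"],
        "user": {"id": "cd9ce1eb589b445e9b98c53a36bdc8d8", "name": "admin"},
        "project": {"id": "7d3f0cd56a104c60a36196675f62428e", "name": "admin"},
        "roles": [{"id": "c6b4ab1a75d041e298f59570bd7dd46e", "name": "admin"}],
        "catalog": [{
            "type": "identity", "name": "keystone",
            "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": "http://node1:5000/v3/"},
                {"interface": "internal", "region": "RegionOne", "url": "http://node1:5000/v3/"},
                {"interface": "admin", "region": "RegionOne", "url": "http://node1:35357/v3/"},
            ],
        }],
    }
})


def utc(stamp):
    """Parse Keystone's expires_at/issued_at format into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_token_response(headers, body):
    """Pull out what a client keeps: token ID, expiry, scope, roles, catalog."""
    tok = json.loads(body)["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires_at": utc(tok["expires_at"]),
        "user": tok["user"]["name"],
        "project": tok.get("project", {}).get("name"),
        "roles": [r["name"] for r in tok.get("roles", [])],
        "catalog": tok.get("catalog", []),
    }


def token_is_valid(parsed, now):
    """A token is usable strictly before its expires_at."""
    return now < parsed["expires_at"]


def endpoint_url(catalog, service_type, interface="public", region=None):
    """Resolve a service URL from the catalog the way a client does."""
    for svc in catalog:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    return None


if __name__ == "__main__":
    print(json.dumps(password_auth_body("admin", "admin", "admin"), indent=2))
    tok = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(tok["roles"], endpoint_url(tok["catalog"], "identity", "admin"))
```

The body printed first is exactly what the CLI POSTs after the unset OS_AUTH_URL OS_PASSWORD step, with the password taken from the prompt; sending it over plain http, as the node1 URLs here do, exposes that password on the wire, so production endpoints should be https.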
5. Troubleshooting
OpenStack troubleshooting relies mainly on the logs; each service has its own log file.
Keystone has two main logs: keystone.log in /var/log/keystone/ and keystone_access.log in /var/log/httpd/ (Keystone runs under httpd, so its access log is written by Apache).
vim /var/log/keystone/keystone.log
2019-07-29 14:36:47.607 43150 INFO migrate.versioning.api [-] 66 -> 67...
2019-07-29 14:36:48.060 43150 INFO migrate.versioning.api [-] done
2019-07-29 14:36:48.060 43150 INFO migrate.versioning.api [-] 67 -> 68...
2019-07-29 14:36:48.065 43150 INFO migrate.versioning.api [-] done
2019-07-29 14:36:48.065 43150 INFO migrate.versioning.api [-] 68 -> 69...
2019-07-29 14:36:48.069 43150 INFO migrate.versioning.api [-] done
2019-07-29 14:36:48.069 43150 INFO migrate.versioning.api [-] 69 -> 70...
2019-07-29 14:36:48.073 43150 INFO migrate.versioning.api [-] done
vim /var/log/httpd/keystone_access.log
192.168.52.101 - - [29/Jul/2019:15:01:40 +0800] "GET /v3 HTTP/1.1" 200 245 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
192.168.52.101 - - [29/Jul/2019:15:01:42 +0800] "POST /v3/auth/tokens HTTP/1.1" 201 1082 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
192.168.52.101 - - [29/Jul/2019:15:02:21 +0800] "GET /v3 HTTP/1.1" 200 245 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
192.168.52.101 - - [29/Jul/2019:15:02:23 +0800] "POST /v3/auth/tokens HTTP/1.1" 201 1082 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
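Each POST /v3/auth/tokens answered with 201 above is a successful login; a rejected password is the same request answered with 401. Because the file is Apache combined format, it is easy to scan for password guessing. The following added example (not part of the page) parses such lines and counts failures per client address; its sample mixes two of the successful lines above with constructed 401 lines for a made-up client 192.168.52.200, ending in a 201 to show the failures-then-success pattern a guessed password leaves.

```python
"""Scan keystone_access.log for failed token requests per client address.
Added example; SAMPLE_LOG combines two lines from this page with constructed
401/201 lines for a made-up client 192.168.52.200.
"""
import re
from collections import Counter

# Apache combined log format as written for the mod_wsgi-hosted Keystone.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
192.168.52.101 - - [29/Jul/2019:15:01:40 +0800] "GET /v3 HTTP/1.1" 200 245 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
192.168.52.101 - - [29/Jul/2019:15:01:42 +0800] "POST /v3/auth/tokens HTTP/1.1" 201 1082 "-" "osc-lib/1.3.1 keystoneauth1/2.18.0 python-requests/2.11.1 CPython/2.7.5"
192.168.52.200 - - [29/Jul/2019:15:05:01 +0800] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-requests/2.11.1"
192.168.52.200 - - [29/Jul/2019:15:05:02 +0800] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-requests/2.11.1"
192.168.52.200 - - [29/Jul/2019:15:05:03 +0800] "POST /v3/auth/tokens HTTP/1.1" 401 114 "-" "python-requests/2.11.1"
192.168.52.200 - - [29/Jul/2019:15:05:04 +0800] "POST /v3/auth/tokens HTTP/1.1" 201 1082 "-" "python-requests/2.11.1"
"""


def parse_line(line):
    """Return a dict of the fields we use, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_token_request(rec):
    """POST /v3/auth/tokens is the password (or other method) login call."""
    return rec["method"] == "POST" and rec["path"].split("?")[0] == "/v3/auth/tokens"


def auth_failures_by_ip(log_text):
    """Number of 401 responses to token requests, per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_token_request(rec) and rec["status"] == 401:
            counts[rec["ip"]] += 1
    return counts


def suspicious_clients(log_text, threshold=3):
    """Addresses with at least `threshold` failures, and whether a 201 followed
    the failures (the footprint of a password that was eventually guessed)."""
    state = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_token_request(rec):
            continue
        s = state.setdefault(rec["ip"], {"failures": 0, "success_after_failure": False})
        if rec["status"] == 401:
            s["failures"] += 1
        elif rec["status"] == 201 and s["failures"] > 0:
            s["success_after_failure"] = True
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    print(auth_failures_by_ip(SAMPLE_LOG))
    print(suspicious_clients(SAMPLE_LOG))
```

The access log only shows the client address and status, not the username that was tried; for that, correlate with keystone.log, where failed authentications are logged at WARNING level.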
If you need more detailed log output, enable the debug option in the configuration file. Debug logging is verbose and can record request details that should not sit in plain-text logs, so turn it back off once the problem is found.
vim /etc/keystone/keystone.conf
[DEFAULT]
debug=True