General Contents
Details and installation of Keystone
1. Component description
Keystone is the name of the OpenStack Identity Service. It is a component responsible for Identity management and authorization. Implements user identity authentication, role-based permission management, and access address and security policy management for other openstack components
Why is Keystone needed? The Keystone project is designed to provide services to all components of openstack (such as Nova, Cinder, Glance…). Provides a unified authentication mode
⚫ User management Account Authentication Identity Authentication Authorization Authorization
⚫ Service catalog management
User The digital representation of a person, system, or service in OpenStack. Logged-out users are assigned token rings to access resources. Users can be directly assigned to specific tenants, as if belonging to each group. Credentials Data used to authenticate the user. Example: user name and password, user name and API key, or Authentication token provided by Authentication service Authentication the process of confirming a user's identity. Token An alphanumeric string used to access Stackapi and resources. A temporary Tenant can be revoked at any time and remains valid for a period of time. Tenant a container for an organization or isolated resource. Tenants and can organize or quarantine authentication objects. Depending on the requirements of service operations, a tenant can be mapped to a customer, account, organization, or project. Service OpenStack services, such as Nova, Swift, or Glance. It provides one or more endpoints for users to access resources and perform actions. A network accessible address, usually a URL, that is used to access a service. Role A customized permission set that contains specific user rights and privileges. Keystone Client A Keystone command-line tool. With this tool you can create users, roles, services and endpoints...Copy the code
Example Understanding: User: Zhang SAN Credentials: ID authentication: ID authentication Token: room card Tenant: hotel services: accommodations and meals Endpoint: Path Role: VIP Keystone Client (Keystone command line tool) A command line tool of Keystone. With this tool you can create users, roles, services and endpoints…
2. Communication between components
1. User authentication process
2. Interaction between components
3. User role service interaction process
You can leave me a message if you don’t understand
3. Construct experiments
Install Mariadb on the controller node
1Install the mariadb software package. Yum -y install mariadb mariadb-server mysql-python net-tools vim2Edit the /etc/yum. CNF software and set the binding IP address and default database engine and character set to UTF-8[root@controller ~]# vim /etc/my.cnf [mysqld] ... . . bind-address =192.168222.. 5
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'character-set-server = utf8 ... .3Restart the service systemctl restart mariadb systemctl enable mariadb mysql_secure_installationCopy the code
1. Functions: Coordinate operations and status information services
2, the common message agent software RabbitMQ Qpid ZeroMQ
3. Install and configure RabbitMQ on the controller
[root@controller ~]# yum -y install rabbitmq-server
[root@controller ~]# systemctl enable rabbitmq-server && systemctl start rabbitmq-server
ln -s '/usr/lib/systemd/system/rabbitmq-server.service' '/etc/systemd/system/multi-user.target.wants/rabbitmq-server.service'
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@The '%' IDENTIFIED BY 'KEYSTONE_DBPASS'; Generate a random value as a management token in the initial configuration of OpenSSLRand - HEX10: 69ee876515186f15d6e2 Installation package yum install openstack- Keystone Python-KeystoneclientCopy the code
vim /etc/keystone/keystone.conf [DEFAULT] ... Admin_token = Random value generated [database]... connection =mysql://keystone:[email protected]/keystone
[token]
...
provider = keystone.token.providers.uuid.Providerdriver = keystone.token.persistence.backends.sql.Token
[DEFAULT]
...
verbose = True
Copy the code
4. Configure Keystone Users, Tenants, and Roles ()
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# chown -R keystone:keystone /var/log/keystone/
[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl/
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl/
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync"[root@controller ~]# systemctl enable openstack- keyston. service ln -s'/usr/lib/systemd/system/openstack-keystone.service' '/etc/systemd/system/multi-user.target.wants/openstack-keystone.service'[root@controller ~]# systemctl start openstack- keystone-service schedule task, Delete expired tokens every hour [root@controller ~]# (crontab-l -u Keystone2> &1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush>/var/log/keystone/
keystone-tokenflush.log 2>&1' >> /var/Spool /cron/ Keystone Configure administrator tokens and endpoints [root@controller ~]#export OS_SERVICE_TOKEN=69ee876515186f15d6e2
[root@controller ~]# export OS_SERVICE_ENDPOINT=http:/ / controller.nice.com: 35357 / v2.0Create tenants, users, and roles for management1Create tenant admin [root@controller ~]# keystone tenant-create --name admin --description"Admin Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | dc4de4d7ecda4ed898b5e0d82809d2ad |
| name | admin |
+-------------+----------------------------------+
2Create user admin [root@controller ~]# keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | EMAIL_ADDRESS | | enabled | True | | id | 4486fd5b469945de95c8b98fc66f4eb5 | | name | admin | | username | admin | +----------+----------------------------------+3Create the admin role/root @ controller ~ # keystone role - create -- the name admin + -- -- -- -- -- -- -- -- -- - + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + | Property | Value | +----------+----------------------------------+ | id | 09f18f69a9ad44648660189411af5448 | | name | admin | +----------+----------------------------------+4Add tenant and user admin to role admin [root@controller ~]# keystone user-role-add --tenant admin --user admin --role admin5Example Create the _member_ role [root@controller ~]# keystone role-create --name _member_ for dashboard access +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | bec56706ca954a17ab5ffd81e042d7e0 | | name | _member_ | +----------+----------------------------------+6Add tenant admin and user admin to _member_ role [root@controller ~]# keystone user-role-add --tenant admin --user admin --role _member_ 2. Create demo for demonstration1Create a demo tenant and user [root@controller ~]# keystone tenant-create --name demo --description"Demo Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Demo Tenant |
| enabled | True |
| id | ab56bdec367e478cbdfbd1769f9c1649 |
| name | demo |
+-------------+----------------------------------+
2The demo user [root@controller ~]# keystone user-create --name demo --pass DEMO_PASS --email EMAIL_ADDRESS is created +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | EMAIL_ADDRESS | | enabled | True | | id | 47adadf9db2d4ac98c2c9af7a28555bd | | name | demo | | username | demo | +----------+----------------------------------+3Add demo tenants and users to _member_ role [root@controller ~]# keystone user-role-add --tenant demo --user demo --role _member_ The OpenStack service industry requires a tenant. Users and roles interact with other services. So we create a service tenant [root@controller ~]# keystone tenant-create --name service --description"Service Tenant"+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | Bd2246ec33d5486dac0fc5f55fc4c50c | | name | service | + -- -- -- -- -- -- -- -- -- -- -- -- - + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - + 4, create a service entity, and API endpoint1Create a service entity for identity service [root@controller ~]# keystone service-create --name keystone --type identity --description"OpenStackIdentity"+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | OpenStackIdentity | | enabled | True | | id | a66eb07187a5482d9a591c8b0381e0b9 | | name | keystone | | type | identity | + -- -- -- -- -- -- -- -- -- -- -- -- - + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- + 2 it provides three API endpoint for each service: Admin,internal,public create API endpoint for identity service [root@controller ~]# keystone endpoint-create --service-id $(keystone service-list | awk'/ identity / {print $2}') --publicurl http:/ / controller.nice.com: 5000 / v2.0 - internalurl http://controller.nice.com:5000/v2.0 - adminurl http://controller.nice.com:35357/v2.0 - region regionOne
+-------------+---------------------------------------+
| Property | Value |
+-------------+---------------------------------------+
| adminurl | http:/ / controller.nice.com: 35357 / v2.0 |
| id | d25caf7e941d49d4a2a3d0ff98d09f97 |
| internalurl | http:/ / controller.nice.com: 5000 / v2.0 |
| publicurl | http:/ / controller.nice.com: 5000 / v2.0 || region | regionOne | | service_id | a66eb07187a5482d9a591c8b0381e0b9 | + -- -- -- -- -- -- -- -- -- -- -- -- - + -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - + 5, confirm the operation1Unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT [root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT2[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 token - a get+-----------+----------------------------------+ | Property | Value | +-----------+----------------------------------+ | expires |2020-07-24T11:01:42Z |
| id | f8c98c7983fd46da97208caf4bcac9a8 |
| tenant_id | dc4de4d7ecda4ed898b5e0d82809d2ad |
| user_id | 4486fd5b469945de95c8b98fc66f4eb5 |
+-----------+----------------------------------+
3View the tenant list as the admin tenant and user [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 tenant - the list
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| dc4de4d7ecda4ed898b5e0d82809d2ad | admin | True |
| ab56bdec367e478cbdfbd1769f9c1649 | demo | True |
| bd2246ec33d5486dac0fc5f55fc4c50c | service | True |
+----------------------------------+---------+---------+
4View the user list as the admin tenant and user [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 user - the list+----------------------------------+-------+---------+---------------+ | id | name | enabled | email | +----------------------------------+-------+---------+---------------+ | 4486fd5b469945de95c8b98fc66f4eb5 | admin | True | EMAIL_ADDRESS | | 47adadf9db2d4ac98c2c9af7a28555bd | demo | True | EMAIL_ADDRESS | +----------------------------------+-------+---------+---------------+5View the role list as the admin tenant and user [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 role - the list
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| bec56706ca954a17ab5ffd81e042d7e0 | _member_ |
| 09f18f69a9ad44648660189411af5448 | admin |
+----------------------------------+----------+
6[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 token - a get+-----------+----------------------------------+ | Property | Value | +-----------+----------------------------------+ | expires |2020-07-24T11:02:51Z |
| id | 740e933e60464fe58d84d00e4ecb9d15 |
| tenant_id | ab56bdec367e478cbdfbd1769f9c1649 |
| user_id | 47adadf9db2d4ac98c2c9af7a28555bd |
+-----------+----------------------------------+
7View the user list as the demo tenant and user [root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS --os-auth-url http:/ / controller.nice.com: 35357 / v2.0 user - the list
You are not authorized to perform the requested action: admin_required (HTTP 4036. Create an OpenStack client environment script1Shexport OS_TENANT_NAME= adminExport OS_USERNAME= adminExport OS_PASSWORD=ADMIN_PASSexport OS_AUTH_URL=http:/ / controller.nice.com: 35357 / v2.0
2Shexport OS_TENANT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=DEMO_PASSexport OS_AUTH_URL= HTTP:/ / controller.nice.com: 5000 / v2.0
Copy the code
The Keystong component is successfully installed