OpenStack Certification Service KeyStone [II] 03/28 Update SLTechnology News&Howtos

OpenStack Certification Service KeyStone [II]

2025-03-28 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >

Shulou(Shulou.com)06/01 Report--

OpenStack Certification Service KeyStone [II]

Openstack

Time: November 23, 2016

Introduction of openstack Certification Service Keystone

Keystone function:

1. User and authentication: user rights and user behavior tracking

two。 Service catalog: provides a service catalog, including breakpoints for all service items and related Api

3.SOA related knowledge

Keystone main two main functions user authentication service directory (equivalent to a registry)

Introduction of several nouns of user authentication

User: user

It uses a number to represent a person, system, or service that uses an openstack cloud service. The authentication service will validate incoming requests that the user declares to be invoked

A tenant can have multiple users

A user can belong to one or more tenants

The user's rights to the tenant and operation are determined by the user's role in the tenant.

Project: project

It is a collection of resources, or resource groups, that can be accessed in each service. It is a container that organizes and isolates resources, or identifies objects.

Token: token

Role: roles

Represents a set of resource permissions that users can access, such as virtual machines in Nova, images in Glance

Introduction to two nouns of service catalogue

Service: servic

Service as a service, such as Nova, Glance, Swift. Based on the first three concepts (User,Tenant and Role), a service can confirm whether the current user has access to their resources. But when a user tries to access a service within its tenant, he must know if the service exists and how to access the service.

Endpoint: endpoint

Endpoint translates as "endpoint". We can understand that it is an access point exposed by a service, and if you need to access a service, you must know its endpoint. Each URL of Endpoint corresponds to the access address of a service instance and has public, orivate and admin permissions. Pubic url can be completely accessed globally, private url can only be accessed by local area network, and admin url is separated from regular access.

Install KeyStone

Install the Openstack Authentication Service KeyStone

[root@linux-node1 ~] # yum install-y openstack-keystone httpd mod_wsgi memcached python-memcached

Tip: wsgi is a cgi interface for python (keystone needs to be run using httpd)

Be careful!

Edit the file / etc/keystone/keystone.conf, we only need to modify the configuration file of keystone to manage keystone.

In the configuration file, the content in [xxx] is called the configuration column (similar to the mysql configuration file [mysqld] below)

In the [DEFAULT] section, define the value of the initial management token:

We use openssl to generate a random value

[root@linux-node1 ~] # openssl rand-hex 101b0abfc7e9a314a0fd7f [root@linux-node1 ~] # vim / etc/keystone/ keystone.confs [default] admin_token = 1b0abfc7e9a314a0fd7f

Keystone has no users by default, so you need to create users. In this way, we add admin_token to the configuration file, which can be accessed using admin_token without a user. You can also set not to use a user name and password. To put it simply, admin_token is the user of Super Admin at initialization.

In the [database] section, configure database access:

[database] connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone

User name: password: database address: database name

Because we need to save the user's password to the database, we need to configure the database

Configure the provider of the Fernet UUID token

There are four ways to provide tokens [fernet | pkiz | pki | uuid] default to uuid

[token] provider = fernetdriver = memcache

It is stored in sql by default, and we need to modify it to memcache.

Tip: we can refer to the following article about why we chose fernet

Analysis of several ways of generating token in Keystone

Http://blog.csdn.net/miss_yang_cloud/article/details/49633719

Configure memcached

[memcache] servers = 192.168.56.11purl 11211

Tip: the official default is localhost, but if it is a formal production environment, it may be on another server.

Summary keystone has the following configuration

[root@linux-node1 ~] # grep'^ [Amurz]'/ etc/keystone/ Keystone.confession [default] admin_token = 1b0abfc7e9a314a0fd7f [database] connection = mysql + pymysql://keystone:keystone@192.168.56.11/ Keystone [Memcached] servers = 192.168.56.11: 11211 [token] provider = fernetdriver = memcache

Initialize the database

[root@linux-node1] # su-s / bin/sh-c "keystone-manage db_sync" keystone

Will automatically find the mysql connection in the keystone configuration file to help us create tables in the database

Question: why should we use keystone users to synchronize the database?

Because the synchronous database will write a log at / var/log/keystone, if you use root permission, keystone will read the log when it starts, then it will not be able to read and there will be a startup error.

Check whether the table is created successfully

[root@linux-node1] # mysql-h 192.168.56.11-ukeystone-pkeystone-e "use keystone;show tables;"

Warm Tip: if you look at the table and find that it is not, then we should check / var/log/keystone.log to ask questions in the group must first look at no questions to ask questions.

Initialize Fernet keys

Create related certificates

[root@linux-node1] # keystone-manage fernet_setup-- keystone-user keystone--keystone-group keystone

After executing the command, the fernet-keys directory will be generated under / etc/keystone, and its permission is to store these relevant certificates in keystone.

Tip: we should pay attention to the permissions of the / etc/keystone/keystone.conf file

Start memcached and set to activate activation

[root@linux-node1] # systemctl start memcached.service [root@linux-node1] # systemctl enable memcached.service Created symlink from / etc/systemd/system/multi-user.target.wants/memcached.service to / usr/lib/systemd/system/memcached.service.

Check

We need to check if there is a port of 11211 memcached

View configuration fil

[root@linux-node1 ~] # cat / etc/sysconfig/memcachedPORT= "11211" # port number USER= "memcached" # user MAXCONN= "1024" # maximum number of connections CACHESIZE= "64" # size 64 megabit options = ""

Configure Http

Because we installed an api to connect to httpd at that time, to put it simply, we need to start keystone through apache.

Configure / etc/httpd/conf/httpd.conf file, configure ServerName option to control node, if we do not modify servername, then keystone will not be able to start

[root@linux-node1 ~] # vim / etc/httpd/conf/httpd.confServerName 192.168.56.11purl 80

Create a file / etc/httod/conf.d/wsgi-keystone.conf

[root@linux-node1 ~] # cat / etc/httpd/conf.d/wsgi-keystone.confListen 5000Listen 35357 WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=% {GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / / usr/bin/keystone-wsgi-public WSGIApplicationGroup% {GLOBAL} WSGIPassAuthorization On ErrorLogFormat "% {cu} t% M" ErrorLog / var/log/httpd/keystone-error.log CustomLog / var/log/httpd/keystone-access.log combined Require all Granted WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=% {GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / / usr/bin/keystone-wsgi-admin WSGIApplicationGroup% {GLOBAL} WSGIPassAuthorization On ErrorLogFormat "% {cu} t% M" ErrorLog / var/log/httpd/keystone-error.log CustomLog / var/log/httpd/keystone-access.log combined Require all granted

Start and set up boot

[root@linux-node1 ~] # systemctl enable httpd.service Created symlink from / etc/systemd/system/multi-user.target.wants/httpd.service to / usr/lib/systemd/system/httpd.service. [root@linux-node1 ~] # systemctl start httpd.service

Check

If it is not started, we need to check / var/log/keystone/keystone.log and need to open the debug log

Enable debug log as follows:

[root@linux-node1 ~] # vim / etc/keystone/keystone.conf#debug = true change false to true will be enabled

The troubleshooting scheme is as follows: if there is an exception in the service, first open debug and then restart the service to view the log

This is the keystone installation. We also need to set up keystone.

Because we need to connect to keystone, we need to create keystone users, and keystone needs to register for its own services.

There are two ways to connect to keystone:

One is to use keystone-os-username-os-password

The other is to use environment variables.

If we want to connect to keystone, we need three environment variables

1. Set the admin_token environment variable

The value after [root@linux-node1 ~] # export OS_TOKEN=1b0abfc7e9a314a0fd7fadmin_token is written in keystone.conf.

two。 Set the address to connect to the keystone (configure the endpoint URL)

[root@linux-node1 ~] # export OS_URL= http://192.168.56.11:35357/v3 sets keystone's admin (35357) port v3 with the third version

3. Configure certified API version

[root@linux-node1 ~] # export OS_IDENTITY_API_VERSION=3

Use the token of admin to set the environment variable:

The value of token defined in [root@linux-host1 ~] # export OS_TOKEN=1b0abfc7e9a314a0fd7f # keystone configuration file [root@linux-host1 ~] # export OS_URL= http://192.168.56.11:35357/v3 # keystone address, port and authentication version, 35357 is the admin port of keystone and 5000 is the public port [root@linux-host1 ~] # export OS_IDENTITY_API_VERSION=3 # configure the API version of the environment variable to create domains, projects, users and roles

Create a default domain

Tip: this field can only be created under environment variables, and the generated ID is random.

For administrative operations, create managed projects, users, and roles

Creating an admin project is equivalent to managing, and can manage all CVMs

Create an admin user

The password is set to admin.

Tip: please set the password consistent with me!

Create an admin role

A role is that there are multiple roles in a project, and we can only create roles that are set in the configuration file. Configure path / etc/keystone/policy.json

Add admin roles to admin projects and users

Add admin users to the admin project and authorize the role of admin, which is the collection of admin rights

[root@linux-node1] # openstack role add-- project admin-- user admin admin

Summary: the first three environment variables are used to connect to keystone, and the last one is to create domains, projects, users and roles, and to make an association between domains, projects, users and roles.

Create a demo project

The demo project is similar to registering an account on Aliyun. The basic process is the same as creating an admin.

Create a demo user

Create a role User

Authorization

[root@linux-node1 ~] # openstack role add-- project demo-- user demo user adds demo users to the demo project and grants the user role

Create a service project

If we need to access keystone between our services, then we need to do authentication to access keystone, and we need to create a user who belongs to a project. So we need to create a server project first, and then we need to create a separate user for each project.

Tip: we create the server project for service users. Now we need to create all the service users of the openstack component. The official openstack document is to create a user without operating a service. We directly create all the users here.

Create a glance user

Create a Nova user

Create neutron users and authorize

Create glance users and authorize

Warm reminder: if there is an error, you can use the following command to troubleshoot

User-related settings: openstack user-help

[root@linux-node1 ~] # openstack user-- helpCommand "user" matches: user create user delete user list user password set user set user show

Service related settings:

[root@linux-node1 ~] # openstack service-- helpCommand "service" matches: service create service delete service list service provider create service provider delete service provider list service provider set service provider show service set service showopenstack project list to see if there is a project openstack user list to see if there are users

The above is the user deployment of keystone

Another function of keystone is service registration. We need to register the service on it.

Service registration

Create a service

Create endpoint

Endpoint is translated as "endpoint". We can understand that it is an access point exposed by a service. If you need to access a service, you must know its endpoint. Each URL of Endpoint corresponds to the access address of a service instance and has public, orivate and admin permissions. Pubic url can be completely accessed globally, private url can only be accessed by local area network, and admin url is separated from regular access.

Create a public endpoint (public)

Create a private endpoint (internal)

Create admin

We need to change the port to 35357, because keystone is special and needs a separate port.

Check whether keystone is installed successfully

We need to delete the environment variable unset OS_TOKEN OS_URL before testing.

The account number is admin and the password is admin.

Use this user name and password to get a token. If you can get the description, it is normal. If you do not get the description, it fails.

Test demo users

The password we also set is demo.

Create script

Create admin and demo projects and users create client-side environment variable scripts for later convenience

[root@linux-node1 ~] # cat admin-openstack.shexport OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=adminexport OS_PASSWORD=adminexport OS_AUTH_URL= http://192.168.56.11:35357/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2

Test whether the script works

After the creation is completed, the next time we want to verify the token, we can directly use the command to execute

The environment for writing demo

[root@linux-node1 ~] # cat demo-openstack.shexport OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=demoexport OS_AUTH_URL= http://192.168.56.11:5000/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION= 2 [root @ linux-node1 ~] # source demo-openstack.sh [root@linux-node1 ~] # openstack token issue+-+- - -+ | Field | Value | | +-+- -+ | expires | 2016-11-17T07:54:19.996447Z | | id | gAAAAABYLVQc_H2-tIGst4GvEhpu03taLaXP9yE1Yru2foNEzvdW5zFErR_8nvyqkZ2-f8HoHSOpVcRvDPxbujk93uB4a0meYWRS6Ve5zYFZ7v74CbmMRkB-f7hThsTET1uazzKDXFP46gzBV3G135NT-xdjKp- | pQv58ZNm7BVHSXVtMIES289M | | | project_id | ff5398ee1b2e4d00bafd57f82dc150e6 | | user_ | Id | a78ec26501374df4a574bd3f8153d67f | +-+-- - -- +

In the future, we will execute the openstack command and directly execute this environment variable.

-the above is the configuration of keystone-

Warm reminder: please keep the same environment with me!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.