2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains how to add the authentication (Identity) service, keystone, to an OpenStack Juno deployment. The steps are described in detail; interested readers can use it as a reference, and I hope it is helpful.
Introduction to keystone
Keystone is mainly designed to implement the following key functions:
Track users and manage their permissions.
Provide a catalog of the available services and their API endpoints.
Basic concepts in keystone
User: the digital representation of a person, system, or service that uses OpenStack cloud services.
Credentials: data used to confirm the identity of a user.
Authentication: the process of confirming a user's identity.
Token: an alphanumeric string used to access OpenStack APIs and resources.
Tenant: a container used to group or isolate resources. Tenants also group or isolate identity objects. Depending on the service operator, a tenant may map to a customer, an account, an organization, or a project.
Service: an OpenStack service such as Compute (nova), Object Storage (swift), or Image Service (glance). A service provides one or more endpoints through which users access resources and perform operations.
Endpoint: a network-accessible address of a service, usually a URL.
Role: a defined set of user rights that authorizes the holder to perform a specific set of operations.
Keystone client: the command line interface to the OpenStack Identity API.
Installation and configuration
The keystone service is installed on the controller node.
Configure the database used by keystone
Connect to the database server as root (the password was set when the database was installed):
```
$ mysql -u root -p
```
At the database prompt, create the database that belongs to keystone:
```
CREATE DATABASE keystone;
```
Grant access to the keystone database to a user named keystone, both from localhost and from any host, with the password KEYSTONE_DBPASS:
```
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
```
Replace KEYSTONE_DBPASS with an appropriate password, then exit the database client.
Install and configure the components
1. Install the keystone package:
```
# apt-get install keystone python-keystoneclient
```
2. Edit the /etc/keystone/keystone.conf file:
```
# vi /etc/keystone/keystone.conf
```
In the [DEFAULT] section, define the initial administration token:
```
[DEFAULT]
...
admin_token = ADMIN_TOKEN
```
Replace ADMIN_TOKEN with a suitable random value, which can be generated with:
```
# openssl rand -hex 10
```
Still in the [DEFAULT] section, turn on verbose logging:
```
[DEFAULT]
...
verbose = True
```
In the [database] section, set the database access options:
```
[database]
...
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
Replace KEYSTONE_DBPASS with the password granted when the keystone database was created. The default SQLite connection line must be commented out or deleted.
In the [token] section, configure the UUID token provider and the SQL driver:
```
[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
```
In the [revoke] section, configure the SQL revocation driver:
```
[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
```
3. Sync the service database:
```
# keystone-manage db_sync
```
Finalize the installation
1. Restart the authentication service:
```
# service keystone restart
```
2. Ubuntu creates an SQLite database by default; delete it:
```
# rm -f /var/lib/keystone/keystone.db
```
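As an added check (example code written for this article, not from the guide or from the OpenStack project): a small POSIX shell audit that reads a keystone.conf and reports whether the settings described above are in place, using the section and key names from this section. The two sample configuration files it writes to a temporary directory, and the token and password values inside them, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a keystone.conf for the
# settings this section asks for. The two sample configs and every value in
# them are constructed for the demonstration.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION],
# ignoring commented-out lines (a commented SQLite connection does not count).
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {
            line = $0; gsub(/[ \t]/, "", line)
            in_sec = (line == "[" sec "]"); next
        }
        in_sec && $0 !~ /^[ \t]*[#;]/ {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# expect_key FILE SECTION KEY WANTED: report a problem if the value differs from WANTED.
expect_key() {
    got=$(conf_get "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "[$2] $3 = '${got:-<unset>}', expected '$4'"
    return 1
}

# audit_keystone_conf FILE: print one line per problem and return the problem
# count (0 means the file matches the configuration described in this section).
audit_keystone_conf() {
    f=$1; bad=0
    tok=$(conf_get "$f" DEFAULT admin_token)
    case "$tok" in
        ""|ADMIN_TOKEN) echo "[DEFAULT] admin_token is unset or still the ADMIN_TOKEN placeholder"; bad=$((bad + 1)) ;;
    esac
    conn=$(conf_get "$f" database connection)
    case "$conn" in
        mysql://*) ;;
        *) echo "[database] connection = '${conn:-<unset>}' is not the MySQL URL (default SQLite line left in place?)"; bad=$((bad + 1)) ;;
    esac
    case "$conn" in
        *:KEYSTONE_DBPASS@*) echo "[database] connection still carries the KEYSTONE_DBPASS placeholder"; bad=$((bad + 1)) ;;
    esac
    expect_key "$f" token provider keystone.token.providers.uuid.Provider || bad=$((bad + 1))
    expect_key "$f" token driver keystone.token.persistence.backends.sql.Token || bad=$((bad + 1))
    expect_key "$f" revoke driver keystone.contrib.revoke.backends.sql.Revoke || bad=$((bad + 1))
    return "$bad"
}

# Two constructed samples: one left unfinished, one configured as this section describes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
[DEFAULT]
admin_token = ADMIN_TOKEN
verbose = True

[database]
connection = sqlite:////var/lib/keystone/keystone.db

[token]
provider = keystone.token.providers.pki.Provider
EOF
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[DEFAULT]
admin_token = 9f0c2e5d1b7a3c4e8d6f
verbose = True

[database]
# connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone:s3cretDbPass@controller/keystone

[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
EOF

for f in "$SAMPLE_DIR/weak.conf" "$SAMPLE_DIR/good.conf"; do
    audit_keystone_conf "$f" && echo "$f: OK" || echo "$f: $? problem(s)"
done
```

Run it against the real file with `audit_keystone_conf /etc/keystone/keystone.conf` before restarting the service; a leftover placeholder admin_token or an SQLite connection string are the two mistakes the audit is most likely to catch on a fresh install.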
By default, the authentication service stores expired tokens indefinitely, which steadily increases the database footprint and degrades the performance of the service. Expired tokens can be cleared periodically with an hourly cron job:
```
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
>> /var/spool/cron/crontabs/keystone
```
Create tenants, users and roles
Configure the required environment variables
Before the keystone command can be used, a temporary administration token (the ADMIN_TOKEN set in /etc/keystone/keystone.conf) and the address (endpoint) of the authentication service must be configured manually. Write the administration token to the environment variable:
```
$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
```
Write the endpoint to the environment variable:
```
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
```
Create the tenants, users and roles
1. Create the administrative tenant, user and role. Create the admin tenant:
```
$ keystone tenant-create --name admin --description "Admin Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | e8cda8def37b4d32b765759f1faa5ed2 |
|     name    |              admin               |
+-------------+----------------------------------+
```
Create the admin user:
```
$ keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |        admin@example.com         |
| enabled  |               True               |
|    id    | 13b460ca8d9e4aa094e8f4f4fff6f087 |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+
```
Replace ADMIN_PASS with an appropriate password.
Create the admin role:
```
$ keystone role-create --name admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 2bf07853b40b420eb9e9e2aa23ff3e9e |
|   name   |              admin               |
+----------+----------------------------------+
```
Assign the admin role to the admin tenant and admin user. This command produces no output:
```
$ keystone user-role-add --user admin --tenant admin --role admin
```
2. Create a demo tenant and demo user for ordinary (non-administrative) operations. Create the demo tenant:
```
$ keystone tenant-create --name demo --description "Demo Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Demo Tenant            |
|   enabled   |               True               |
|      id     | ef5783a270d84bb880a2c6fb85eac651 |
|     name    |               demo               |
+-------------+----------------------------------+
```
Create the demo user belonging to the demo tenant:
```
$ keystone user-create --name demo --tenant demo --pass DEMO_PASS --email EMAIL_ADDRESS
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |         demo@example.com         |
| enabled  |               True               |
|    id    | 2a6e8190e26c4f27ba98171235a8b219 |
|   name   |               demo               |
| tenantId | ef5783a270d84bb880a2c6fb85eac651 |
| username |               demo               |
+----------+----------------------------------+
```
Replace DEMO_PASS with an appropriate password.
Service tenant for the OpenStack services
OpenStack services also need tenants, users and roles in order to interact with other services. Each service needs one or more dedicated users that are assigned the admin role and belong to the service tenant.
Create the service tenant:
```
$ keystone tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | e4288b01bc084a29ad6133f882a58732 |
|     name    |             service              |
+-------------+----------------------------------+
```
Create service entities and API endpoints
Configure the required environment variables as described in the previous step.
Create the service entity and API endpoint
1. Create the service entity. The authentication service registers every service in the OpenStack environment in a catalog, through which all services locate the other services in the environment. Create a service entity for the authentication service:
```
$ keystone service-create --name keystone --type identity \
  --description "OpenStack Identity"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|   enabled   |               True               |
|      id     | d7bbd538857b4caa9f7f9730a74b98ca |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
```
2. Create the service API endpoint. The authentication service registers the API endpoint of every service in the OpenStack environment in a catalog that is used for communication between services. Create an API endpoint for the authentication service:
```
$ keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region regionOne
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://controller:35357/v2.0   |
|      id     | 32fb8b8934024c30bd1f0b7795a51220 |
| internalurl |   http://controller:5000/v2.0    |
|  publicurl  |   http://controller:5000/v2.0    |
|    region   |            regionOne             |
|  service_id | d7bbd538857b4caa9f7f9730a74b98ca |
+-------------+----------------------------------+
```
Verify the operation
1. Unset the temporary environment variables:
```
$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
```
2. As the admin tenant and user, request an authentication token:
```
$ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
  --os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2015-11-24T12:37:45Z       |
|     id    | 1d5ebdf4e60a4f648240a20a65cbf96e |
| tenant_id | 4f7806287c9a437e9cd912504ff71727 |
|  user_id  | fd151acb7cc34bba8d4d9cf391ad0d06 |
+-----------+----------------------------------+
```
ADMIN_PASS is the admin user password set previously.
3. As the admin tenant and user, list the tenants:
```
$ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
  --os-auth-url http://controller:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 4f7806287c9a437e9cd912504ff71727 |  admin  |   True  |
| d1f7caccc65840b68258997a759da07f |   demo  |   True  |
| 5ab4d5c513f543cfbf8e3be97f5df5fb | service |   True  |
+----------------------------------+---------+---------+
```
ADMIN_PASS is the admin user password set previously.
4. As the admin tenant and user, list the users:
```
$ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
  --os-auth-url http://controller:35357/v2.0 user-list
+----------------------------------+-------+---------+-------------------+
|                id                |  name | enabled |       email       |
+----------------------------------+-------+---------+-------------------+
| fd151acb7cc34bba8d4d9cf391ad0d06 | admin |   True  | admin@example.com |
| 812116bcca5b4a01981669fcef09ee11 |  demo |   True  |  demo@example.com |
+----------------------------------+-------+---------+-------------------+
```
ADMIN_PASS is the admin user password set previously.
5. As the admin tenant and user, list the roles:
```
$ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
  --os-auth-url http://controller:35357/v2.0 role-list
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 61286483662e40ba8f0a48b05fc8a451 |  admin   |
+----------------------------------+----------+
```
ADMIN_PASS is the admin user password set previously. The _member_ role comes from creating the demo user with the --tenant option: "Using the --tenant option automatically assigns the _member_ role to a user. This option will also create the _member_ role if it does not exist." (The command used was keystone user-create --name demo --tenant demo --pass DEMO_PASS --email EMAIL_ADDRESS.)
6. As the demo tenant and user, request an authentication token:
```
$ keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \
  --os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2015-11-24T13:06:04Z       |
|     id    | 9eca8d1dff374c2da6f358e85f0b60af |
| tenant_id | d1f7caccc65840b68258997a759da07f |
|  user_id  | 812116bcca5b4a01981669fcef09ee11 |
+-----------+----------------------------------+
```
DEMO_PASS is the demo user password set previously.
7. As the demo tenant and user, verify that a command reserved for admin cannot be executed:
```
$ keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \
  --os-auth-url http://controller:35357/v2.0 user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
```
Create OpenStack client environment scripts
Create the scripts
1. Create the file admin-openrc.sh with the following content:
```
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v2.0
```
ADMIN_PASS is the admin user password configured previously.
2. Create the file demo-openrc.sh with the following content:
```
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v2.0
```
DEMO_PASS is the demo user password set previously.
Note: port 35357 is for operations with administrative permissions, and port 5000 is for ordinary user operations.
Load the client environment script
Run $ source admin-openrc.sh or $ source demo-openrc.sh depending on the tenant and user you want to act as.
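Because these rc files carry OS_PASSWORD in clear text and the two ports above serve different privilege levels, it is worth generating and checking them with a script rather than by hand. The following is an added example written for this article (not code from the guide or from OpenStack): it writes admin-openrc.sh and demo-openrc.sh with owner-only permissions into a temporary directory and checks that each file points its user at the right port (35357 for admin, 5000 for ordinary users). The passwords and the output directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original guide): write the client environment
# scripts from this section with mode 0600 and check them for the mistakes this
# section warns about. Passwords and paths below are constructed.

# write_openrc FILE TENANT USER PASSWORD AUTH_URL
write_openrc() {
    rm -f "$1"
    (
        umask 077          # new file is created 0600; the umask change stays in this subshell
        cat > "$1" <<EOF
export OS_TENANT_NAME=$2
export OS_USERNAME=$3
export OS_PASSWORD=$4
export OS_AUTH_URL=$5
EOF
    )
}

# rc_var FILE NAME: source FILE in a subshell and print the value it exports for NAME
rc_var() {
    ( . "$1"; eval "printf '%s' \"\$$2\"" )
}

# check_openrc FILE: print one line per problem and return the problem count (0 = OK)
check_openrc() {
    f=$1; bad=0
    # owner-only mode, because the file holds a clear-text password
    [ -n "$(find "$f" -perm 600 -print 2>/dev/null)" ] \
        || { echo "$f: mode is not 0600"; bad=$((bad + 1)); }
    user=$(rc_var "$f" OS_USERNAME)
    pass=$(rc_var "$f" OS_PASSWORD)
    url=$(rc_var "$f" OS_AUTH_URL)
    case "$pass" in
        ""|ADMIN_PASS|DEMO_PASS) echo "$f: OS_PASSWORD is unset or still a placeholder"; bad=$((bad + 1)) ;;
    esac
    # the admin user uses the admin API port 35357; ordinary users use the public port 5000
    case "$user" in
        admin) want=35357 ;;
        *)     want=5000 ;;
    esac
    case "$url" in
        *:"$want"/*) ;;
        *) echo "$f: OS_AUTH_URL '$url' does not use port $want for user '$user'"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

OUT_DIR=$(mktemp -d)
write_openrc "$OUT_DIR/admin-openrc.sh" admin admin 'Str0ngAdminPw' http://controller:35357/v2.0
write_openrc "$OUT_DIR/demo-openrc.sh"  demo  demo  'Str0ngDemoPw'  http://controller:5000/v2.0
for f in "$OUT_DIR/admin-openrc.sh" "$OUT_DIR/demo-openrc.sh"; do
    check_openrc "$f" && echo "$f: OK" || echo "$f: $? problem(s)"
done
```

A file that fails the check is one you should not `source`: a demo script pointed at port 35357 still fails with HTTP 403 on admin-only calls, as step 7 above shows, but a world-readable admin script hands the admin password to every local account.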
Problems during installation and their solutions
After installing keystone, creating the "Admin Tenant" failed with the error "Unable to establish connection to http://controller:35357/v2.0/tenants". The likely cause was that keystone had not been installed completely; reinstalling and updating it resolved the problem. An HTTP 401 during the authentication step is usually caused by a configuration error such as a wrong password, which restricts access; re-check the configuration files and the passwords of the individual users.
This concludes how to add the authentication service to an OpenStack Juno deployment. I hope the above is of some help; if you found the article useful, share it so more people can see it.