How to install Identity service in openstack-mitaka

2025-03-26 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article explains how to install the Identity service in openstack-mitaka. The editor considers it very practical, so it is shared here as a reference; follow along with the editor.

Identity service installation

Overview of the Identity service

OpenStack's Identity service provides a single point of integration for managing authentication, authorization, and the service catalog. Other OpenStack services use the Identity service as a common unified API. In addition, services that provide information about users but are not part of OpenStack (such as an LDAP service) can be integrated into a pre-existing infrastructure.

To benefit from the Identity service, other OpenStack services need to cooperate with it. When an OpenStack service receives a request from a user, it uses the Identity service to check whether that user is authorized to make the request.

The Identity service includes the following components:

Server

A centralized server provides authentication and authorization services using a RESTful interface.

Drivers

Drivers, or a service back end, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, and may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).

Modules

Middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface.

When installing the OpenStack Identity service, you must register each service in your OpenStack installation. The Identity service can then track which OpenStack services are installed and locate them on the network.

Installation and configuration

This section describes how to install and configure the OpenStack Identity service (code name keystone) on the controller node. For performance reasons, this configuration uses Fernet tokens and the Apache HTTP server to handle requests.

Prerequisites

Before you configure the OpenStack Identity service, you must create a database and an administration token.

1. To create the database, complete the following steps

Log in to the database as the root account

mysql -u root -p

- Create the keystone database

CREATE DATABASE keystone;

- Grant proper access to the keystone database

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';

Replace KEYSTONE_DBPASS with a suitable password

- Exit the database client

2. Generate a random value to use as the administration token during initial configuration

openssl rand -hex 10

Install and configure the components

1. Run the following command to install the packages

yum install openstack-keystone httpd mod_wsgi

2. Edit the /etc/keystone/keystone.conf file and complete the following steps

- In the [DEFAULT] section, define the administration token

[DEFAULT]
...
admin_token = ADMIN_TOKEN

Replace ADMIN_TOKEN with the random value generated earlier

- In the [database] section, configure the database connection

[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

Replace KEYSTONE_DBPASS with the password you chose for the database (the database password must not contain special characters)

- In the [token] section, configure the Fernet token provider

[token]
...
provider = fernet
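A small checker for the three keystone.conf settings edited above, added here as an example and not part of the original guide or of keystone itself. It parses a constructed keystone.conf fragment and reports placeholders left in place, a database password with characters the connection URL cannot carry (the caveat above), and a token provider other than fernet.

```python
import configparser
import re
from urllib.parse import urlsplit

# keystone.conf fragment constructed for this example; the placeholder values
# are the ones the guide tells you to replace.
SAMPLE_CONF = """
[DEFAULT]
admin_token = 4a1f5c9e2b7d3e6f0a1b

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = fernet
"""

PLACEHOLDERS = {"ADMIN_TOKEN", "KEYSTONE_DBPASS"}


def check_keystone_conf(text):
    """Return findings for the three settings this guide edits; an empty list means all passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # [DEFAULT] admin_token: must be set and look like 'openssl rand -hex 10' output
    token = cp.get("DEFAULT", "admin_token", fallback="")
    if not token or token in PLACEHOLDERS:
        findings.append("admin_token is missing or still the ADMIN_TOKEN placeholder")
    elif not re.fullmatch(r"[0-9a-f]{20}", token):
        findings.append("admin_token is not 20 hex digits as produced by 'openssl rand -hex 10'")

    # [database] connection: parse the URL the way a client would, then inspect the password
    conn = urlsplit(cp.get("database", "connection", fallback=""))
    if conn.scheme != "mysql+pymysql" or not conn.username or not conn.hostname or conn.path in ("", "/"):
        findings.append("database connection is not of the form mysql+pymysql://user:pass@host/db")
    elif not conn.password or conn.password in PLACEHOLDERS:
        findings.append("database password is missing or still the KEYSTONE_DBPASS placeholder")
    elif not re.fullmatch(r"[A-Za-z0-9_-]+", conn.password):
        findings.append("database password contains special characters, which the connection URL cannot carry")

    # [token] provider: the guide configures fernet
    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append("[token] provider is not fernet")
    return findings
```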

3. Populate the Identity service database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Note: ignore any deprecation messages in this output.

4. Initialize the Fernet keys

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Configure the Apache HTTP server

1. Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node

ServerName controller

2. Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Complete the installation

Start the Apache HTTP service and configure it to start at boot

systemctl enable httpd.service
systemctl start httpd.service

Create the service entity and API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to the OpenStack environment requires a service entity and several API endpoints in the catalog.

Prerequisites

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use the temporary authentication token you created earlier to initialize the service entity and API endpoints.

You must pass the authentication token to the openstack command either with the --os-token parameter or by setting the OS_TOKEN environment variable. Similarly, you must pass the Identity service URL either with the --os-url parameter or by setting the OS_URL environment variable. The following steps set the environment variables.

Warning: for security reasons, do not use the temporary authentication token for longer than necessary to initialize the Identity service.

1. Configure the authentication token

export OS_TOKEN=ADMIN_TOKEN

Replace ADMIN_TOKEN with the random value generated earlier

2. Configure the endpoint URL

export OS_URL=http://controller:35357/v3

3. Configure the Identity API version

export OS_IDENTITY_API_VERSION=3

Create the service entity and API endpoints

1. The Identity service manages a catalog of services in the OpenStack environment. Services use the catalog to locate the other services available in the environment.

Run the following command to create the service entity

openstack service create --name keystone --description "OpenStack Identity" identity

2. The Identity service also manages a catalog of the API endpoints associated with the services in the OpenStack environment. Services use this catalog to determine how to communicate with the other services in the environment.

OpenStack provides three API endpoint variants for each service: admin, internal, and public. By default, the admin API endpoint can modify users and tenants, while the public and internal APIs do not allow these operations. In a production environment, the variants may reside on separate networks that serve different types of users for security reasons. For example, the public API network might be reachable from the Internet so that customers can manage their clouds. The admin API network might be restricted to operators within the organization that manages the cloud infrastructure. The internal API network might be restricted to the hosts that run OpenStack services. In addition, OpenStack supports multiple regions for scalability. For simplicity, this tutorial uses the management network for all endpoint variants and the default RegionOne region.

Create the API endpoints for the Identity service

openstack endpoint create --region RegionOne identity public http://controller:5000/v3

openstack endpoint create --region RegionOne identity internal http://controller:5000/v3

openstack endpoint create --region RegionOne identity admin http://controller:35357/v3

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles.

1. Create the default domain

openstack domain create --description "Default Domain" default

2. Create an administrative project, user, and role for administrative operations in your environment

- Create the admin project

openstack project create --domain default --description "Admin Project" admin

- Create the admin user

openstack user create --domain default --password-prompt admin

- Create the admin role

openstack role create admin

- Add the admin role to the admin project and user

openstack role add --project admin --user admin admin

3. This guide uses a service project that contains a unique user for each service that you add to your environment.

Create the service project

openstack project create --domain default --description "Service Project" service

4. Regular (non-administrative) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

- Create the demo project

openstack project create --domain default --description "Demo Project" demo

Note: do not repeat this step when creating additional users for this project.

- Create the demo user

openstack user create --domain default --password-prompt demo

- Create the user role

openstack role create user

- Add the user role to the demo project and user

openstack role add --project demo --user demo user

Verify operation

Verify that the Identity service is working correctly before you install the other services.

Perform the following operations on the controller node

1. For security reasons, disable the temporary authentication token mechanism:

Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections

2. Unset the temporary OS_TOKEN and OS_URL environment variables

unset OS_TOKEN OS_URL

3. As the admin user, request an authentication token

openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue

4. As the demo user, request an authentication token

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
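The keystone-paste.ini edit in step 1 above, worked as an added example that is not part of the original guide or of keystone: one function strips admin_token_auth from the pipeline line of the three named sections while leaving comments and ordering untouched, and a second reports which of those sections still carry the filter, which is the check to run before relying on step 1. The file fragment is constructed and abbreviated; a real keystone-paste.ini contains more sections and filters.

```python
import re

# The three pipeline sections this guide tells you to edit.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PIPELINE_KEY_RE = re.compile(r"^\s*pipeline\s*=")

# Abbreviated keystone-paste.ini fragment constructed for this example.
SAMPLE_PASTE_INI = """[pipeline:public_api]
# The last item in this pipeline must be public_service; it cannot be a filter.
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""


def remove_admin_token_auth(text, sections=PIPELINES):
    """Return the file text with admin_token_auth dropped from the pipeline line of each listed section.
    Works line by line so comments, blank lines and ordering survive, unlike a configparser round trip."""
    out = []
    current = None
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current in sections and PIPELINE_KEY_RE.match(line):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != "admin_token_auth"]
            line = f"{key.rstrip()} = {' '.join(filters)}\n"
        out.append(line)
    return "".join(out)


def sections_still_using_admin_token(text, sections=PIPELINES):
    """Return the names of listed sections whose pipeline line still contains admin_token_auth."""
    found = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current in sections and PIPELINE_KEY_RE.match(line):
            if "admin_token_auth" in line.partition("=")[2].split():
                found.append(current)
    return found
```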

Create OpenStack client environment script

The previous section uses a combination of environment variables and command-line options to interact with the Identity service through the OpenStack client. To improve operational efficiency, OpenStack supports simple client environment scripts such as openrc files. These scripts usually contain common options for all clients, but also support unique options. For more information, see OpenStack End User Guide.

Create the scripts

Create client environment scripts for the admin and demo projects and users

1. Edit the admin-openrc file and add the following

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Replace ADMIN_PASS with the password you chose for the admin user

2. Edit the demo-openrc file and add the following

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Replace DEMO_PASS with the password you chose for the demo user

Use the scripts

To run clients as a specific project and user, simply load the associated client environment script before running them. For example:

1. Load the admin-openrc file

. admin-openrc

2. Request an authentication token

openstack token issue
