OpenStack stein installation (2) keystone

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

The OpenStack Identity service (keystone) provides a single point of integration for managing authentication, authorization, and the service catalog. It is usually the first service a user interacts with. Once a user is authenticated, the other OpenStack services use the Identity service to verify who the user is and to discover the location of the other services in the deployment. The Identity service can also integrate with external user management systems such as LDAP.

Users and services managed by the Identity service locate other services through the service catalog. As the name implies, the service catalog is a collection of the services available in an OpenStack deployment. Each service can have one or more endpoints, and each endpoint is one of three types: admin, internal, or public. In a production environment, the different endpoint types may be placed on separate networks that are exposed to different kinds of users for security reasons. For example, the public API network may be visible on the Internet so that customers can manage their clouds; the admin API network may be restricted to the operators within the organization that manages the cloud infrastructure; and the internal API network may be restricted to the hosts that run OpenStack services.

The Identity service also supports multiple regions for scalability. For simplicity, this column uses the management network for all endpoint types and the default region, RegionOne. The regions, services, and endpoints created in the Identity service make up the service catalog of the deployment. Each OpenStack service in the deployment needs a service entry and corresponding endpoints stored in the Identity service. This can be done after the Identity service has been installed and configured.

The Identity service consists of the following components:

Server
    A centralized server that provides authentication and authorization services through a RESTful interface.

Drivers
    Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, a SQL database or an LDAP server).

Modules
    Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user credentials, and send them to the central server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).

Prerequisites

Connect to the database with the local mysql client (or any MySQL client). Passing the password on the command line leaves it in the shell history; use -p alone to be prompted for it instead.

    $ mysql -u root -proot123

Create the keystone database:

    MariaDB [(none)]> CREATE DATABASE keystone;

Grant the corresponding privileges on the keystone database. Passwords in this column follow a fixed pattern: the user name followed by 123.

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';

Install and configure the components

Install the packages:

    # yum install openstack-keystone httpd mod_wsgi

Edit the file /etc/keystone/keystone.conf. In the [database] section, configure database access:

    # vi /etc/keystone/keystone.conf
    [database]
    # ...
    connection = mysql+pymysql://keystone:keystone123@dbs.flex.net/keystone

In the [token] section, configure the Fernet token provider:

    [token]
    # ...
    provider = fernet

Populate the Identity service database:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet key repositories:

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service:

    # keystone-manage bootstrap --bootstrap-password admin123 \
      --bootstrap-admin-url http://stack.flex.net:5000/v3/ \
      --bootstrap-internal-url http://stack.flex.net:5000/v3/ \
      --bootstrap-public-url http://stack.flex.net:5000/v3/ \
      --bootstrap-region-id RegionOne

If this step goes wrong, for example because the domain name or port was written incorrectly, the domains, projects, users and roles below cannot be created. Running the bootstrap again does not fix it, because it does not overwrite the endpoint configuration that is already stored. The solution is as follows:

○ Delete the endpoint rows in MySQL and reconfigure:

    MariaDB [keystone]> select * from endpoint;
    +---------------+--------------------+-----------+------------+--------------------------------+-------+---------+-----------+
    | id            | legacy_endpoint_id | interface | service_id | url                            | extra | enabled | region_id |
    +---------------+--------------------+-----------+------------+--------------------------------+-------+---------+-----------+
    | 0b6dd3a784... | NULL               | internal  | ad298...   | http://192.168.137.5:35357/v3/ | {}    |       1 | RegionOne |
    | 4f7fdb8fc6... | NULL               | public    | ad298...   | http://192.168.137.5:5000/v3/  | {}    |       1 | RegionOne |
    | 8451f154c7... | NULL               | admin     | ad298...   | http://192.168.137.5:35357/v3/ | {}    |       1 | RegionOne |
    +---------------+--------------------+-----------+------------+--------------------------------+-------+---------+-----------+
    3 rows in set (0.15 sec)

    MariaDB [keystone]> delete from endpoint where url like '%192.168.137.5%';  # mismatched url or host
    Query OK, 3 rows affected (0.02 sec)

    MariaDB [keystone]> commit;

○ After this is done, repeat the bootstrap step above.

Configure the Apache HTTP server

Edit the file /etc/httpd/conf/httpd.conf and set ServerName to the name of the controller node:

    ServerName controller1

Create a soft link under /etc/httpd/conf.d that points to /usr/share/keystone/wsgi-keystone.conf:

    # ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Finalize the installation

Enable the Apache service to start automatically when the system boots, and start it:

    # systemctl enable httpd.service
    # systemctl start httpd.service

Configure the administrative account admin. You can write the variables into a file and source it as a script. Since the file holds the admin password in clear text, keep it readable only by the operator account (for example, chmod 600 admin-openrc).

    # cat admin-openrc
    export OS_USERNAME=admin
    export OS_PASSWORD=admin123
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://stack.flex.net:5000/v3
    export OS_IDENTITY_API_VERSION=3
    # source admin-openrc

Create a domain, projects, users, and roles

The Identity service provides authentication and authorization for each OpenStack service, using a combination of domains, projects, users, and roles.

Although a "default" domain already exists (it was created in the keystone-manage bootstrap step), let's create a new domain named example:

    # openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | f2a3ddcdc32c411ba5d9e480c25ce8b9 |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+

If the configuration is wrong or the name is misspelled, how do you change it? The method is as follows:

○ First disable the misspelled domain:

    # openstack domain set --disable exampl

○ Then delete the wrong domain:

    # openstack domain delete exampl

Create a project. This column uses a service project that contains a unique user for each service:

    # openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 3e33e6c8e1d14b7b9bbf64edcafb1023 |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

Regular (non-administrator) tasks should use an unprivileged project and user. In this column, we create the myproject project and the myuser user.

○ Create the myproject project:

    # openstack project create --domain default --description "Demo Project" myproject
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | c9fc9f23c899402aa10eaabf0c71fff5 |
    | is_domain   | False                            |
    | name        | myproject                        |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

Note: do not repeat this step when creating additional users for this project.

○ Create the myuser user:

    # openstack user create --domain default --password-prompt myuser
    User Password: myuser123
    Repeat User Password: myuser123
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 81949d6833a04e61b79fe3a8a49cd5a5 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

○ Create the myrole role:

    # openstack role create myrole
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | b49d96c43eaa43cfa9519614f0b84942 |
    | name        | myrole                           |
    +-------------+----------------------------------+

○ Add the myrole role to the myproject project and the myuser user:

    # openstack role add --project myproject --user myuser myrole

Note: you can repeat the above steps to create more projects and users.

Verify operation

Verify that the Identity service works properly before installing the other services. Run the following commands on the controller node.

Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:

    $ unset OS_AUTH_URL OS_PASSWORD

As the admin user, request an authentication token:

    # openstack --os-auth-url http://stack.flex.net:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name admin --os-username admin token issue
    Password: admin123
    +------------+--------------------------------------------------------------+
    | Field      | Value                                                        |
    +------------+--------------------------------------------------------------+
    | expires    | 2019-08-22T05:32:10+0000                                     |
    | id         | gAAAAABdXhrKNMqos25-DjAmaD5yu1dy_-PPtmch7YOgObHg25d2V0pEO... |
    | project_id | 67139b2bd6c64e1c88136955dbef56a0                             |
    | user_id    | 681e9f941cb249e4a5058414057c7866                             |
    +------------+--------------------------------------------------------------+

As the myuser user, request an authentication token:

    # openstack --os-auth-url http://stack.flex.net:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name myproject --os-username myuser token issue
    Password: myuser123
    +------------+--------------------------------------------------------------+
    | Field      | Value                                                        |
    +------------+--------------------------------------------------------------+
    | expires    | 2019-08-22T05:34:30+0000                                     |
    | id         | gAAAAABdXhtWYuSN8TlpDjFkNFtr_eElchimIc2YUHBWmImjX5ZpZm3...   |
    | project_id | c9fc9f23c899402aa10eaabf0c71fff5                             |
    | user_id    | 81949d6833a04e61b79fe3a8a49cd5a5                             |
    +------------+--------------------------------------------------------------+

Create OpenStack client environment scripts
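As an added example (not code from the original column), a small Python script that ties the checks above together: it builds the v3 password-authentication request that the --os-* options of 'openstack token issue' translate into, scans a service catalog for endpoints whose host or port differ from what was passed to keystone-manage bootstrap (the mistake that required deleting endpoint rows above), and does a structural check of a Fernet token id. The catalog is a constructed sample; no live keystone is contacted.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample in the shape of a keystone v3 catalog, carrying the
# mismatched internal/admin endpoints seen in the endpoint table above.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "internal", "region_id": "RegionOne",
         "url": "http://192.168.137.5:35357/v3/"},
        {"interface": "public", "region_id": "RegionOne",
         "url": "http://stack.flex.net:5000/v3/"},
        {"interface": "admin", "region_id": "RegionOne",
         "url": "http://192.168.137.5:35357/v3/"},
    ]},
]


def build_password_auth(username, password, user_domain, project, project_domain):
    """Body of POST /v3/auth/tokens equivalent to the --os-* options used with
    'openstack token issue': a project-scoped password authentication."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "password": password,
            "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


def find_mismatched_endpoints(catalog, expected_host, expected_port):
    """Return (service type, interface, url) for every endpoint whose host or
    port differs from the URLs given to keystone-manage bootstrap."""
    bad = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            parts = urlsplit(ep["url"])
            if parts.hostname != expected_host or parts.port != expected_port:
                bad.append((service["type"], ep["interface"], ep["url"]))
    return bad


def looks_like_fernet_token(token_id):
    """Structural check of a token id from 'openstack token issue': a Fernet
    token is URL-safe base64 (keystone strips the '=' padding) of
    0x80 | 8-byte timestamp | 16-byte IV | ciphertext (n*16) | 32-byte HMAC."""
    padded = token_id + "=" * (-len(token_id) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 73 and raw[0] == 0x80 and (len(raw) - 57) % 16 == 0
```

The token ids printed by the column are truncated with "...", so only a complete id (as returned by the API) passes the structural check.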

Create a script

Create client environment scripts for the admin and demo projects and users. Later parts of this guide reference these scripts to load the appropriate credentials for client operations.

1. Create and edit the file admin-openrc and add the following:

    # cat admin-openrc
    export OS_USERNAME=admin
    export OS_PASSWORD=admin123
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://stack.flex.net:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

2. Create and edit the file demo-openrc and add the following:

    # cat demo-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=myproject
    export OS_USERNAME=myuser
    export OS_PASSWORD=myuser123
    export OS_AUTH_URL=http://stack.flex.net:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

Using the scripts

To run clients as a specific project and user, you just need to load the relevant client environment script before running them. For example:

1. Load the admin-openrc file to populate the environment variables with the location of the Identity service and the credentials of the admin project and user:

    $ . admin-openrc

2. Request an authentication token:

    $ openstack token issue
    +------------+----------------------------------------------------------------------------------+
    | Field      | Value                                                                            |
    +------------+----------------------------------------------------------------------------------+
    | expires    | 2019-08-22T05:41:10+0000                                                         |
    | id         | gAAAAABdXhzmr94abDAnVgAtAlHIOqK_1OTs2nckP98hTfWLCSdliXvE13OGERiAlPy2SbATpj-39... |
    | project_id | 67139b2bd6c64e1c88136955dbef56a0                                                 |
    | user_id    | 681e9f941cb249e4a5058414057c7866                                                 |
    +------------+----------------------------------------------------------------------------------+
