2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces the Keystone architecture of OpenStack cloud computing. Many readers run into these situations in real operations, so the following walks through how to deal with them.
Keystone architecture
Keystone API
Like the APIs of the other OpenStack services, the Keystone API is implemented as a RESTful HTTP API.
The Keystone API is divided into an Admin API and a Public API:
The Public API covers obtaining the version and the corresponding extension information, as well as obtaining a Token and the tenant information for a Token.
The Admin API is mainly used by service developers; besides everything the Public API does, it manages Users, Tenants, Roles and Service Endpoints.
Router
The Keystone Router maps and converts between the upper-layer API and the underlying services; there are four Router types.
(1) AdminRouter maps Admin API requests to the corresponding operations and forwards them to the underlying services for execution.
(2) PublicRouter does the same for the Public API.
(3) PublicVersionRouter maps the version-discovery requests of the API.
(4) AdminVersionRouter is the admin counterpart of PublicVersionRouter.
Services
A Keystone Service receives operation requests from the different Routers in the upper layer and carries them out through its back-end driver; there are mainly four types.
(1) Identity Service
The Identity Service provides authentication and authorization data about users and user groups.
Keystone 10.0.0 supports two back-end drivers, ldap.core.Identity and Sql.Identity; the system default is Sql.Identity.
Users:
A user is the concept of an individual API consumer and identifies a user in OpenStack.
A user must belong to a specific domain.
User names are not globally unique; they are unique only within a domain.
Groups:
A user group is a container holding a set of users; a group must belong to a specific domain.
Group names are not globally unique; they are unique only within a domain.
(2) Resource Service
The Resource Service provides data about projects and domains.
Projects
A project (called a Tenant in v2.0) represents a grouping of resources in OpenStack.
A project must belong to a specific domain.
Project names are not globally unique; a project name is unique only within a domain.
A new project created without specifying a domain is added to the default domain, named default.
Domains
A domain is a higher-level container holding any number of projects, users and groups.
The default domain is called Default.
The concept of uniqueness in the v3 version
Domain names are globally unique across all domains.
Role names are globally unique across all domains.
User names are unique only within their own domain.
Project names are unique only within their own domain.
Group names are unique only within their own domain.
Based on these container structures, domains represent the way OpenStack resources are managed. As long as an assignment (project-user-role) grants the permission, a user in one domain can access resources in another domain.
(3) Assignment Service
The Assignment Service provides role and role-assignment data.
Roles
A role identifies the level of permissions a user can obtain.
A role can be granted at the domain or project level.
A role can be assigned to a single user or to a group.
Role names are globally unique.
Role Assignments
A role assignment is a 3-tuple of a Role, a Resource and an Identity.
"Resource" means a project.
"Identity" means a user.
Role means the role, so the tuple is project-user-role.
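The v3 naming scopes and the project-user-role assignment tuple described above, as an added example that is not code from the article or from Keystone itself; the class, method and sample names (Default, engineering, alice, demo) are constructed for illustration:

```python
# Added example (not from the article or Keystone's own code): a model of the
# v3 naming scopes and of role assignments as (role, project, user) 3-tuples.
class IdentityModel:
    def __init__(self):
        self.globals_ = {"domain": set(), "role": set()}   # globally unique names
        self.scoped = set()        # (kind, domain, name): unique only per domain
        self.assignments = set()   # (role, (project_domain, project), (user_domain, user))

    def create_global(self, kind, name):
        if name in self.globals_[kind]:
            raise ValueError("%s name already exists: %s" % (kind, name))
        self.globals_[kind].add(name)

    def create_scoped(self, kind, domain, name):
        if domain not in self.globals_["domain"]:
            raise ValueError("unknown domain: %s" % domain)
        if (kind, domain, name) in self.scoped:
            raise ValueError("%s %s already exists in domain %s" % (kind, name, domain))
        self.scoped.add((kind, domain, name))

    def assign(self, role, project, user):
        """project and user are (domain, name) pairs; the two domains may differ."""
        if role not in self.globals_["role"]:
            raise ValueError("unknown role: %s" % role)
        for kind, ref in (("project", project), ("user", user)):
            if (kind,) + tuple(ref) not in self.scoped:
                raise ValueError("unknown %s: %s" % (kind, ref))
        self.assignments.add((role, tuple(project), tuple(user)))

    def has_role(self, role, project, user):
        """Authorization consults only the assignment tuple, not the domains."""
        return (role, tuple(project), tuple(user)) in self.assignments


def demo():
    """Constructed scenario: a user in one domain is granted a role on another domain's project."""
    m = IdentityModel()
    m.create_global("domain", "Default")
    m.create_global("domain", "engineering")
    m.create_global("role", "admin")
    m.create_scoped("user", "Default", "alice")
    m.create_scoped("user", "engineering", "alice")  # same name in another domain: allowed
    m.create_scoped("project", "Default", "demo")
    m.assign("admin", ("Default", "demo"), ("engineering", "alice"))
    return m
```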
(4) Token Service
The Token Service authenticates and manages tokens; a user receives a token after passing credential authentication.
Keystone 10.0.0 supports four back-end drivers for the Token Service: Kvs.Token, Memcache.Token, Memcache_pool.Token and Sql.Token. Kvs.Token is the system default.
(5) Catalog Service
The Catalog Service provides management operations for services and Endpoints (a service is any OpenStack service, and an endpoint is the URL used to access that service).
Keystone 10.0.0 supports two back-end drivers for the Catalog Service: Sql.Catalog and Templated.Catalog. The system default is templated.Catalog.
(6) Policy Service
The Policy Service provides a rule-based authorization driver and rule management.
Keystone 10.0.0 supports two back-end drivers for the Policy Service: rules.Policy and sql.Policy. Sql.Policy is used by default.
Backend Driver
There are many kinds of Backend Driver, and each Service chooses its own.
Official documentation: https://docs.openstack.org/keystone/latest/#groups
The concepts Keystone manages, the component responsible for each, the objects it manages, the generation methods and back ends available, and the configuration items that select them:

identity
  Manages: user, user group
  Back ends: sql, ldap.core
  Configuration:
    [identity]
    driver = keystone.identity.backends.[sql | ldap.core].Identity

token
  Manages: the user's temporary token
  Generation methods: pki, pkiz, uuid
  Back ends: sql, kvs, memcached
  Configuration:
    [token]
    driver = keystone.token.persistence.backends.[sql | kvs | memcache | memcache_pool].Token
    provider = keystone.token.providers.[pkiz | pki | uuid].Provider

credential
  Manages: EC2 credential
  Back ends: sql
  Configuration:
    [credential]
    driver = keystone.credential.backends.sql.Credential
    provider = keystone.token.providers.[core | fernet].Provider

catalog
  Manages: region, service, endpoint
  Back ends: sql, templated
  Configuration:
    [catalog]
    driver = keystone.catalog.backends.[sql | templated].Catalog

assignment
  Manages: tenant, domain, role and their relationships with users
  Authentication methods: external, password, token
  Back ends: sql
  Configuration:
    [assignment]
    methods = external, password, token
    password = keystone.auth.plugins.password.Password

trust
  Manages: trust
  Back ends: sql
  Configuration:
    [trust]
    driver = keystone.trust.backends.[sql].Trust

policy
  Manages: the authentication policy for Keystone service users
  Back ends: rules, sql
  Configuration:
    [default]
    policy_file = policy.json
    [policy]
    driver = keystone.policy.backends.[rules | sql].Policy
Keystone-10.0.0 code structure display
keystone-manage is a CLI tool that interacts with the Keystone service to do things that cannot be done through the Keystone REST API, including:
db_sync: sync the database.
db_version: print the current migration version of the database.
mapping_purge: purge the identity mapping table.
pki_setup: initialize the certificates used to sign tokens.
saml_idp_metadata: generate identity provider metadata.
ssl_setup: generate certificates for SSL.
token_flush: purge expired tokens.
Each Keystone component, such as catalog, token, and so on, has its own directory.
In each component directory:
routes.py defines the routes of the component (for routes, see Exploring OpenStack (11): analysis of the cinder-api service startup process and an introduction to WSGI / Paste deploy / Router).
In identity and assignment, the routes used by admin and public are defined separately, for the admin service and the public service respectively.
controller.py defines the objects managed by the component. For example, assignment's controller.py defines Tenant, Role, Project, and so on.
core.py declares two classes, Manager and Driver. The Manager class provides the entry points through which the component operates on its objects.
The Driver class defines the interface that the component requires its Driver implementation class to provide.
Each file in the backend directory implements one specific driver.
Download keystone-10.0.0 demo https://www.openstack.org/
Keystone service startup
Keystone is an HTTP front end to several services. Like other OpenStack applications, this is done using Python WSGI interfaces, and the applications are configured together using Paste. The application's HTTP endpoints are made up of pipelines of WSGI middleware.
For details, see: https://docs.openstack.org/keystone/latest/
/usr/bin/keystone-all starts two Keystone services, admin and main, which correspond to the two composite sections in the /etc/keystone/keystone-paste.ini file:
It can be seen that the admin service is provided for administrator use; main is provided for public use.
They serve version 2.0 and version 3 respectively, but the current keystone CLI only supports version 2.0. Comparing admin with public:
admin
  Factory function: keystone.service:admin_app_factory
  Difference: has the s3_extension middleware, which public does not
public
  Middlewares: sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension
  Factory function: keystone.service:public_app_factory
From the point of view of the factory function, the admin service has more identity management functions than the public service, as well as the admin/public difference in assignment:
1. admin adds support for GET /users/{user_id}, get_all_projects, get_project, get_user_roles and other functions.
2. Keystone provides admin extensions, such as OS-KSADM, for the admin service, and public extensions for the public service.
To sum up, the public service mainly provides authentication and catalog functions; the admin service adds management of tenants, users, roles and user groups.
/usr/bin/keystone-all starts the two services, admin and public, and binds each to its own host and port.
By default the bind host is 0.0.0.0.
The bind port is 35357 (admin_port) for admin and 5000 (public_port) for public.
Therefore OS_AUTH_URL is http://controller:35357/v2.0 for admin
and OS_AUTH_URL is http://controller:5000/v2.0 for public.
Keystone details
The parent WSGI server process (process 50511) opens two sockets, listening on ports 5000 and 35357 of this host respectively.
Port 5000 serves the WSGI server for main, and port 35357 serves the WSGI server for admin.
That is, when the parent WSGI server process receives an HTTP request on port 5000, it forwards the request to the WSGI server opened for main for processing.
When the parent WSGI server process receives an HTTP request on port 35357, it forwards the request to the WSGI server opened for admin for processing.
vim /etc/keystone/keystone-paste.ini
Log 2016-09-14 1115 53 req-07b28d5b-084c-467e-b45a-a4c8a52b7e969ff041112e454cca9b54bf117a80ca29 15426931fe4746d08736c5e5c1da6b1c 01.037 12698 INFO keystone.common.wsgi [req-07b28d5b-084c-467e-b45a-a4c8a52b7e969ff041112e454cca9b54bf117a80ca29 15426931fe4746d08736c5e5c1da6b1c-6e495643fb014e5e8a3992c69d80d234 6e495643fb014e5e8a3992c69d80d234] GET http://controller02:35357/v3/auth/tokens
(1) type = composite
A section of this type distributes a URL request to the corresponding application; use indicates the distribution method. For example, "egg:Paste#urlmap" selects the urlmap module of the Paste package, and the other "key = value" lines in the section are parameters for the urlmap distribution.
(2) type = app
An app is a specific WSGI application.
(3) type = filter-app
After a request is received, the app given by use in the filter-app section is called first to filter it. If the request is not filtered out, it is forwarded to the app given by next for further processing.
(4) type = filter
The only difference from filter-app is that there is no next.
(5) type = pipeline
A pipeline consists of a series of filters, with an app at the end of the filter chain. The pipeline type is mainly a simplification of filter-app: otherwise, with more than one filter, you would need several filter-app sections chained together with next. OpenStack's Paste deploy configuration files
mainly use the pipeline form.
Because the URL is http://192.168.118.1:5000/v2.0/tokens and the part after the base URL is /v2.0, the request goes to the public_api section for the corresponding operation.
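A minimal resolver for the Paste deploy section types and the /v2.0/tokens routing described above, added here as an example; it is not code from the article, from Keystone or from Paste, and the abridged INI sample, section names and function names are constructed to mirror the shape of keystone-paste.ini:

```python
# Added example (not from the article or from Keystone/Paste): a minimal
# Paste-deploy-style resolver for the section types above. A [composite]
# urlmap section picks the longest matching mount, a [pipeline] section lists
# filters ending in an [app], and a request path resolves to that chain.
import configparser

# Constructed, abridged sample in the shape of keystone-paste.ini.
SAMPLE_INI = """
[composite:main]
use = egg:Paste#urlmap
/ = public_version_api
/v2.0 = public_api

[pipeline:public_api]
pipeline = sizelimit url_normalize token_auth json_body public_service

[pipeline:public_version_api]
pipeline = sizelimit public_version_service

[app:public_service]
use = egg:keystone#public_service

[app:public_version_service]
use = egg:keystone#public_version_service
"""

def load_paste_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def resolve_urlmap(cfg, composite, path):
    """Longest-prefix match over the mounts of a composite section, as urlmap does."""
    mounts = {k: v for k, v in cfg[composite].items() if k.startswith("/")}
    hits = [p for p in mounts if path == p or path.startswith(p.rstrip("/") + "/")]
    return mounts[max(hits, key=len)] if hits else None

def route(cfg, path):
    """Return (section name, filter names, terminal app) for a request path."""
    name = resolve_urlmap(cfg, "composite:main", path)
    if name is None:
        return None
    chain = cfg["pipeline:" + name]["pipeline"].split()
    filters, app = chain[:-1], chain[-1]
    if "app:" + app not in cfg:   # a pipeline must terminate in an app section
        raise ValueError("pipeline %s does not end in an app" % name)
    return name, filters, app
```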