OpenStack M version, learning notes 3

Keywords: OpenStack

These notes were taken while following the Old Boy video course together with the official documentation. If there are mistakes or omissions, anyone in a good mood is welcome to point them out.
Video address: https://www.bilibili.com/video/BV1LJ411Y7og?p=12  

Authentication service (keystone)

The authentication service has three main functions: authentication management, authorization management and the service catalog.

  1. Authentication management: provides the authentication mechanism (account and password) that the various components use when they interact.
  2. Authorization management: authorizes the other components to interact with each other.
  3. Service catalog: makes it convenient for services to reach each other by collecting and managing the URLs of all services. (Think of keystone as a browser and the service URLs as its bookmarks: once the browser is open, you reach a site through its bookmark instead of typing the address again each time.)

Create the database and grant access

[root@controller01 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'kbI2PxpvAYKF0Ob1X2B2';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'kbI2PxpvAYKF0Ob1X2B2';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]>

Install keystone package

yum install openstack-keystone httpd mod_wsgi 

PS: mod_wsgi is an Apache extension module (many Apache modules are named mod_*); it lets Apache run Python (WSGI) applications.

Modify the configuration file

To make the file easier to configure and read, back up the original keystone configuration file first, then filter out the comments and blank lines and write the result back to the configuration file.

[root@controller01 ~]# cd /etc/keystone/
[root@controller01 keystone]# ls
default_catalog.templates  keystone.conf  keystone-paste.ini  logging.conf  policy.json  sso_callback_template.html
[root@controller01 keystone]# cp keystone.conf keystone.conf.bak
[root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
[tokenless_auth]
[trust]
[root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak >keystone.conf

Start modifying the configuration

1. In the [DEFAULT] section, set the value of the initial management (admin) token:

[DEFAULT]
...
admin_token = wYRv9PbPlZZzCV49lr6g

While keystone has no users yet, this default administrator token is used for management operations.

2. In the [database] section, configure database access:

[database]
...
connection = mysql+pymysql://keystone:kbI2PxpvAYKF0Ob1X2B2@controller01/keystone
# option name = access protocol (mysql+pymysql) :// user:password @ host / database

Since the host to connect to is given by host name (controller01) in the configuration, this is where the /etc/hosts name resolution configured at the beginning comes into play. Refer to note ①.

3. In the [token] section, configure the Fernet token provider; in other words, this selects how tokens are generated.

[token]
...
provider = fernet

Refer to the figure below to understand keystone's token authentication flow.

Picture source: Huawei official certification PPT material plus my own notes taken while studying.

 

Generate database

View database

[root@controller01 keystone]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone;
Database changed
MariaDB [keystone]> show tables;
Empty set (0.00 sec)

It can be seen that the database is currently empty.

Synchronize database

su -s /bin/sh -c "keystone-manage db_sync" keystone

su stands for Switch User.
-s shell (or --shell=shell) specifies the shell to run (bash, csh, tcsh, etc.); here /bin/sh is specified.
/bin/sh -c command: the string that follows is a command to run, the same as what we would normally type. For example, sh -c "ls -l" is equivalent to running ls -l directly.
To sum up, the command as a whole runs keystone-manage db_sync under /bin/sh as the keystone user, which is the final argument to su.

  • An error was reported when executing this command! When the keystone database connection was configured, the host name was set to controller, which did not match the host name resolved by the hosts file configured earlier, so an error occurred:
2021-10-14 12:00:25.941 4480 CRITICAL keystone [-] DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno -2] Name or service not known)")

After changing the host name and re-executing the command, it succeeded.
After executing the command, check whether the database tables were generated correctly.
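The db_sync failure above comes from the host name in the connection string not resolving. The following added example (not part of the original notes) reads the connection= line out of a keystone.conf, extracts the host, checks it against the system resolver (getent, which consults /etc/hosts and DNS) and prints the URL with the password redacted. The helper names and the sample configuration path are my own.

```shell
#!/bin/sh
# Added example: pre-flight check for the keystone [database] connection URL.
# Catches "Can't connect to MySQL server on 'controller' (Name or service not known)"
# before keystone-manage db_sync is run, without ever printing the DB password.

# Extract the host from a SQLAlchemy URL such as
# mysql+pymysql://keystone:secret@controller01/keystone -> controller01
db_host_from_url() {
    # strip the scheme, then the credentials, then everything from the first '/' or ':'
    printf '%s\n' "$1" | sed -e 's|^[^/]*//||' -e 's|^[^@]*@||' -e 's|[/:].*$||'
}

# Pull the first connection= line out of a keystone.conf
db_url_from_conf() {
    sed -n 's/^[[:space:]]*connection[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the name resolves through the system resolver (/etc/hosts or DNS)
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Print the URL with the password replaced by *** so it can go into logs
redact_url() {
    printf '%s\n' "$1" | sed 's|\(//[^:/@]*\):[^@]*@|\1:***@|'
}

# Usage: check_keystone_db_host /etc/keystone/keystone.conf
check_keystone_db_host() {
    conf="$1"
    url=$(db_url_from_conf "$conf")
    [ -n "$url" ] || { echo "no connection= line in $conf" >&2; return 2; }
    host=$(db_host_from_url "$url")
    if host_resolves "$host"; then
        echo "OK: $(redact_url "$url") -> '$host' resolves"
        return 0
    fi
    echo "FAIL: host '$host' in $(redact_url "$url") does not resolve; fix /etc/hosts or the connection= line" >&2
    return 1
}
```

Run the check as root on the controller before db_sync; a non-zero exit means db_sync would fail the same way the notes describe.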

[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller01 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

The tables have been generated correctly, which indicates that the command executed successfully.

Initialize the Fernet keys for the authentication service

Before initialization, there is no fernet-keys directory under /etc/keystone/.

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# ll /etc/keystone
total 104
-rw-r----- 1 root     keystone  2303 Feb  1  2017 default_catalog.templates
-rw-r----- 1 root     keystone   677 Oct 14 13:00 keystone.conf
-rw-r----- 1 root     root     73101 Oct 14 11:04 keystone.conf.bak
-rw-r----- 1 root     keystone  2400 Feb  1  2017 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Feb  1  2017 logging.conf
-rw-r----- 1 keystone keystone  9699 Feb  1  2017 policy.json
-rw-r----- 1 keystone keystone   665 Feb  1  2017 sso_callback_template.html
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# !ll
ll /etc/keystone
total 104
-rw-r----- 1 root     keystone  2303 Feb  1  2017 default_catalog.templates
drwx------ 2 keystone keystone    24 Oct 14 15:25 fernet-keys    # After initialization, this directory is generated
-rw-r----- 1 root     keystone   677 Oct 14 13:00 keystone.conf
-rw-r----- 1 root     root     73101 Oct 14 11:04 keystone.conf.bak
-rw-r----- 1 root     keystone  2400 Feb  1  2017 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Feb  1  2017 logging.conf
-rw-r----- 1 keystone keystone  9699 Feb  1  2017 policy.json
-rw-r----- 1 keystone keystone   665 Feb  1  2017 sso_callback_template.html
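The listing above shows fernet_setup creating fernet-keys as drwx------ owned by keystone. Whoever can read those key files can forge tokens, so the following added check (my own script, not part of the notes or of keystone-manage) verifies that the repository is still private: directory 0700, every key file 0600, all owned by the keystone user. The FERNET_OWNER override exists only so the check can be exercised on a directory owned by another user.

```shell
#!/bin/sh
# Added example: verify ownership and permissions of a Fernet key repository.
# Expected state after `keystone-manage fernet_setup`: dir 0700, keys 0600,
# everything owned by the keystone user. Uses GNU stat (-c).

# Expected owner; "keystone" on a real controller, overridable for testing
FERNET_OWNER="${FERNET_OWNER:-keystone}"

# Usage: check_fernet_repo /etc/keystone/fernet-keys [owner]
check_fernet_repo() {
    repo="$1"
    owner="${2:-$FERNET_OWNER}"
    status=0

    [ -d "$repo" ] || { echo "FAIL: $repo is not a directory" >&2; return 1; }

    # the directory itself must be 0700 and owned by the expected user
    if [ "$(stat -c '%a' "$repo")" != 700 ]; then
        echo "FAIL: $repo mode is $(stat -c '%a' "$repo"), expected 700" >&2; status=1
    fi
    if [ "$(stat -c '%U' "$repo")" != "$owner" ]; then
        echo "FAIL: $repo owned by $(stat -c '%U' "$repo"), expected $owner" >&2; status=1
    fi

    # keystone names the key files 0, 1, 2, ...; each must be 0600 and owned by the same user
    n=0
    for key in "$repo"/*; do
        [ -f "$key" ] || continue
        n=$((n + 1))
        if [ "$(stat -c '%a' "$key")" != 600 ]; then
            echo "FAIL: $key mode is $(stat -c '%a' "$key"), expected 600" >&2; status=1
        fi
        if [ "$(stat -c '%U' "$key")" != "$owner" ]; then
            echo "FAIL: $key owned by $(stat -c '%U' "$key"), expected $owner" >&2; status=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "FAIL: no key files in $repo" >&2; status=1; }

    [ "$status" -eq 0 ] && echo "OK: $repo ($n key files) is private to $owner"
    return "$status"
}
```

Run it after fernet_setup and again after every key rotation; any FAIL line is a reason to stop and fix ownership before the service is exposed.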

Configure httpd

  • Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node:
echo "ServerName controller01" >> /etc/httpd/conf/httpd.conf

Create the file / etc/httpd/conf.d/wsgi-keystone.conf with the following.

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Start service

systemctl enable httpd.service
systemctl start httpd.service

Creating and registering service APIs

Since no user exists yet, the admin_token has to be used to create the first user.

Configure the authentication token. The value of the token is the one defined in the keystone configuration:
export OS_TOKEN=wYRv9PbPlZZzCV49lr6g

  • Configure the endpoint URL
    export OS_URL=http://controller01:35357/v3
  • Configure the authentication API version. Multiple versions are defined for compatibility with earlier releases; in fact the three versions v1, v2 and v3 can be used at the same time
    export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# export OS_TOKEN=wYRv9PbPlZZzCV49lr6g
[root@controller01 ~]# export OS_URL=http://controller01:35357/v3
[root@controller01 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# env |grep OS    # After adding them, check that the corresponding variables exist in the environment
HOSTNAME=controller01
OS_IDENTITY_API_VERSION=3
OS_TOKEN=wYRv9PbPlZZzCV49lr6g
OS_URL=http://controller01:35357/v3

Create service entities and authentication services:

  1. Create the service
[root@controller01 ~]# openstack service create \
>   --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 5ec2d8fd92f147c2bb8520f51c3d800a |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
# --description "OpenStack Identity" is a free-text description and can be adjusted to your own understanding
  2. Create the API endpoints for the authentication service

The corresponding URLs can only be created after the service exists; such a URL is what is called an endpoint here.
PS: note that controller01 used here is the host name I configured for name resolution at the beginning. If you configured a different host name, use that one instead.

[root@controller01 ~]# openstack endpoint create --region RegionOne \
>   identity public http://controller01:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1f58d7efc744e9a8b17e4f5c2dc0c9a |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:5000/v3      |
+--------------+----------------------------------+
  
[root@controller01 ~]# openstack endpoint create --region RegionOne \
>   identity internal http://controller01:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 86a037ae5a1c4154a03b6dadbb91910a |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:5000/v3      |
+--------------+----------------------------------+

[root@controller01 ~]# openstack endpoint create --region RegionOne \
>   identity admin http://controller01:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 745d8e46a62d405594154a2a5d5a3689 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ec2d8fd92f147c2bb8520f51c3d800a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:35357/v3     |
+--------------+----------------------------------+
  • The endpoints created here use different URLs, which can be understood as: the channel used by ordinary employees and managers is controller01:5000, while the channel used by the chairman is controller01:35357
  • public is the public interface, internal is the internal interface, and admin is the administrator interface

Create domain, project, user, role

  1. A domain can be understood as a region; this is similar to choosing the region of a virtual machine when buying one from a cloud vendor.
  2. A project (called a tenant in older versions) also borrows a cloud-vendor concept: a logged-in account corresponds to a project (for example, your current login account is xxx). Virtual machines of different projects are isolated from each other.
  3. Users can be understood as the users, or sub-users, under a project.
  4. Roles can be understood as the different kinds of managers among those sub-users, some with high permissions and some with low ones. In OpenStack the roles are hard-coded: there are only two, admin and user.
  • Create the domain:
[root@controller01 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 8cba1e7341c14ab993124909c705919a |
| name        | default                          |
+-------------+----------------------------------+
  • Create the admin project
[root@controller01 ~]# openstack project create --domain default \
>   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 8cba1e7341c14ab993124909c705919a |
| enabled     | True                             |
| id          | cfb654cc503f4da8aaed7fde4a01c1f7 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 8cba1e7341c14ab993124909c705919a |
+-------------+----------------------------------+
  • Create the admin user

PS: note that the --password-prompt option asks for the password interactively with hidden input, i.e. the password is not echoed.
The password I configured is wYRv9PbPlZZzCV49lr6g, the same as the default admin_token in keystone.

[root@controller01 ~]# openstack user create --domain default \
>   --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 8cba1e7341c14ab993124909c705919a |
| enabled   | True                             |
| id        | 8e411763aa0541a9b302247f21c487c9 |
| name      | admin                            |
+-----------+----------------------------------+
  • Create the admin role
[root@controller01 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | edf8fc933a084d518c6cc8695e6f61c8 |
| name      | admin                            |
+-----------+----------------------------------+

Because the admin project, user and role created above are not yet associated with each other, the following command links the three:
PS: the command can be read as granting the admin user the admin role on the admin project.

[root@controller01 ~]# openstack role add --project admin --user admin admin

Create a project for the service components of the system; when the other components are installed later, their users will be added to this project.

[root@controller01 ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 8cba1e7341c14ab993124909c705919a |
| enabled     | True                             |
| id          | 46bc148e34444f83b2641ca2a41f19c9 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 8cba1e7341c14ab993124909c705919a |
+-------------+----------------------------------+

Keystone service validation

Because we are still using the admin_token environment variables configured for keystone above, some commands produce errors.

[root@controller01 ~]# env |grep OS
HOSTNAME=controller01
OS_IDENTITY_API_VERSION=3
OS_TOKEN=wYRv9PbPlZZzCV49lr6g
OS_URL=http://controller01:35357/v3
[root@controller01 ~]# openstack token issue
'NoneType' object has no attribute 'service_catalog'

So a new set of environment variables needs to be configured.

The official document says: "For security reasons, disable the temporary authentication token mechanism:"

Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
Unset the OS_TOKEN and OS_URL environment variables:

$ unset OS_TOKEN OS_URL

As the admin user, request an authentication token:

$ openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
  1. This command specifies the authentication endpoint, the project domain, the user domain, the project and the user; the final token issue obtains a token. After running it you are asked for the user's password;
  2. In other words, the long preamble is just parameters. Without environment variables loaded, the whole preamble has to be repeated on every command, with the actual command at the end, which is too troublesome.
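The official step quoted above, removing admin_token_auth from the three pipelines, is the point where the bootstrap token stops granting admin rights. As an added example (my own script, not from the notes or the official guide), the functions below report whether any of those pipelines still contains the filter and rewrite the file without it. The sample keystone-paste.ini is constructed in the shape of the real file for testing; use the real /etc/keystone/keystone-paste.ini on a controller and keep the .bak it writes.

```shell
#!/bin/sh
# Added example: detect and remove admin_token_auth from the keystone-paste.ini
# pipelines. While the filter is in a pipeline, anyone holding the admin_token
# value from keystone.conf has full admin rights with no user or password.

PIPELINES='pipeline:public_api pipeline:admin_api pipeline:api_v3'

# Print the "pipeline = ..." line of one section.
# Usage: section_pipeline FILE pipeline:api_v3
section_pipeline() {
    awk -v sec="[$2]" '
        $0 == sec            { insec = 1; next }
        /^\[/                { insec = 0 }
        insec && /^pipeline/ { print; exit }
    ' "$1"
}

# Return 0 (true) if any of the three pipelines still lists admin_token_auth
admin_token_auth_enabled() {
    for sec in $PIPELINES; do
        if section_pipeline "$1" "$sec" | grep -q 'admin_token_auth'; then
            return 0
        fi
    done
    return 1
}

# Rewrite FILE in place (backup in FILE.bak), dropping the admin_token_auth
# word from every "pipeline = ..." line; all other lines are copied unchanged.
disable_admin_token_auth() {
    cp "$1" "$1.bak"
    awk '
        /^pipeline[[:space:]]*=/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "admin_token_auth") out = out (out == "" ? "" : " ") $i
            print out; next
        }
        { print }
    ' "$1.bak" > "$1"
}

# Constructed sample in the shape of the Mitaka keystone-paste.ini pipelines
# (test input only, not a copy of the packaged file).
make_sample_paste_ini() {
    cat > "$1" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}
```

After editing the real file, restart httpd so the WSGI processes reload the pipeline, then confirm that the old OS_TOKEN no longer works and that the password-based token issue shown above still does.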

However, that command is long and easy to get wrong, and this is only a learning environment anyway.

So it is more convenient to do the following:
write a new environment variable file for the newly created admin user
vim admin-openrc

[root@controller01 ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=wYRv9PbPlZZzCV49lr6g
export OS_AUTH_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

After each login, check whether the environment variables exist; if they do not, load the environment variable file:

source admin-openrc
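admin-openrc stores the admin password in clear text, and the client picks OS_TOKEN/OS_URL over it when both are set (the 'service_catalog' error shown earlier). The following added helper (my own, not part of the notes) refuses to source an rc file that is readable by others, clears the bootstrap variables first, and then reports which of the variables from the file above are still missing. Variable names are those used in the notes; REQUIRED_VARS and the function names are my own.

```shell
#!/bin/sh
# Added example: load an admin-openrc safely and verify the result.

# Variables the openstack client needs for password auth (from the notes above)
REQUIRED_VARS='OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION'

# Return 0 if the rc file is mode 0600 or 0400 (owner-only); uses GNU stat
openrc_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WARN: $1 is mode $mode and holds a password; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# Print the names of required variables that are unset or empty; return 0 if none
openrc_missing_vars() {
    missing=""
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: load_openrc ~/admin-openrc   (must be called in the current shell, not a subshell)
load_openrc() {
    openrc_is_private "$1" || return 1
    # the token-based bootstrap variables would otherwise take precedence
    unset OS_TOKEN OS_URL
    . "$1"
    if openrc_missing_vars >/dev/null; then
        echo "OK: loaded $1 for $OS_USERNAME at $OS_AUTH_URL"
    else
        echo "FAIL: $1 is missing: $(openrc_missing_vars)" >&2
        return 1
    fi
}
```

Because it must alter the calling shell's environment, use it as a function or dot-source the script rather than running it as a separate process.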

 

Posted by a2bardeals on Tue, 30 Nov 2021 20:47:54 -0800