The notes are learned according to the old boy Video + official documents and recorded. If there are mistakes and omissions, those in a good mood can point out them.
Video address: https://www.bilibili.com/video/BV1LJ411Y7og?p=12
Certification services (keystone)
Authentication service mainly has three functions: authentication management, authorization management and service directory
- Authentication management: provides an authentication mechanism (account and password) for the interaction of various components
- Authorization management: authorize other components to interact with each other.
- Service Directory: it is convenient for other services to access each other. It will summarize and manage the URLs of all services. (it can be understood that keystone is a browser, and the service URL is the favorite address of the page; after opening the browser, if you want to quickly access the website, you only need to open the favorite address, without entering the address repeatedly, etc.)
Creative library authorization
[root@controller01 ~]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 3 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database keystone; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'kbI2PxpvAYKF0Ob1X2B2'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'kbI2PxpvAYKF0Ob1X2B2'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec) MariaDB [(none)]>
Install keystone package
yum install openstack-keystone httpd mod_wsgi
PS: mod_wsgi is an extension module of apache. Many modules of apache start with mod; python for apache connection
Modify profile
In order to facilitate configuration and reading, back up the configuration file of the source keystone in advance, and filter the configuration without comments back to the configuration file
root@controller01 ~]# cd /etc/keystone/ [root@controller01 keystone]# ls default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html [root@controller01 keystone]# cp keystone.conf keystone.conf.bak [root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak [DEFAULT] [assignment] [auth] [cache] [catalog] [cors] [cors.subdomain] [credential] [database] [domain_config] [endpoint_filter] [endpoint_policy] [eventlet_server] [eventlet_server_ssl] [federation] [fernet_tokens] [identity] [identity_mapping] [kvs] [ldap] [matchmaker_redis] [memcache] [oauth1] [os_inherit] [oslo_messaging_amqp] [oslo_messaging_notifications] [oslo_messaging_rabbit] [oslo_middleware] [oslo_policy] [paste_deploy] [policy] [resource] [revoke] [role] [saml] [shadow_users] [signing] [ssl] [token] [tokenless_auth] [trust] [root@controller01 keystone]# grep -Ev '^$|#' keystone.conf.bak >keystone.conf
Start modifying configuration
1. In the [DEFAULT] section, define the value of the initial management token:
[DEFAULT] ... admin_token = wYRv9PbPlZZzCV49lr6g
When keystone does not have a user, the default administrator token is used for management operations.
2. In the [database] section, configure database access:
[database] ... connection = mysql+pymysql://keystone:kbI2PxpvAYKF0Ob1X2B2@controller01/keystone #Key name mysql access protocol keystone user and password access host access library
Since the accessed host is defined as controller in the configuration, the purpose of configuring / etc/hosts to resolve the name is reflected at the beginning. Refer to note ①
3. In the [token] section, configure the provider of the Fernet UUID token. In other words, it is to select the way and method of generating tokens.
[token] ... provider = fernet
Refer to the figure below to understand the token authentication method of keystone
Picture source: Huawei officially certified PPT material + my notes during study.
Generate database
View database
[root@controller01 keystone]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 5 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> use keystone; Database changed MariaDB [keystone]> show tables; Empty set (0.00 sec)
It can be seen that the database is empty at present.
Synchronize database
su -s /bin/sh -c "keystone-manage db_sync" keystone
su's full name is Switch User
-s shell or -- shell=shell specifies the shell to execute (bash, CSH, tcsh, etc.), where / bin/sh is specified
/bin/sh -c : command Followed by a string, which can be the command we normally execute. For example, sh -c "ls -l" is equivalent to directly executing ls -l;
To sum up, the command here is equivalent to specifying an environment variable / bin/sh/ Execute keystone manage dB_ Sync this command, and the parameter is specified as keystone library
- An error was reported when executing this command! When configuring keystone database connection at that time, the host name controller was configured, which was inconsistent with the host name parsed by the previously configured hosts, resulting in an error
2021-10-14 12:00:25.941 4480 CRITICAL keystone [-] DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno -2] Name or service not known)")
Then change the host name, and then re execute the command, and it is successful.
After executing the command, check whether the database table is generated correctly.
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone [root@controller01 ~]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 17 Server version: 10.1.20-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> use keystone; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [keystone]> show tables; +------------------------+ | Tables_in_keystone | +------------------------+ | access_token | | assignment | | config_register | | consumer | | credential | | domain | | endpoint | | endpoint_group | | federated_user | | federation_protocol | | group | | id_mapping | | identity_provider | | idp_remote_ids | | implied_role | | local_user | | mapping | | migrate_version | | password | | policy | | policy_association | | project | | project_endpoint | | project_endpoint_group | | region | | request_token | | revocation_event | | role | | sensitive_config | | service | | service_provider | | token | | trust | | trust_role | | user | | user_group_membership | | whitelisted_config | +------------------------+ 37 rows in set (0.00 sec)
The table has been generated correctly. Indicates that the command was executed successfully.
Initialize the database for the authentication service
Before initialization, there is no directory under / etc/keystone /.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# ll /etc/keystone total 104 -rw-r----- 1 root keystone 2303 Feb 1 2017 default_catalog.templates -rw-r----- 1 root keystone 677 Oct 14 13:00 keystone.conf -rw-r----- 1 root root 73101 Oct 14 11:04 keystone.conf.bak -rw-r----- 1 root keystone 2400 Feb 1 2017 keystone-paste.ini -rw-r----- 1 root keystone 1046 Feb 1 2017 logging.conf -rw-r----- 1 keystone keystone 9699 Feb 1 2017 policy.json -rw-r----- 1 keystone keystone 665 Feb 1 2017 sso_callback_template.html [root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone [root@controller01 ~]# !ll ll /etc/keystone total 104 -rw-r----- 1 root keystone 2303 Feb 1 2017 default_catalog.templates drwx------ 2 keystone keystone 24 Oct 14 15:25 fernet-keys #After initialization, this directory will be generated -rw-r----- 1 root keystone 677 Oct 14 13:00 keystone.conf -rw-r----- 1 root root 73101 Oct 14 11:04 keystone.conf.bak -rw-r----- 1 root keystone 2400 Feb 1 2017 keystone-paste.ini -rw-r----- 1 root keystone 1046 Feb 1 2017 logging.conf -rw-r----- 1 keystone keystone 9699 Feb 1 2017 policy.json -rw-r----- 1 keystone keystone 665 Feb 1 2017 sso_callback_template.html
Configure httpd
- Edit the / etc/httpd/conf/httpd.conf file and configure the ServerName option as the control node:
echo "ServerName controller01" >> /etc/httpd/conf/httpd.conf
Create the file / etc/httpd/conf.d/wsgi-keystone.conf with the following.
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
Start service
systemctl enable httpd.service systemctl start httpd.service
Creating and registering service APIs
If there is no user, you need to use admin_token to create a user
Configure the authentication TOKEN. The value of TOKEN is defined in keystone configuration
export OS_TOKEN=wYRv9PbPlZZzCV49lr6g
- Configure endpoint URL
export OS_URL=http://controller01:35357/v3 - The purpose of configuring authentication API versions and defining multiple versions is to be compatible with historical versions. In fact, three versions v1, v2 and v3 can be used at the same time
export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# export OS_TOKEN=wYRv9PbPlZZzCV49lr6g [root@controller01 ~]# export OS_URL=http://controller01:35357/v3 [root@controller01 ~]# export OS_IDENTITY_API_VERSION=3 [root@controller01 ~]# env |grep OS #After adding, you can check whether there are corresponding variables in the environment variables HOSTNAME=controller01 OS_IDENTITY_API_VERSION=3 OS_TOKEN=wYRv9PbPlZZzCV49lr6g OS_URL=http://controller01:35357/v3
Create service entities and authentication services:
- Create service
[root@controller01 ~]# openstack service create \ > --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | OpenStack Identity | | enabled | True | | id | 5ec2d8fd92f147c2bb8520f51c3d800a | | name | keystone | | type | identity | +-------------+----------------------------------+ #--description "OpenStack Identity" is a description, which can be adjusted according to your understanding
- Create API endpoint for authentication service
The corresponding URL can only be created after the service is available, which is called endpoint here
PS: note that controller01 I use here is the host name specified for the resolution I configured at the beginning. If it is configured as another host name, please use another host name
[root@controller01 ~]# openstack endpoint create --region RegionOne \ > identity public http://controller01:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | c1f58d7efc744e9a8b17e4f5c2dc0c9a | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | 5ec2d8fd92f147c2bb8520f51c3d800a | | service_name | keystone | | service_type | identity | | url | http://controller01:5000/v3 | +--------------+----------------------------------+ [root@controller01 ~]# openstack endpoint create --region RegionOne \ > identity internal http://controller01:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 86a037ae5a1c4154a03b6dadbb91910a | | interface | internal | | region | RegionOne | | region_id | RegionOne | | service_id | 5ec2d8fd92f147c2bb8520f51c3d800a | | service_name | keystone | | service_type | identity | | url | http://controller01:5000/v3 | +--------------+----------------------------------+ [root@controller01 ~]# openstack endpoint create --region RegionOne \ > identity admin http://controller01:35357/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 745d8e46a62d405594154a2a5d5a3689 | | interface | admin | | region | RegionOne | | region_id | RegionOne | | service_id | 5ec2d8fd92f147c2bb8520f51c3d800a | | service_name | keystone | | service_type | identity | | url | http://controller01:35357/v3 | +--------------+----------------------------------+
- The URLs created here use different URLs, which can be understood as: the channel used by ordinary employees and managers is controller01:5000; The channel used by the chairman is controller 01:357
- Public is public, internal is internal, and admin is administrator
Create domain, project, user, role
- The concept of domain can be understood as region or region. This is similar to the region of the selected virtual machine when the cloud manufacturer purchases the virtual machine.
- The project (called tenant in the old version) also borrows the concept of cloud vendor. A logged in user is a project. For example, your current login user is xxx; Virtual machines of different projects are isolated
- Users can be understood as users or sub users under the project
- Roles are understood as different managers in sub-users, some with high permissions and some with low permissions. In openstack, roles are written dead. There are only two roles, one is admin and the other is user
- Create domain:
[root@controller01 ~]# openstack domain create --description "Default Domain" default +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Default Domain | | enabled | True | | id | 8cba1e7341c14ab993124909c705919a | | name | default | +-------------+----------------------------------+
- Create admin project
[root@controller01 ~]# openstack project create --domain default \ > --description "Admin Project" admin +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Admin Project | | domain_id | 8cba1e7341c14ab993124909c705919a | | enabled | True | | id | cfb654cc503f4da8aaed7fde4a01c1f7 | | is_domain | False | | name | admin | | parent_id | 8cba1e7341c14ab993124909c705919a | +-------------+----------------------------------+
- Create admin user
PS: it should be noted here that the -- password prompt command is used to enter the password for the dark text, that is, the password that is not displayed
The password I configured is wYRv9PbPlZZzCV49lr6g, which is consistent with the default admintoken on keystone
[root@controller01 ~]# openstack user create --domain default \ > --password-prompt admin User Password: Repeat User Password: +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | 8cba1e7341c14ab993124909c705919a | | enabled | True | | id | 8e411763aa0541a9b302247f21c487c9 | | name | admin | +-----------+----------------------------------+
- Create admin role
[root@controller01 ~]# openstack role create admin +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | None | | id | edf8fc933a084d518c6cc8695e6f61c8 | | name | admin | +-----------+----------------------------------+
Because the items, users, and roles of the previously created admin are not associated, use the command here to associate the three admins
PS: the command is understood as giving the admin user the admin role on the admin project
[root@controller01 ~]# openstack role add --project admin --user admin admin
Create a project for each component of the system; When other components are installed later, their users will be added to the project.
[root@controller01 ~]# openstack project create --domain default \ > --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | 8cba1e7341c14ab993124909c705919a | | enabled | True | | id | 46bc148e34444f83b2641ca2a41f19c9 | | is_domain | False | | name | service | | parent_id | 8cba1e7341c14ab993124909c705919a | +-------------+----------------------------------+
keystone Service validation
Because we use the environment variables configured on keystone by default, errors will appear when using some commands.
[root@controller01 ~]# env |grep OS HOSTNAME=controller01 OS_IDENTITY_API_VERSION=3 OS_TOKEN=wYRv9PbPlZZzCV49lr6g OS_URL=http://controller01:35357/v3 [root@controller01 ~]# openstack token issue 'NoneType' object has no attribute 'service_catalog'
So you need to reconfigure a new environment variable
In the official document, "for security reasons, turn off the temporary authentication token mechanism:"
Edit the / etc/keystone/keystone-paste.ini file and delete admin from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections_ token_ auth .
Reset OS_TOKEN and OS_URL environment variable:
$ unset OS_TOKEN OS_URL
As an admin user, request an authentication token
$ openstack --os-auth-url http://controller:35357/v3 \ --os-project-domain-name default --os-user-domain-name default \ --os-project-name admin --os-username admin token issue Password: +------------+-----------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------+ | expires | 2016-02-12T20:14:07.056119Z | | id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv | | | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 | | | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws | | project_id | 343d245e850143a096806dfaefa9afdc | | user_id | ac3377633149401296f6c0d92d79dc16 | +------------+-----------------------------------------------------------------+
- This command specifies the access endpoint, the access domain, the access domain user, the access user, and the access role. Last token issue is to get a token. After execution, you will be asked to enter the user's password;
- That is, the previous large section is loaded parameters. If you do not load environment variables, you must load this large section in the command every time you execute, and you can enter the command you need to execute at the end, which is too troublesome.
However, this operation command will be more complex, and it is easy to make mistakes. At the same time, we also have a learning environment here
Therefore, it is convenient to use the following methods:
Re edit an environment variable for the newly created admin
vim admin-openrc
[root@controller01 ~]# cat admin-openrc export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=wYRv9PbPlZZzCV49lr6g export OS_AUTH_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
After each login, check whether the environment variable exists. If it does not exist, execute the environment variable
source admin-openrc