目录

前文列表

Openstack组件部署 — Overview和前期环境准备
Openstack组建部署 — Environment of Controller Node
Openstack组件部署 — Keystone功能介绍与认证实现流程

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node.
For performance, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

这一节记录了怎样在Controller Node上安装和配置Openstack的认证服务，代号为Keystone。在性能上，这个配置使用了Fernet Tokens和Apache HTTP服务器去处理请求。

Fernet Tokens：是K版本的更新内容，区别于UUID tokens只能持久化存入数据库，Fernet tokens完全不需要持久化。部署人员可以通过设置keystone.conf中的[token] provider = keystone.token.providers.fernet.Provider来启用Fernet token，这也是我们一会需要配置的参数项。Fernet tokens需要symmetric encryption keys(对称加密密钥)，这些keys可以使用keystone-manage fernet_setup建立， 并且使用keystone-manage fernet_rotate周期性地轮换。这些keys必须被在一个multi-node(或者multi-region)部署中的所有Keystone nodes共享，这样就能使一个node生成的tokens可以立即被其他节点验证。

Prerequisites 先决条件

Before you configure the OpenStack Identity service, you must create a database and an administration token.
在配置Openstack认证服务之前，你需要先创建一个keystone数据库和一个用于初始化keystone期间的临时管理token。

Create the database for identity service

这个数据库用于存放Keystone组件(User、Tenant、Roles等)的相关信息。
Step1.进入MySQL

mysql -u root -pfanguiju

Step2.创建数据库keystone

CREATE DATABASE keystone;

Step3.创建keystone数据库用户并授予适当的访问权限
创建keystone数据库用户，使其可以对keystone数据库有完全控制权限。

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'fanguiju'; #fanguiju为用户keystone的密码 GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'fanguiju';

Step4.退出MySQL

MariaDB [(none)]> exit Bye

生成一个随机数

Generate a random value to use as the administration token during initial configuration
生成一个用于初始化keystone期间的临时管理token

[root@controller Desktop]# openssl rand -hex 10 c44048d3212d3f977643

Install and configure components

Note：This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. Therefore, this guide manually disables the keystone service.
注意：该指南使用Apache Http服务器的mod_wsgi(Python Web Server Gateway Interface)动态访问模块来支持认证服务在5000和35357端口上的请求。keystone service默认就会监听这两个端口，所以，该指南手动的禁用keystone service。

WSGI：Python Web服务器网关接口（Python Web Server Gateway Interface，缩写为WSGI)，是Python应用程序或框架和Web服务器之间的一种接口，已经被广泛接受, 它已基本达成它的可移植性方面的目标。

Step1.安装openstack-keystone、HTTP、mod_wsgi模块

yum install openstack-keystone httpd mod_wsgi -y

Step2.Edit the /etc/keystone/keystone.conf file and complete the following actions:
vim /etc/keystone/keystone.conf

#1. In the [DEFAULT] section, define the value of the initial administration token: [DEFAULT] admin_token = c44048d3212d3f977643 #刚刚使用openssl指令生成的随机数 #2. In the [database] section, configure database access: [database] connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone #数据库连接配置 --> 使用mysql+pymysql协议://访问keystone用户:密码为范桂飓@数据库服务器hostname/访问keystone数据库;必要时可能需要使用IP代替hostname #3. In the [token] section, configure the Fernet token provider: [token] provider = fernet

总览：

[root@controller ~]# cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$ [DEFAULT] admin_token = c44048d3212d3f977643 [assignment] [auth] [cache] [catalog] [cors] [cors.subdomain] [credential] [database] connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone [domain_config] [endpoint_filter] [endpoint_policy] [eventlet_server] [eventlet_server_ssl] [federation] [fernet_tokens] [identity] [identity_mapping] [kvs] [ldap] [matchmaker_redis] [memcache] [oauth1] [os_inherit] [oslo_messaging_amqp] [oslo_messaging_notifications] [oslo_messaging_rabbit] [oslo_middleware] [oslo_policy] [paste_deploy] [policy] [resource] [revoke] [role] [saml] [shadow_users] [signing] [ssl] [token] provider = fernet [tokenless_auth] [trust]

注意：从总览的内容可以看出，在最新的版本中，第一次安装Keystone组件的时候，配置文件中的节点内容都是空的。但如果是使用该指南来安装其他版本Keystone的话，需要注意，我们应该是添加该指南的参数项到配置文件中，而不需要删除原来就已经存在的参数项。

Step3.Populate the Identity service database:

su -s /bin/sh -c "keystone-manage db_sync" keystone #使用sh执行keystone数据库初始化填充指令

查看数据库表是否创建成功：

[root@controller Desktop]# mysql -u keystone -pfanguiju Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 3 Server version: 10.1.12-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | +--------------------+ 2 rows in set (0.03 sec) MariaDB [(none)]> use keystone; Database changed MariaDB [keystone]> show tables; +------------------------+ | Tables_in_keystone | +------------------------+ | access_token | | assignment | | config_register | | consumer | | credential | | domain | | endpoint | | endpoint_group | | federated_user | | federation_protocol | | group | | id_mapping | | identity_provider | | idp_remote_ids | | implied_role | | local_user | | mapping | | migrate_version | | password | | policy | | policy_association | | project | | project_endpoint | | project_endpoint_group | | region | | request_token | | revocation_event | | role | | sensitive_config | | service | | service_provider | | token | | trust | | trust_role | | user | | user_group_membership | | whitelisted_config | +------------------------+ 37 rows in set (0.00 sec)

注意：执行此指令之后，忽略所有的deprecation messages。但是如果一直卡在这一步的话，我建议从新查看一下keystone.conf配置文件是否能够成功连接到数据库。

Step4.Initialize Fernet keys:
前文有过描述：Fernet tokens需要symmetric encryption keys，而这个keys就是使用keystone-manage fernet_setup来创建。

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Configure the Apache HTTP server

Step1.Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
vim /etc/httpd/conf/httpd.conf

#指定Apache HTTP Server的hostname ServerName controller.jmilk.com

Step2.Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:
开启两个监听端口，并配置两个Virtualhost-Port虚拟主机。
vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost>

Step3.Start the Apache HTTP service and configure it to start when the system boots:

systemctl start httpd.service systemctl enable httpd.service

到此为止，Keystone的安装已经完成了。

Create the service entity and API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.
认证服务提供了一个服务目录，需要为每一个加入到Openstack环境中的openstack service的service entity和若干个API endpoints添加到该服务目录中。

Prerequisites 先决条件

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use a temporary authentication token that you created in the section called Install and configure to initialize the service entity and API endpoint for the Identity service.
默认的，新建的认证服务数据库并没有包含任何支持authentication 和catalog services的信息。你必须使用在上文中创建的临时的authentication token——admin_token去初始化service entity和API endpoint。

Step1.创建临时authentication token文件
vim ~/auth_token

#1. Configure the authentication token(OS_TOKEN = keystone.conf中的参数项admin_token的值) export OS_TOKEN=c44048d3212d3f977643 #2. Configure the endpoint URL(使用35357号Port) export OS_URL=http://controller.jmilk.com:35357/v3 #3. Configure the Identity API version export OS_IDENTITY_API_VERSION=3

加载auth_token文件的环境变量

source ~/auth_token

Create the service entity and API endpoints

Step1.Create the service entity服务实体 for the Identity service:
The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment.
认证服务在Openstack中管理着一个服务目录，Openstack services是通过服务目录来定位其他的service。

[root@controller Desktop]# openstack service create --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | OpenStack Identity | | enabled | True | | id | c89a25e54e5b4ca3b277b15ec0d75853 | | name | keystone | | type | identity | +-------------+----------------------------------+

ERROR： An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7e447b64-0ab1-4add-b0f9-ccb29de79156)
这是一个非常常见的错误，尤其对于入门Openstack的小伙伴而言，很多人就卡在这个ERROR上。这里给出一些解决的方案：
1. 一定要检查Keystone的表是否成功创建
2. 确保环境变量正确，尤其是OS_TOKEN与admin_token的值是一致的，建议使用Copy，因为常见参数值后面带有空格，导致不一致的情况。
3. 确保Hostname和IP能够成功解析
4. 确保Port：35357已经开启
5. 确保HTTP服务正常运行
6. 查看openstack-keystone服务是否打开，如果是M版本就无所谓了
7. 实在不行，建议重启主机试试(放大招了)

Step2.Create the Identity service API endpoints:
The Identity service manages a catalog of API endpoints associated with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment.OpenStack uses three API endpoint variants for each service: admin, internal, and public.

认证服务还管理着一个服务相关的API endpoints目录，Services使用endpoints目录确定怎么与其他Services通信。每一个Openstack service提供了三种形式的API endpoint：admin管理, internal内部, and public外部.

[root@controller Desktop]# openstack endpoint create --region RegionOne identity public http://controller.jmilk.com:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 670ccbe782ba4e788c681f532d540177 | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | c89a25e54e5b4ca3b277b15ec0d75853 | | service_name | keystone | | service_type | identity | | url | http://192.168.1.5:5000/v3 | +--------------+----------------------------------+ [root@controller Desktop]# openstack endpoint create --region RegionOne identity internal http://controller.jmilk.com:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | c1d4504fc49741f4968d0c28ee66cbbc | | interface | internal | | region | RegionOne | | region_id | RegionOne | | service_id | c89a25e54e5b4ca3b277b15ec0d75853 | | service_name | keystone | | service_type | identity | | url | http://192.168.1.5:5000/v3 | +--------------+----------------------------------+ [root@controller Desktop]# openstack endpoint create --region RegionOne identity admin http://controller.jmilk.com:35357/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | b0a761a6365941d2a5db215c36883b4f | | interface | admin | | region | RegionOne | | region_id | RegionOne | | service_id | c89a25e54e5b4ca3b277b15ec0d75853 | | service_name | keystone | | service_type | identity | | url | http://192.168.1.5:35357/v3 | +--------------+----------------------------------+