Keystone authentication service
Posted by djlsunshine
Preface: this article was compiled by the editors of cha138.com; it introduces the Keystone authentication service and is intended as a reference.
Lab platform: single-node OpenStack
I. Related concepts
1. Authentication
Authentication is the process of confirming whether a user is permitted access.
2. Credentials
Data used to confirm a user's identity.
3. Token
Usually a string of bits or characters used as a marker for accessing resources. (A token has a limited validity period and can be revoked at any time.)
4. Tenant
Also called a project in earlier versions; it is a collection of resources in the various services that can be accessed.
Once the platform is built, three tenants exist: admin, service and demo.
The admin tenant represents the administration group and holds the highest privileges on the platform; it can update, delete and modify any data in the system.
The service tenant represents the full set of services on the platform; every service installed on the platform joins this tenant by default, which simplifies unified management later. This tenant can modify the configuration of all services under it and submit the tenant's contents and changes.
demo is a demonstration and test tenant.
5. User
Someone or something that uses the services: a person, a service or a system that consumes OpenStack services.
6. Role
Represents the set of resource permissions that a group of users can access.
Once the platform is built, the system creates two roles, _member_ and admin.
_member_ is the permission level of an ordinary system user: normal use of the system plus management of the current tenant.
The admin role represents the system administrator identity and has absolute administrative authority over the system.
7. Relationships
The relationships among projects, users and roles in OpenStack are as follows:
A project is a collection of users (a project is also called a tenant or account); a user can belong to one or more projects; a role determines a user's permissions, and roles are assigned to user-project pairs.
8. Authentication service flow
A user's request for a cloud instance involves the Keystone (identity), Nova (compute) and Glance (image) services; within this flow the token is passed along as proof of authentication. The specific flow of the service request authentication mechanism is shown in the figure:
Service request authentication flow (figure)
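The concepts above (roles bound to user-project pairs, tokens scoped to one tenant, expiry and revocation, and a service checking the token before doing work) as a small runnable model. This is an added example, not OpenStack code; the users, passwords, tenants and role names are constructed, and the credential store is a plaintext toy.

```python
# Toy model of the Keystone v2 concepts above: users, tenants, roles assigned to
# (user, tenant) pairs, and scoped tokens that expire or can be revoked.
# Added example, not OpenStack code; all users, passwords and ids are constructed.
import secrets
from datetime import datetime, timedelta, timezone

# Toy credential store. Real Keystone stores password hashes, never plaintext.
USERS = {"admin": "000000", "alice": "mypassword123"}
# Role assignments live on user-project pairs, as section 7 describes.
ASSIGNMENTS = {("admin", "admin"): {"admin"}, ("alice", "acme"): {"compute-user"}}
TOKENS = {}  # token id -> {"user", "tenant", "expires", "revoked"}
TOKEN_TTL = timedelta(hours=1)


def issue_token(user, password, tenant, now=None):
    """Keystone's side: check credentials, then issue a token scoped to one tenant.
    A user may only scope to a tenant where they hold at least one role."""
    now = now or datetime.now(timezone.utc)
    if not secrets.compare_digest(USERS.get(user, ""), password):
        raise PermissionError("invalid credentials")
    if not ASSIGNMENTS.get((user, tenant)):
        raise PermissionError(f"{user} has no role in tenant {tenant}")
    tid = secrets.token_urlsafe(32)  # opaque marker, as section 3 describes
    TOKENS[tid] = {"user": user, "tenant": tenant, "expires": now + TOKEN_TTL, "revoked": False}
    return tid


def validate_token(tid, now=None):
    """The service side (Nova, Glance): what X-Auth-Token must pass before any work is done.
    Returns the token's scope and roles, or None if unknown, expired or revoked."""
    now = now or datetime.now(timezone.utc)
    rec = TOKENS.get(tid)
    if rec is None or rec["revoked"] or now >= rec["expires"]:
        return None
    roles = ASSIGNMENTS.get((rec["user"], rec["tenant"]), set())
    return {"user": rec["user"], "tenant": rec["tenant"], "roles": set(roles)}


def revoke_token(tid):
    """Revocation makes a token unusable before its expiry (section 3)."""
    if tid in TOKENS:
        TOKENS[tid]["revoked"] = True


def authorize(tid, required_role, now=None):
    """Role check a service would apply to an operation: valid token AND the role in scope."""
    ctx = validate_token(tid, now)
    return ctx is not None and required_role in ctx["roles"]
```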
II. Configuring the Keystone environment
Environment variables for the admin user: admin-openrc.sh, used to manage the resulting credentials and endpoints.
Location of the main configuration file:
[[email protected] ~]# cd /etc/keystone/
[[email protected] keystone]# ls
admin-openrc.sh  default_catalog.templates  keystone.conf  logging.conf  policy.json  ssl
Request an identity token to verify the service:
[[email protected] ~]# keystone --os-username=admin --os-password=000000 --os-auth-url=http://192.168.100.10:35357/v2.0 token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2019-01-24T17:05:36Z       |
|     id    |      (long token value omitted)  |
| tenant_id | 18e38545a20f4fbb8dba8944118d43bc |
|  user_id  | 4dfa571804444b8684f42d25667e2e0c |
+-----------+----------------------------------+
[[email protected] ~]#
The token value is obtained by accessing http://172.24.0.10:35357/v2.0 as the admin user.
III. Managing identity users
1. Create a user
Create an account named "alice" with the password "mypassword123" and the email "[email protected]":
# keystone user-create --name=alice --pass=mypassword123 --email=[email protected]
The general format is:
keystone user-create --name <user-name> --tenant <tenant> --pass <pass> --email <email> --enabled <true|false>
The <tenant> parameter binds the user to a tenant.
[[email protected] ~]# keystone user-create --name=alice --pass=mypassword123 --email=[email protected]
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |        [email protected]         |
| enabled  |               True               |
|    id    | cf126a8e69574dd6ba48acff29046951 |
|   name   |              alice               |
| username |              alice               |
+----------+----------------------------------+
Check the output above.
2. Create a tenant
Create a tenant named "acme".
Other parameters:
Tenant description: [--description <tenant-description>]
[--enabled <true|false>]
# keystone tenant-create --name=acme
[[email protected] ~]# keystone tenant-create --name=acme
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 12ad967d5d6742328f007749917cc5b1 |
|     name    |               acme               |
+-------------+----------------------------------+
3. Create a role
A role limits which operations a user may perform. For example, create a role named "compute-user":
# keystone role-create --name=compute-user
[[email protected] ~]# keystone role-create --name=compute-user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | c26db3d217044f32a3f27fa88874eba6 |
|   name   |           compute-user           |
+----------+----------------------------------+
4. Bind the user to a tenant and role
Associate the user with the corresponding tenant and role.
Give user "alice" the "compute-user" role in the "acme" tenant:
# keystone user-role-add --user=alice --role=compute-user --tenant-id=12ad967d5d6742328f007749917cc5b1
[[email protected] ~]# keystone user-role-add --user=alice --role=compute-user --tenant-id=12ad967d5d6742328f007749917cc5b1
[[email protected] ~]#
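Step 4 needs the tenant id printed by step 2, which the tutorial copies by hand. The following added example (not part of the tutorial or of OpenStack) parses the keystone CLI's table output so the four steps can be chained in a script; it assumes admin-openrc.sh has been sourced so the CLI can authenticate, and the email address in it is a placeholder.

```python
# Parse the table output of the legacy keystone CLI so that the tenant id from
# tenant-create can be passed to user-role-add without pasting it by hand.
# Added example, not part of the tutorial or OpenStack; it assumes admin-openrc.sh has
# been sourced so the keystone CLI can authenticate, and the email is a placeholder.
import subprocess


def parse_keystone_table(text):
    """Turn the two-column +---+ / | Property | Value | table into a dict."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # +------+ border lines or anything that is not a table row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Property":
            continue  # header row or a malformed line
        rows[cells[0]] = cells[1]
    return rows


def keystone(*args):
    """Run one keystone CLI command and return its output table as a dict.
    Commands that print nothing (user-role-add) yield an empty dict."""
    out = subprocess.check_output(["keystone", *args], text=True)
    return parse_keystone_table(out)


# Constructed sample: the tenant-create output shown in the tutorial.
SAMPLE_TENANT_OUTPUT = """\
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 12ad967d5d6742328f007749917cc5b1 |
|     name    |               acme               |
+-------------+----------------------------------+
"""

if __name__ == "__main__":
    # The tutorial's four steps, chained. Note that --pass puts the password in the
    # process list and shell history, exactly as the interactive command does.
    tenant = keystone("tenant-create", "--name=acme")
    keystone("user-create", "--name=alice", "--pass=mypassword123",
             "--email=alice@example.invalid")  # placeholder address
    keystone("role-create", "--name=compute-user")
    keystone("user-role-add", "--user=alice", "--role=compute-user",
             f"--tenant-id={tenant['id']}")
    print("alice bound to compute-user in tenant", tenant["id"])
```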
end