Integrating OpenStack Keystone with an External LDAP Server


In OpenStack, the user and password information that Keystone uses for authentication is normally stored in the keystone database in MySQL:

in the tables local_user and password.

Keystone also supports having an external LDAP server supply the user authentication information, the so-called domain-specific Identity:

Keystone supports the option (disabled by default) to specify identity driver (domain-specific Identity drivers) configurations on a domain by domain basis, allowing, for example, a specific domain to have its own LDAP or SQL server.

Domain-specific Identity configuration options can be stored in domain-specific configuration files, or in the Identity SQL database using API REST calls.

For details see the official documentation:

https://docs.openstack.org/keystone/rocky/admin/identity-domain-specific-config.html

https://docs.openstack.org/keystone/rocky/configuration.html (Configuring Keystone)

Below is a simple example describing the relevant steps and the OpenStack configuration.

(See https://docs.openstack.org/keystone/rocky/admin/identity-integrate-with-ldap.html [Integrate Identity with LDAP])

1) Install an LDAP server, for example Windows Active Directory (refer to the relevant documentation):

After installation, create a user and password and gather the following information for the OpenStack integration:

++ the URL, for example ldap://10.168.120.120:389

++ the bind user, for example CN=administrator,CN=users,DC=star,DC=com, together with its password

++ the Base DN, for example DC=star,DC=com

2) On the OpenStack controller, run an LDAP command to verify the connection to the LDAP server, for example:

ldapsearch -x -h 10.168.120.120 -p 389 -D "CN=administrator,CN=users,DC=star,DC=com" -w password123 -b "DC=star,DC=com"

If the query returns results normally, the OpenStack controller has connected to the LDAP server successfully.

3) Perform the domain-specific configuration on the OpenStack controller:

>> 3.1) Enable domain-specific drivers:

To enable domain-specific drivers, set these options in the /etc/keystone/keystone.conf file:

[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

Note: the configuration files live in the directory given by domain_config_dir and are named keystone.<domain_name>.conf (<domain_name> is the domain created later with the openstack command).

Also set the [assignment] backend driver to sql:

[assignment]

driver = sql

(Note: I am not sure whether this is related to the following passage:

 Although keystone supports multiple LDAP backends via the above domain-specific configuration methods, it currently only supports one SQL backend. This could be either the default driver or a single domain-specific backend, perhaps for storing service users in a predominantly LDAP installation.)

>> 3.2) Create the directory that holds the config files:

root@server1:~# mkdir -p /etc/keystone/domains
root@server1:~# chown keystone /etc/keystone/domains

>> 3.3) Create the domain with the openstack command:

root@server1:~# openstack domain create star
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 012df6be871c4b33949c50dc461a0751 |
| name        | star                             |
+-------------+----------------------------------+

root@server1:~# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| 012df6be871c4b33949c50dc461a0751 | star    | True    |                    |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+

>> 3.4) Create the corresponding domain driver file (for its contents see the "Integrate Identity with LDAP" page mentioned above or the [ldap] section of keystone.conf; the domain in the file name is the one created in the previous step):

root@server1:/etc/keystone/domains# vi keystone.star.conf

For example:
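As an added example (not from the original post or from keystone itself), the following Python script embeds a constructed keystone.star.conf built from the values above and lints it the way a reviewer would before restarting keystone: it flags a bind password sent over plain ldap:// without use_tls, and a world-readable config file (vi as root leaves mode 0644, so the chown in step 3.2 alone does not protect the password). The [ldap] option names are real keystone options; the Active Directory attribute mappings and the memberOf filter for the openstack group of step 5.1 are assumptions.

```python
import configparser
import os
import stat
import tempfile

# Constructed keystone.star.conf built from the walkthrough's values; the option names
# are real keystone [ldap] options, the AD attribute mappings and memberOf filter are assumed.
SAMPLE_CONF = """\
[identity]
driver = ldap

[ldap]
url = ldap://10.168.120.120:389
user = CN=administrator,CN=users,DC=star,DC=com
password = password123
suffix = DC=star,DC=com
user_tree_dn = CN=users,DC=star,DC=com
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_filter = (memberOf=CN=openstack,CN=users,DC=star,DC=com)
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
use_tls = False
"""

def write_domain_conf(directory, domain, text, mode=0o640):
    """Write keystone.<domain>.conf with an explicit mode (vi as root leaves 0644)."""
    path = os.path.join(directory, "keystone.%s.conf" % domain)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def lint_domain_conf(path):
    """Return the findings a reviewer would raise for one domain config file."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    url = cp.get("ldap", "url", fallback="")
    if url.startswith("ldap://") and not cp.getboolean("ldap", "use_tls", fallback=False):
        findings.append("bind password crosses the network in clear text: ldap:// without use_tls")
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
        findings.append("file is world-readable but holds the bind password")
    return findings

def lint_sample(text, mode):
    """Write `text` as keystone.star.conf in a scratch directory and lint it."""
    return lint_domain_conf(write_domain_conf(tempfile.mkdtemp(), "star", text, mode))
```

Switching the url to ldaps:// (or setting use_tls = True together with tls_cacertfile) and writing the file with mode 0640 clears both findings.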

4) Restart the keystone service; afterwards the newly added entries can be seen with the openstack command.

5) Next, verify the integration:

>> 5.1) On the LDAP server, add a new user and put it in the group openstack, for example test_user (password password321);

>> 5.2) The user is now visible on the OpenStack controller:

root@server1:# openstack user list --domain star
+------------------------------------------------------------------+-----------+
| ID                                                               | Name      |
+------------------------------------------------------------------+-----------+
| f730d57dc79553aa5cf99b0c15b70283787f930d5b599c2385c5712cbcc11c46 | test_user |
+------------------------------------------------------------------+-----------+

>> 5.3) Give the user a role with administrative privileges:

root@server1:~# openstack role add --project admin --user f730d57dc79553aa5cf99b0c15b70283787f930d5b599c2385c5712cbcc11c46 admin

>> 5.4) Create a source environment file for this user containing the following key information:

>> 5.5) Source the environment file for test_user; openstack commands now run normally:

root@server1:~# source openrc-test
root@server1:~# nova list

Note: a related topic is id mapping; see "Configuring Keystone":

https://docs.openstack.org/keystone/rocky/configuration.html

Due to the need for user and group IDs to be unique across an OpenStack installation and for keystone to be able to deduce which domain and backend to use from just a user or group ID, it dynamically builds a persistent identity mapping table from a public ID to the actual domain, local ID (within that backend) and entity type.

The data is stored in the id_mapping table of the keystone database in MySQL:

mysql> select* from id_mapping;
+------------------------------------------------------------------+----------------------------------+-----------+-------------+
| public_id                                                        | domain_id                        | local_id  | entity_type |
+------------------------------------------------------------------+----------------------------------+-----------+-------------+
| f730d57dc79553aa5cf99b0c15b70283787f930d5b599c2385c5712cbcc11c46 | 012df6be871c4b33949c50dc461a0751 | test_user | user        |
| 967ecd62f1987b626476221d3beb051a72ed45c84324327ea82c58b887ce8953 | 012df6be871c4b33949c50dc461a0751 | test-ldap | user        |
+------------------------------------------------------------------+----------------------------------+-----------+-------------+
