Keystone v3: различия между версиями
Материал из noname.com.ua
Перейти к навигацииПерейти к поискуSirmax (обсуждение | вклад) (Новая страница: «Заметки о кейстоун v3 * https://ask.openstack.org/en/question/57508/why-my-openstackclient-doesnt-work-with-keystone-v3-api/ <PRE> cat /etc/o…») |
Sirmax (обсуждение | вклад) |
||
| (не показано 19 промежуточных версий этого же участника) | |||
| Строка 1: | Строка 1: | ||
| + | [[Категория:OpenStack]] |
||
| − | Заметки о кейстоун v3 |
||
| + | [[Категория:Keystone]] |
||
| + | [[Категория:Linux]] |
||
| + | =Заметки о кейстоун v3 = |
||
| + | |||
| + | |||
| + | Задача: |
||
| + | * сконфигурировать отдельно-стоящий кейстоун, другие сервисы опенстека не нужны. |
||
| + | * Пользователи в LDAP (LDAP поставить локально для теста) |
||
| + | * выдавать токены |
||
| + | * OS - CentOS7 |
||
| + | |||
| + | ==Apache== |
||
| + | Кейстоун это WSGI-приложение и деплоить его нужно соответственно под apache (другие варианты не пробовал) |
||
| + | <BR> |
||
| + | ДУмаю что это не слишком безопасная настройка с <B> DocumentRoot "/usr/bin"</B> но для тестового сервера вполне. |
||
| + | <PRE> |
||
| + | /etc/httpd/conf.d/keystone.conf |
||
| + | </PRE> |
||
| + | <PRE> |
||
| + | <VirtualHost 0.0.0.0:35357> |
||
| + | ServerName node-1.domain.tld |
||
| + | |||
| + | DocumentRoot "/usr/bin" |
||
| + | |||
| + | <Directory "/usr/bin"> |
||
| + | Options Indexes FollowSymLinks MultiViews |
||
| + | AllowOverride None |
||
| + | Require all granted |
||
| + | </Directory> |
||
| + | |||
| + | ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log" |
||
| + | ServerSignature Off |
||
| + | CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" |
||
| + | WSGIApplicationGroup apache |
||
| + | WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=1 threads=3 user=keystone |
||
| + | WSGIProcessGroup keystone_admin |
||
| + | WSGIScriptAlias / "/usr/bin/keystone-wsgi-admin" |
||
| + | WSGIPassAuthorization On |
||
| + | |||
| + | LimitRequestFieldSize 81900 |
||
| + | </VirtualHost> |
||
| + | |||
| + | <VirtualHost 0.0.0.0:5000> |
||
| + | ServerName node-1.domain.tld |
||
| + | |||
| + | ## Vhost docroot |
||
| + | DocumentRoot "/usr/bin" |
||
| + | |||
| + | <Directory "/usr/bin"> |
||
| + | Options Indexes FollowSymLinks MultiViews |
||
| + | AllowOverride None |
||
| + | Require all granted |
||
| + | </Directory> |
||
| + | ErrorLog "/var/log/httpd/keystone_wsgi_main_error.log" |
||
| + | ServerSignature Off |
||
| + | CustomLog "/var/log/httpd/keystone_wsgi_main_access.log" "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" |
||
| + | WSGIApplicationGroup apache |
||
| + | WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=1 threads=3 user=keystone |
||
| + | WSGIProcessGroup keystone_main |
||
| + | WSGIScriptAlias / "/usr/bin/keystone-wsgi-public" |
||
| + | WSGIPassAuthorization On |
||
| + | LimitRequestFieldSize 81900 |
||
| + | </VirtualHost> |
||
| + | </PRE> |
||
| + | Для убунты как минимум пути и имена бинарников будут отличаться |
||
| + | |||
| + | |||
| + | ==keystone.conf== |
||
| + | Настройки близки к минимальным |
||
| + | <PRE> |
||
| + | # cat /etc/keystone/keystone.conf | grep -v '#' | grep -v '^$' |
||
| + | [DEFAULT] |
||
| + | admin_token = z5Oq8GDTtFAvdGsld55WO6os |
||
| + | admin_endpoint = http://172.17.35.25:35357 |
||
| + | max_project_tree_depth = 5 |
||
| + | debug = True |
||
| + | verbose = True |
||
| + | log_file = keystone.log |
||
| + | log_dir = /var/log/keystone |
||
| + | [assignment] |
||
| + | [auth] |
||
| + | [cache] |
||
| + | [catalog] |
||
| + | [cors] |
||
| + | [cors.subdomain] |
||
| + | [credential] |
||
| + | [database] |
||
| + | connection = mysql://keystone:keystone@127.0.0.1/keystone?charset=utf8&read_timeout=60 |
||
| + | [domain_config] |
||
| + | driver = sql |
||
| + | [endpoint_filter] |
||
| + | [endpoint_policy] |
||
| + | [eventlet_server] |
||
| + | [eventlet_server_ssl] |
||
| + | [federation] |
||
| + | [fernet_tokens] |
||
| + | [identity] |
||
| + | default_domain_id = default |
||
| + | domain_specific_drivers_enabled = true |
||
| + | domain_configurations_from_database = false |
||
| + | domain_config_dir = /etc/keystone/domains |
||
| + | driver = sql |
||
| + | [identity_mapping] |
||
| + | [kvs] |
||
| + | [ldap] |
||
| + | [matchmaker_redis] |
||
| + | [memcache] |
||
| + | [oauth1] |
||
| + | [os_inherit] |
||
| + | [oslo_messaging_amqp] |
||
| + | [oslo_messaging_notifications] |
||
| + | [oslo_messaging_rabbit] |
||
| + | [oslo_middleware] |
||
| + | [oslo_policy] |
||
| + | [paste_deploy] |
||
| + | [policy] |
||
| + | [resource] |
||
| + | [revoke] |
||
| + | [role] |
||
| + | [saml] |
||
| + | [shadow_users] |
||
| + | [signing] |
||
| + | [ssl] |
||
| + | [token] |
||
| + | [tokenless_auth] |
||
| + | [trust] |
||
| + | </PRE> |
||
| + | |||
| + | Основаня магия доменов это здесь: |
||
| + | <PRE> |
||
| + | [identity] |
||
| + | default_domain_id = default |
||
| + | domain_specific_drivers_enabled = true |
||
| + | domain_configurations_from_database = false |
||
| + | domain_config_dir = /etc/keystone/domains |
||
| + | driver = sql |
||
| + | </PRE> |
||
| + | Эти настройки значат: |
||
| + | |||
| + | * искать домен-специфичные настройки в каталоге /etc/keystone/domains, имя файла должно быть <B>keystone.<domain_name>.conf</B>, например для моего домена ldaptest: <B>/etc/keystone/domains/keystone.ldaptest.conf</B> |
||
| + | * разрешить использовать разные бекенды для доменов. |
||
| + | |||
| + | На этом этапе подстерегает некоторое число засад |
||
| + | |||
| + | * ни под каким соусом у меня не заработал файл с бекендом SQL - вероятно нельзя создать домен с конфигурацией идентичной дефолтной. |
||
| + | * создавать надо строго в определенном порядке |
||
| + | ** включить опцию <B>domain_specific_drivers_enabled = true</B> |
||
| + | ** подложить файл конфигурации с указаным бекендом (но можно без опций этого бекенда) |
||
| + | ** рестартовать кейстоун |
||
| + | ** создать домен |
||
| + | |||
| + | ===keystone.ldaptest.conf=== |
||
| + | Для старта достаточно |
||
| + | <PRE> |
||
| + | [identity] |
||
| + | driver=ldap |
||
| + | </PRE> |
||
| + | остальные опции можно вписать позже. |
||
| + | <BR> |
||
| + | |||
| + | Мой файл выглядит так: |
||
| + | |||
| + | <PRE> |
||
| + | [identity] |
||
| + | driver=ldap |
||
| + | |||
| + | [ldap] |
||
| + | url = ldap://172.17.35.25 |
||
| + | user = cn=Manager,dc=my-domain,dc=com |
||
| + | password = r00tme |
||
| + | use_dumb_member = False |
||
| + | allow_subtree_delete = False |
||
| + | |||
| + | user_tree_dn = ou=People,dc=customer_organization,dc=my-domain,dc=com |
||
| + | group_tree_dn = ou=Group,dc=customer_organization,dc=my-domain,dc=com |
||
| + | |||
| + | |||
| + | user_objectclass = inetOrgPerson |
||
| + | user_name_attribute = uid |
||
| + | |||
| + | |||
| + | role_allow_create = False |
||
| + | role_allow_update = False |
||
| + | role_allow_delete = False |
||
| + | |||
| + | project_allow_create = False |
||
| + | project_allow_update = False |
||
| + | project_allow_delete = False |
||
| + | </PRE> |
||
| + | |||
| + | ==LDAP== |
||
| + | LDAP я поставил с минимальной конфигурацией. Залил следующие данные: |
||
| + | |||
| + | |||
| + | <PRE> |
||
| + | dn: dc=my-domain,dc=com |
||
| + | objectClass: top |
||
| + | objectClass: dcObject |
||
| + | objectClass: organization |
||
| + | o: fuel_users |
||
| + | dn: olcDatabase={2}hdb,cn=config |
||
| + | changetype: modify |
||
| + | replace: olcRootPW |
||
| + | olcRootPW: r00tme |
||
| + | </PRE> |
||
| + | |||
| + | |||
| + | <PRE> |
||
| + | dn: dc=customer_organization,dc=my-domain,dc=com |
||
| + | dc: customer_organization |
||
| + | o: Example Organization |
||
| + | objectClass: dcObject |
||
| + | objectClass: organizationdn: cn=admin,dc=my-domain,dc=com |
||
| + | objectClass: simpleSecurityObject |
||
| + | objectClass: organizationalRole |
||
| + | cn: admin |
||
| + | description: LDAP administrator |
||
| + | userPassword: {SSHA}bxQpFzYmIkILSbDEL3cVl+nf03mdra/tdn: ou=Group,dc=customer_organization,dc=my-domain,dc=com |
||
| + | ou: Group |
||
| + | objectClass: top |
||
| + | objectClass: organizationalUnit |
||
| + | </PRE> |
||
| + | |||
| + | <PRE> |
||
| + | dn: ou=People,dc=customer_organization,dc=my-domain,dc=com |
||
| + | ou: People |
||
| + | objectClass: top |
||
| + | objectClass: organizationalUnit |
||
| + | </PRE> |
||
| + | |||
| + | |||
| + | <PRE> |
||
| + | dn: cn=sirmax,ou=Group,dc=customer_organization,dc=my-domain,dc=com |
||
| + | objectClass: posixGroup |
||
| + | gidNumber: 9999 |
||
| + | description: Fuel Users |
||
| + | memberUid: sirmaxdn: uid=sirmax,ou=People,dc=customer_organization,dc=my-domain,dc=com |
||
| + | objectClass: top |
||
| + | objectClass: person |
||
| + | objectClass: organizationalPerson |
||
| + | objectClass: inetOrgPerson |
||
| + | objectClass: posixAccount |
||
| + | objectClass: shadowAccount |
||
| + | uid: sirmax |
||
| + | cn: Max Mazur |
||
| + | sn: Mazur |
||
| + | title: Max Mazur |
||
| + | telephoneNumber: +38 067 341 80 70 |
||
| + | postalAddress: AddressLine1$AddressLine2$AddressLine3 |
||
| + | userPassword: {CRYPT}$6$DS/mzad5$EB.cNCLE7KB7OCPK1nU6aEA8HnQDLY1FPd3KaWPVqaNBtWhmh/4cOUgD1I8tQSFu41yy7jMXDrg9TDqlAbuLX. |
||
| + | loginShell: /bin/bash |
||
| + | uidNumber: 9999 |
||
| + | gidNumber: 9999 |
||
| + | homeDirectory: /home/sirmax |
||
| + | description: This is me :) |
||
| + | </PRE> |
||
| + | |||
| + | |||
| + | <PRE> |
||
| + | dn: uid=test,ou=People,dc=customer_organization,dc=my-domain,dc=com |
||
| + | objectClass: top |
||
| + | objectClass: person |
||
| + | objectClass: organizationalPerson |
||
| + | objectClass: inetOrgPerson |
||
| + | objectClass: posixAccount |
||
| + | objectClass: shadowAccount |
||
| + | uid: test |
||
| + | cn: Test Test |
||
| + | sn: Test |
||
| + | title: Max Mazur |
||
| + | telephoneNumber: +000 |
||
| + | postalAddress: AddressLine1$AddressLine2$AddressLine3 |
||
| + | userPassword: {CRYPT}$6$DS/mzad5$EB.cNCLE7KB7OCPK1nU6aEA8HnQDLY1FPd3KaWPVqaNBtWhmh/4cOUgD1I8tQSFu41yy7jMXDrg9TDqlAbuLX. |
||
| + | loginShell: /bin/bash |
||
| + | uidNumber: 9999 |
||
| + | gidNumber: 9999 |
||
| + | homeDirectory: /home/test |
||
| + | description: This test user |
||
| + | </PRE> |
||
| + | |||
| + | ==openstack клиент== |
||
| + | |||
| + | начиная с какого-то момента кейстоун (особенно v3) использует openstack клиент (вместо утилиты keysone) |
||
| − | * https://ask.openstack.org/en/question/57508/why-my-openstackclient-doesnt-work-with-keystone-v3-api/ |
||
<PRE> |
<PRE> |
||
cat /etc/openstack/clouds.yaml |
cat /etc/openstack/clouds.yaml |
||
| + | </PRE> |
||
| + | |||
| + | |||
| + | * 2 части |
||
| + | ** дефолтный домен |
||
| + | ** домен для тестирования лдапа |
||
| + | <PRE> |
||
clouds: |
clouds: |
||
test: |
test: |
||
| Строка 20: | Строка 309: | ||
</PRE> |
</PRE> |
||
| + | <PRE> |
||
| + | ldaptest1: |
||
| + | identity-api-version: 3 |
||
| + | auth: |
||
| + | auth_url: http://172.17.35.25:35357/v3/ |
||
| + | project_name: sirmax |
||
| + | username: sirmax |
||
| + | password: r00tme |
||
| + | project_domain_id: e33e580874f046c39949500462f80a3c |
||
| + | user_domain_id: e33e580874f046c39949500462f80a3c |
||
| + | region_name: RegionOne |
||
| + | </PRE> |
||
| + | |||
| + | Создать домент так: |
||
<PRE> |
<PRE> |
||
| − | openstack --os-identity-api-version 3 domain create --description "Test |
+ | openstack --os-identity-api-version 3 domain create --description "Test ldap backend Domain" ldap |
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
| Field | Value | |
| Field | Value | |
||
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
| − | | description | Test |
+ | | description | Test ldap backend Domain | |
| enabled | True | |
| enabled | True | |
||
| − | | id | |
+ | | id | 0799329296c64c3192d3479cd2c18614 | |
| − | | name | |
+ | | name | ldap | |
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
</PRE> |
</PRE> |
||
| + | |||
<PRE> |
<PRE> |
||
| + | openstack --debug --os-cloud test domain list |
||
| − | openstack --os-identity-api-version 3 domain create --description "Test ldap backend Domain" ldap |
||
| + | |||
| + | +----------------------------------+----------+---------+-----------------------+ |
||
| + | | ID | Name | Enabled | Description | |
||
| + | +----------------------------------+----------+---------+-----------------------+ |
||
| + | | 69ecb5b256c14d168d788e5f69b367a2 | test1 | True | ldap backend Domain | |
||
| + | | default | Default | True | The default domain | |
||
| + | | e33e580874f046c39949500462f80a3c | ldaptest | True | ldap backend Domain | |
||
| + | +----------------------------------+----------+---------+-----------------------+ |
||
| + | </PRE> |
||
| + | |||
| + | |||
| + | |||
| + | ==Создание проекта и назначение роли== |
||
| + | |||
| + | <PRE> |
||
| + | openstack --debug --os-cloud test project create --domain ldaptest --description "test" testproject |
||
| + | |||
| + | |||
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
| Field | Value | |
| Field | Value | |
||
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
| − | | description | |
+ | | description | test | |
| + | | domain_id | e33e580874f046c39949500462f80a3c | |
||
| enabled | True | |
| enabled | True | |
||
| − | | id | |
+ | | id | facc7e61f02b4b8084973efdd54cd8fd | |
| − | | |
+ | | is_domain | False | |
| + | | name | testproject | |
||
| + | | parent_id | e33e580874f046c39949500462f80a3c | |
||
+-------------+----------------------------------+ |
+-------------+----------------------------------+ |
||
</PRE> |
</PRE> |
||
| − | |||
<PRE> |
<PRE> |
||
openstack --debug --os-cloud test domain list |
openstack --debug --os-cloud test domain list |
||
| + | |||
| − | +----------------------------------+---------+---------+-----------------------------+ |
||
| + | |||
| − | | ID | Name | Enabled | Description | |
||
| − | +----------------------------------+---------+---------+ |
+ | +----------------------------------+----------+---------+-----------------------+ |
| − | | |
+ | | ID | Name | Enabled | Description | |
| + | +----------------------------------+----------+---------+-----------------------+ |
||
| − | | 107c679c80264cc080c439a784d95466 | sql | True | Test sql backend Domain | |
||
| − | | |
+ | | 69ecb5b256c14d168d788e5f69b367a2 | test1 | True | ldap backend Domain | |
| − | | default | Default | True | The default domain |
+ | | default | Default | True | The default domain | |
| + | | e33e580874f046c39949500462f80a3c | ldaptest | True | ldap backend Domain | |
||
| − | +----------------------------------+---------+---------+-----------------------------+ |
||
| + | +----------------------------------+----------+---------+-----------------------+ |
||
| + | |||
| + | |||
</PRE> |
</PRE> |
||
| + | <PRE> |
||
| + | openstack --debug --os-cloud test user list --domain ldaptest |
||
| + | |||
| + | |||
| + | +------------------------------------------------------------------+--------+ |
||
| + | | ID | Name | |
||
| + | +------------------------------------------------------------------+--------+ |
||
| + | | ca5c3062cd6030942e7de61e57278b8755675c26cc2d17a8448408e2a7bafc97 | sirmax | |
||
| + | | 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee | test | |
||
| + | +------------------------------------------------------------------+--------+ |
||
| + | |||
| + | </PRE> |
||
| + | |||
| + | <PRE> |
||
| + | openstack --debug --os-cloud test role add --project testproject --user 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee admin |
||
| + | </PRE> |
||
| + | |||
| + | После чего этот пользователь сможет работать с минимальной конфигурацией - например получать токены |
||
| + | <BR>Добавить секцию в clouds.yaml |
||
| + | <PRE> |
||
| + | ldaptest2: |
||
| + | identity-api-version: 3 |
||
| + | auth: |
||
| + | auth_url: http://172.17.35.25:35357/v3/ |
||
| + | project_name: testproject |
||
| + | username: test |
||
| + | password: r00tme |
||
| + | project_domain_id: e33e580874f046c39949500462f80a3c |
||
| + | user_domain_id: e33e580874f046c39949500462f80a3c |
||
| + | region_name: RegionOne |
||
| + | </PRE> |
||
| + | |||
| + | <PRE> |
||
| + | openstack --debug --os-cloud ldaptest2 token issue |
||
| + | |||
| + | |||
| + | +------------+------------------------------------------------------------------+ |
||
| + | | Field | Value | |
||
| + | +------------+------------------------------------------------------------------+ |
||
| + | | expires | 2016-08-16T16:27:26.499057Z | |
||
| + | | id | a2cba9fe1eca4190887de2222753f744 | |
||
| + | | project_id | facc7e61f02b4b8084973efdd54cd8fd | |
||
| + | | user_id | 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee | |
||
| + | +------------+------------------------------------------------------------------+ |
||
| + | </PRE> |
||
| + | |||
| + | =Ссылки= |
||
| + | * https://ask.openstack.org/en/question/57508/why-my-openstackclient-doesnt-work-with-keystone-v3-api/ |
||
| + | * http://docs.openstack.org/mitaka/install-guide-obs/keystone-users.html |
||
| + | * http://docs.openstack.org/admin-guide/keystone-integrate-assignment-backend-ldap.html |
||
| + | * http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/ |
||
| + | * http://docs.openstack.org/admin-guide/keystone-integrate-identity-backend-ldap.html |
||
| + | * http://docs.openstack.org/admin-guide/keystone-integrate-with-ldap.html |
||
| + | * http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/ |
||
Текущая версия на 15:26, 16 августа 2016
Заметки о кейстоун v3
Задача:
- сконфигурировать отдельно-стоящий кейстоун, другие сервисы опенстека не нужны.
- Пользователи в LDAP (LDAP поставить локально для теста)
- выдавать токены
- OS - CentOS7
Apache
Кейстоун это WSGI-приложение и деплоить его нужно соответственно под apache (другие варианты не пробовал)
ДУмаю что это не слишком безопасная настройка с DocumentRoot "/usr/bin" но для тестового сервера вполне.
/etc/httpd/conf.d/keystone.conf
<VirtualHost 0.0.0.0:35357>
ServerName node-1.domain.tld
DocumentRoot "/usr/bin"
<Directory "/usr/bin">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
ServerSignature Off
CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
WSGIApplicationGroup apache
WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=1 threads=3 user=keystone
WSGIProcessGroup keystone_admin
WSGIScriptAlias / "/usr/bin/keystone-wsgi-admin"
WSGIPassAuthorization On
LimitRequestFieldSize 81900
</VirtualHost>
<VirtualHost 0.0.0.0:5000>
ServerName node-1.domain.tld
## Vhost docroot
DocumentRoot "/usr/bin"
<Directory "/usr/bin">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
ErrorLog "/var/log/httpd/keystone_wsgi_main_error.log"
ServerSignature Off
CustomLog "/var/log/httpd/keystone_wsgi_main_access.log" "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
WSGIApplicationGroup apache
WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=1 threads=3 user=keystone
WSGIProcessGroup keystone_main
WSGIScriptAlias / "/usr/bin/keystone-wsgi-public"
WSGIPassAuthorization On
LimitRequestFieldSize 81900
</VirtualHost>
Для убунты как минимум пути и имена бинарников будут отличаться
keystone.conf
Настройки близки к минимальным
# cat /etc/keystone/keystone.conf | grep -v '#' | grep -v '^$' [DEFAULT] admin_token = z5Oq8GDTtFAvdGsld55WO6os admin_endpoint = http://172.17.35.25:35357 max_project_tree_depth = 5 debug = True verbose = True log_file = keystone.log log_dir = /var/log/keystone [assignment] [auth] [cache] [catalog] [cors] [cors.subdomain] [credential] [database] connection = mysql://keystone:keystone@127.0.0.1/keystone?charset=utf8&read_timeout=60 [domain_config] driver = sql [endpoint_filter] [endpoint_policy] [eventlet_server] [eventlet_server_ssl] [federation] [fernet_tokens] [identity] default_domain_id = default domain_specific_drivers_enabled = true domain_configurations_from_database = false domain_config_dir = /etc/keystone/domains driver = sql [identity_mapping] [kvs] [ldap] [matchmaker_redis] [memcache] [oauth1] [os_inherit] [oslo_messaging_amqp] [oslo_messaging_notifications] [oslo_messaging_rabbit] [oslo_middleware] [oslo_policy] [paste_deploy] [policy] [resource] [revoke] [role] [saml] [shadow_users] [signing] [ssl] [token] [tokenless_auth] [trust]
Основаня магия доменов это здесь:
[identity] default_domain_id = default domain_specific_drivers_enabled = true domain_configurations_from_database = false domain_config_dir = /etc/keystone/domains driver = sql
Эти настройки значат:
- искать домен-специфичные настройки в каталоге /etc/keystone/domains, имя файла должно быть keystone.<domain_name>.conf, например для моего домена ldaptest: /etc/keystone/domains/keystone.ldaptest.conf
- разрешить использовать разные бекенды для доменов.
На этом этапе подстерегает некоторое число засад
- ни под каким соусом у меня не заработал файл с бекендом SQL - вероятно нельзя создать домен с конфигурацией идентичной дефолтной.
- создавать надо строго в определенном порядке
- включить опцию domain_specific_drivers_enabled = true
- подложить файл конфигурации с указаным бекендом (но можно без опций этого бекенда)
- рестартовать кейстоун
- создать домен
keystone.ldaptest.conf
Для старта достаточно
[identity] driver=ldap
остальные опции можно вписать позже.
Мой файл выглядит так:
[identity] driver=ldap [ldap] url = ldap://172.17.35.25 user = cn=Manager,dc=my-domain,dc=com password = r00tme use_dumb_member = False allow_subtree_delete = False user_tree_dn = ou=People,dc=customer_organization,dc=my-domain,dc=com group_tree_dn = ou=Group,dc=customer_organization,dc=my-domain,dc=com user_objectclass = inetOrgPerson user_name_attribute = uid role_allow_create = False role_allow_update = False role_allow_delete = False project_allow_create = False project_allow_update = False project_allow_delete = False
LDAP
LDAP я поставил с минимальной конфигурацией. Залил следующие данные:
dn: dc=my-domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: fuel_users
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: r00tme
dn: dc=customer_organization,dc=my-domain,dc=com
dc: customer_organization
o: Example Organization
objectClass: dcObject
objectClass: organizationdn: cn=admin,dc=my-domain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}bxQpFzYmIkILSbDEL3cVl+nf03mdra/tdn: ou=Group,dc=customer_organization,dc=my-domain,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: ou=People,dc=customer_organization,dc=my-domain,dc=com ou: People objectClass: top objectClass: organizationalUnit
dn: cn=sirmax,ou=Group,dc=customer_organization,dc=my-domain,dc=com
objectClass: posixGroup
gidNumber: 9999
description: Fuel Users
memberUid: sirmaxdn: uid=sirmax,ou=People,dc=customer_organization,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: sirmax
cn: Max Mazur
sn: Mazur
title: Max Mazur
telephoneNumber: +38 067 341 80 70
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}$6$DS/mzad5$EB.cNCLE7KB7OCPK1nU6aEA8HnQDLY1FPd3KaWPVqaNBtWhmh/4cOUgD1I8tQSFu41yy7jMXDrg9TDqlAbuLX.
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/sirmax
description: This is me :)
dn: uid=test,ou=People,dc=customer_organization,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test
cn: Test Test
sn: Test
title: Max Mazur
telephoneNumber: +000
postalAddress: AddressLine1$AddressLine2$AddressLine3
userPassword: {CRYPT}$6$DS/mzad5$EB.cNCLE7KB7OCPK1nU6aEA8HnQDLY1FPd3KaWPVqaNBtWhmh/4cOUgD1I8tQSFu41yy7jMXDrg9TDqlAbuLX.
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 9999
homeDirectory: /home/test
description: This test user
openstack клиент
начиная с какого-то момента кейстоун (особенно v3) использует openstack клиент (вместо утилиты keysone)
cat /etc/openstack/clouds.yaml
- 2 части
- дефолтный домен
- домен для тестирования лдапа
clouds:
test:
identity-api-version: 3
auth:
auth_url: http://172.17.35.25:35357/v3/
project_name: admin
username: admin
password: admin
project_domain_id: default
user_domain_id: default
region_name: RegionOne
ldaptest1:
identity-api-version: 3
auth:
auth_url: http://172.17.35.25:35357/v3/
project_name: sirmax
username: sirmax
password: r00tme
project_domain_id: e33e580874f046c39949500462f80a3c
user_domain_id: e33e580874f046c39949500462f80a3c
region_name: RegionOne
Создать домент так:
openstack --os-identity-api-version 3 domain create --description "Test ldap backend Domain" ldap +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Test ldap backend Domain | | enabled | True | | id | 0799329296c64c3192d3479cd2c18614 | | name | ldap | +-------------+----------------------------------+
openstack --debug --os-cloud test domain list +----------------------------------+----------+---------+-----------------------+ | ID | Name | Enabled | Description | +----------------------------------+----------+---------+-----------------------+ | 69ecb5b256c14d168d788e5f69b367a2 | test1 | True | ldap backend Domain | | default | Default | True | The default domain | | e33e580874f046c39949500462f80a3c | ldaptest | True | ldap backend Domain | +----------------------------------+----------+---------+-----------------------+
Создание проекта и назначение роли
openstack --debug --os-cloud test project create --domain ldaptest --description "test" testproject +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | test | | domain_id | e33e580874f046c39949500462f80a3c | | enabled | True | | id | facc7e61f02b4b8084973efdd54cd8fd | | is_domain | False | | name | testproject | | parent_id | e33e580874f046c39949500462f80a3c | +-------------+----------------------------------+
openstack --debug --os-cloud test domain list +----------------------------------+----------+---------+-----------------------+ | ID | Name | Enabled | Description | +----------------------------------+----------+---------+-----------------------+ | 69ecb5b256c14d168d788e5f69b367a2 | test1 | True | ldap backend Domain | | default | Default | True | The default domain | | e33e580874f046c39949500462f80a3c | ldaptest | True | ldap backend Domain | +----------------------------------+----------+---------+-----------------------+
openstack --debug --os-cloud test user list --domain ldaptest +------------------------------------------------------------------+--------+ | ID | Name | +------------------------------------------------------------------+--------+ | ca5c3062cd6030942e7de61e57278b8755675c26cc2d17a8448408e2a7bafc97 | sirmax | | 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee | test | +------------------------------------------------------------------+--------+
openstack --debug --os-cloud test role add --project testproject --user 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee admin
После чего этот пользователь сможет работать с минимальной конфигурацией - например получать токены
Добавить секцию в clouds.yaml
ldaptest2:
identity-api-version: 3
auth:
auth_url: http://172.17.35.25:35357/v3/
project_name: testproject
username: test
password: r00tme
project_domain_id: e33e580874f046c39949500462f80a3c
user_domain_id: e33e580874f046c39949500462f80a3c
region_name: RegionOne
openstack --debug --os-cloud ldaptest2 token issue +------------+------------------------------------------------------------------+ | Field | Value | +------------+------------------------------------------------------------------+ | expires | 2016-08-16T16:27:26.499057Z | | id | a2cba9fe1eca4190887de2222753f744 | | project_id | facc7e61f02b4b8084973efdd54cd8fd | | user_id | 593ef710581a7ad614727971d84bef0610d5f7aa359c44919461d5cd24ae0aee | +------------+------------------------------------------------------------------+
Ссылки
- https://ask.openstack.org/en/question/57508/why-my-openstackclient-doesnt-work-with-keystone-v3-api/
- http://docs.openstack.org/mitaka/install-guide-obs/keystone-users.html
- http://docs.openstack.org/admin-guide/keystone-integrate-assignment-backend-ldap.html
- http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/
- http://docs.openstack.org/admin-guide/keystone-integrate-identity-backend-ldap.html
- http://docs.openstack.org/admin-guide/keystone-integrate-with-ldap.html
- http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/
