OpenStack Keystone Installation
The OpenStack Kilo release still uses Keystone.
Put simply, Keystone is the component that provides the user authentication service.
The OpenStack user authentication concepts are as follows.
- user
- credentials
- authentication
- token
- tenant
- service
- endpoint
- role
- keystone client
OpenStack Keystone Configuration
A Keystone user must be registered in the database.
1. Register the Keystone user
1-1. Control Node
- Register MySQL user - keystone
$ mysql -u root -p
[MySQL session]--------------------------------------------
MariaDB [(none)] > CREATE DATABASE keystone;
MariaDB [(none)] > GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)] > GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)] > exit
-----------------------------------------------------------
$ sudo su
$ echo "manual" > /etc/init/keystone.override
$ exit
$ sudo apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
$ openssl rand -hex 10
[Note]-----------------------------------------------------------------
Copy the output of openssl rand -hex 10 and paste it into a notepad,
because the generated random value is used as keystone's admin_token.
------------------------------------------------------------------------
$ sudo vi /etc/keystone/keystone.conf
- keystone.conf
[admin_token setting using the generated random value]--------------------
[DEFAULT]
...
admin_token = 8d65110e0540c7e9b126
-------------------------------------------------------------------------
[Database connection setting]--------------------------------------------------
[database]
...
connection = mysql://keystone:KEYSTONE_DBPASS@controlnode01/keystone
--------------------------------------------------------------------------
[memcache setting]-------------------------------------------------------
[memcache]
...
servers = localhost:11211
--------------------------------------------------------------------------
[Token provider and driver setting]-----------------------------------------
[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
--------------------------------------------------------------------------
[revoke: SQL revocation driver setting]-------------------------------
[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
--------------------------------------------------------------------------
[Logging setting]----------------------------------------------------------
[DEFAULT]
...
verbose = True
--------------------------------------------------------------------------
- DB sync
$ sudo su
$ su -s /bin/sh -c "keystone-manage db_sync" keystone
2. Apache HTTP server configuration
2-1. Control Node
- Register the Apache server name
$ sudo vi /etc/apache2/apache2.conf
[Add]-------------------------------------------------
ServerName controlnode01
-------------------------------------------------------
- Create the Keystone WSGI site file
$ sudo vi /etc/apache2/sites-available/wsgi-keystone.conf
[Create new file]---------------------------------------
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
-------------------------------------------------------
- Service enable
$ sudo ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
- Create the WSGI component directory
$ sudo mkdir -p /var/www/cgi-bin/keystone
- Fetch the WSGI script from the upstream repository
$ sudo su
$ curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
- Set directory ownership and permissions
$ chown -R keystone:keystone /var/www/cgi-bin/keystone
$ chmod 755 /var/www/cgi-bin/keystone/*
- Restart the Apache server and remove the default SQLite database
$ sudo service apache2 restart
$ sudo rm -f /var/lib/keystone/keystone.db
OpenStack Keystone Configuration - Endpoint Registration
1. Register the endpoint
1-1. Control Node
- Token setting
- Export the random value used when registering Keystone
$ export OS_TOKEN=8d65110e0540c7e9b126
$ export OS_URL=http://controlnode01:35357/v2.0
- Register the service
$ openstack service create --name keystone --description "OpenStack Identity" identity
[Result]
+-------------+-------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 048ddf9767454c54aababa5256ad3ab2 |
| name | keystone |
| type | identity |
+-------------+-------------------------------------------+
- Create the endpoint
$ openstack endpoint create --publicurl http://controlnode01:5000/v2.0 --internalurl http://controlnode01:5000/v2.0 --adminurl http://controlnode01:35357/v2.0 --region RegionOne identity
[Result]
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| adminurl | http://controlnode01:35357/v2.0 |
| id | fd2163d94127414aa16114b793eaff6a |
| internalurl | http://controlnode01:5000/v2.0 |
| publicurl | http://controlnode01:5000/v2.0 |
| region | RegionOne |
| service_id | 048ddf9767454c54aababa5256ad3ab2 |
| service_name | keystone |
| service_type | identity |
+--------------+-------------------------------------------+
2. Create the admin project, user and role
2-1. Control Node
- Register the admin project
$ openstack project create --description "Admin Project" admin
[Result]
+-------------+-------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------+
| description | Admin Project |
| enabled | True |
| id | 0d1c68156ad84d63a6b7a19e92b46ddf |
| name | admin |
+-------------+-------------------------------------------+
- Register the admin user
- Take care with the password you set, since it will also be used later in the admin-openrc.sh file
$ openstack user create --password-prompt admin
[Result]
User Password:
Repeat User Password:
+----------+-----------------------------------------+
| Field | Value |
+----------+-----------------------------------------+
| email | None |
| enabled | True |
| id | a81078f6a3f94490a1fc504f840e23f0 |
| name | admin |
| username | admin |
+----------+-----------------------------------------+
- Create the admin role
$ openstack role create admin
[Result]
+-------+------------------------------------------+
| Field | Value |
+-------+------------------------------------------+
| id | 9c6551f223cc492392c51c2e454756e4 |
| name | admin |
+-------+------------------------------------------+
- Add the admin user to the admin role
$ openstack role add --project admin --user admin admin
[Result]
+-------+------------------------------------------+
| Field | Value |
+-------+------------------------------------------+
| id | 9c6551f223cc492392c51c2e454756e4 |
| name | admin |
+-------+------------------------------------------+
3. Create the service project, user and role
3-1. Control Node
- Register the service project
$ openstack project create --description "Service Project" service
- Register the demo project
$ openstack project create --description "Demo Project" demo
- Register the demo user
- Take care with the password you set, since it will also be used later in the demo-openrc.sh file
$ openstack user create --password-prompt demo
- Create the user role
$ openstack role create user
- Add the demo user to the user role
$ openstack role add --project demo --user demo user
4. Verifying the configuration and additional steps
The security settings and unset steps, and the checks that follow them, confirm that the configuration above has been applied correctly.
4-1. Control Node
- Adjust security-related settings
$ sudo vi /etc/keystone/keystone-paste.ini
[File contents: remove admin_token_auth from the three sections below]------------------------------------------------
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
-------------------------------------------------------------------------------------------------------------------
- unset OS_TOKEN/OS_URL
$ unset OS_TOKEN OS_URL
- Issue a token as the admin user with Identity API version 2.0
$ openstack --os-auth-url http://controlnode01:35357 --os-project-name admin --os-username admin --os-auth-type password token issue
[Result]
Password:
+------------+-------------------------------------------+
| Field | Value |
+------------+-------------------------------------------+
| expires | 2015-09-30T12:47:10Z |
| id | 457728dc906f48a1953a1c332c3e9bc8 |
| project_id | 0d1c68156ad84d63a6b7a19e92b46ddf |
| user_id | a81078f6a3f94490a1fc504f840e23f0 |
+------------+-------------------------------------------+
- Issue a token as the admin user with Keystone version 3
$ openstack --os-auth-url http://controlnode01:35357 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue
[Result]
Password:
+------------+-------------------------------------------+
| Field | Value |
+------------+-------------------------------------------+
| expires | 2015-09-30T12:50:06.396284Z |
| id | 9d39a6a4da9f47599075e004647b8c55 |
| project_id | 0d1c68156ad84d63a6b7a19e92b46ddf |
| user_id | a81078f6a3f94490a1fc504f840e23f0 |
+------------+-------------------------------------------+
- Check the project list as the admin user
$ openstack --os-auth-url http://controlnode01:35357 --os-project-name admin --os-username admin --os-auth-type password project list
[Result]
Password:
+-------------------------------------------+---------+
| ID | Name |
+-------------------------------------------+---------+
| 0d1c68156ad84d63a6b7a19e92b46ddf | admin |
| 9e53fb1e432a421792660fe6fe9da7c7 | demo |
| f61fe004e9f049ffbe288a9fc1d546d9 | service |
+-------------------------------------------+---------+
- Check the user list as the admin user
$ openstack --os-auth-url http://controlnode01:35357 --os-project-name admin --os-username admin --os-auth-type password user list
[Result]
Password:
+-----------------------------------------+--------+
| ID | Name |
+-----------------------------------------+--------+
| a81078f6a3f94490a1fc504f840e23f0 | admin |
| ce59f5678f1340dbb9b4f9360228612b | demo |
+-----------------------------------------+--------+
- Check the role list as the admin user
$ openstack --os-auth-url http://controlnode01:35357 --os-project-name admin --os-username admin --os-auth-type password role list
[Result]
Password:
+-----------------------------------------+--------+
| ID | Name |
+-----------------------------------------+--------+
| 7201f71d33694e4f91f67650aeaa6e3b | user |
| 9c6551f223cc492392c51c2e454756e4 | admin |
+-----------------------------------------+--------+
- Check a token for the demo user
$ openstack --os-auth-url http://controlnode01:5000 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue
[Result]
Password:
+-------------+-----------------------------------------+
| Field | Value |
+-------------+-----------------------------------------+
| expires | 2015-09-30T13:01:49.549455Z |
| id | 76c7b97385a14f969c24fcf888883937 |
| project_id | 9e53fb1e432a421792660fe6fe9da7c7 |
| user_id | ce59f5678f1340dbb9b4f9360228612b |
+-------------+-----------------------------------------+
- Check user permissions (the demo user running a CLI command that requires the admin role)
$ openstack --os-auth-url http://controlnode01:5000 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password user list
[Result]
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-aa22e65b-c4ae-439c-84fd-73f968ed90ee)
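The two security-related edits above (removing admin_token_auth from every pipeline in keystone-paste.ini and no longer relying on admin_token in keystone.conf) are easy to leave half done. The script below is an added example, not from the original post: it audits both files and reports any pipeline section that still carries the bootstrap filter. The function names and the sample files are constructed for this example; point the functions at the real files under /etc/keystone to audit a live node.

```shell
# Added example (not part of the original post). After the admin user and
# role exist, admin_token_auth should be gone from every pipeline in
# keystone-paste.ini and admin_token should not be set in keystone.conf,
# because the bootstrap token bypasses password and role checks.

# Print each [pipeline:*] section whose pipeline still lists admin_token_auth.
# Exit status 0 when none are found, 1 otherwise.
audit_paste_ini() {
    awk '
        /^\[pipeline:/ {
            section = $0
            sub(/^\[pipeline:/, "", section)   # drop the section prefix
            sub(/].*$/, "", section)           # drop the closing bracket
        }
        /^pipeline[ \t]*=/ {
            n = split($0, words, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (words[i] == "admin_token_auth") { print section; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Exit status 0 when keystone.conf has no active admin_token line, 1 otherwise.
audit_keystone_conf() {
    ! grep -Eq '^[[:space:]]*admin_token[[:space:]]*=' "$1"
}

# Constructed sample files so the script runs offline: two of the three
# pipelines deliberately still carry the filter, keystone.conf is clean.
tmpdir=$(mktemp -d)
cat > "$tmpdir/keystone-paste.ini" <<'EOF'
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body admin_service
[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3
EOF
cat > "$tmpdir/keystone.conf" <<'EOF'
[DEFAULT]
#admin_token = PLACEHOLDER_DISABLED
verbose = True
EOF

audit_paste_ini "$tmpdir/keystone-paste.ini" && echo "keystone-paste.ini: clean" \
    || echo "keystone-paste.ini: admin_token_auth still enabled in the sections above"
audit_keystone_conf "$tmpdir/keystone.conf" && echo "keystone.conf: clean" \
    || echo "keystone.conf: admin_token is still set"
```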
5. Client environment setup
This covers the OpenStack client setup, including the environment configuration for the admin user.
5-1. Control Node
- Create admin-openrc.sh
$ vi admin-openrc.sh
[Create new file: ADMIN_PASS is the password set when creating the admin user in Keystone]------------------------------
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=<password set when registering the admin user>
export OS_AUTH_URL=http://controlnode01:35357/v3
----------------------------------------------------------------------------------------------------------
- Create demo-openrc.sh
$ vi demo-openrc.sh
[Create new file: DEMO_PASS is the password set when creating the demo user in Keystone]---------------------------------
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=<password set when registering the demo user>
export OS_AUTH_URL=http://controlnode01:5000/v3
------------------------------------------------------------------------------------------------------------
- Verify the client environment setup
$ source admin-openrc.sh
$ openstack token issue
[Result]
+------------+-------------------------------------------+
| Field | Value |
+------------+-------------------------------------------+
| expires | 2015-09-30T13:19:02.954322Z |
| id | 43e7bb74db4d4f64bc23c510afd25f30 |
| project_id | 0d1c68156ad84d63a6b7a19e92b46ddf |
| user_id | a81078f6a3f94490a1fc504f840e23f0 |
+------------+-------------------------------------------+