1. Keystone installation process
During installation, first create a database named keystone in MariaDB on the controller node.
Then install the Keystone package on the controller node and configure the database connection.
Keystone and the database can be deployed on different servers; Keystone reaches the database by resolving the hostname "controller".
2. Endpoint types and regions
An endpoint is the access point of an OpenStack service: a URL through which users or other services consume that service.
Endpoints come in three types: admin, internal and public. The split exists mainly for network access security: a service can expose different access points to different users as needed, or choose not to expose some types at all, to keep the service secure.
The figure below shows the network connections of the three endpoint types. Suppose an OpenStack node (a server running OpenStack services) has three NICs configured with ip address 1, ip address 2 and ip address 3, connected respectively to three networks of different types: the management network, the internal network and the public network (also called the external network).
IP address 1 plus the service port then forms the service's admin endpoint, IP address 2 plus the service port forms the internal endpoint, and IP address 3 plus the service port forms the public endpoint. In this way, access by users or other services to the different access points of a service can be controlled.
Note that the admin network, internal network and public network corresponding to the admin, internal and public endpoint types are only a deployment-level classification of endpoints; how these three network types map onto real networks depends on the actual network plan. In this installation, for example, all three endpoint types map onto the management network planned for this installation.
In addition, endpoint creation is closely tied to regions, as can be seen from the fact that OpenStackClient requires a region parameter when creating an endpoint:
Every endpoint belongs to exactly one region, which means that, from an overall planning perspective, a service is assigned to a particular region, and user access to services in different regions is managed accordingly.
As shown in the figure below, user1 accesses the Nova API endpoint in region1 to request a new instance on the compute nodes of that region. Likewise, user2 accesses the Nova API endpoint in region2 and requests an instance on that region's compute nodes. Each region's Nova service manages its own compute resources independently, so that the requested instances are created and run within the corresponding region.
3. About user/project/role/domain
From the OpenStackClient commands for creating users and projects, it can be seen that users and projects must belong to a domain.
The project "myproject" is created in domain "default"; a project can be understood as a collection of resources, chiefly compute, storage and network resources.
The user "myuser" is created in domain "default"; a user is the consumer and operator of resources.
The role "myrole" is created; a role defines the permissions for operating on resources. Note that a role does not need to be defined under a domain.
User "myuser" accesses and operates on "myproject" with role "myrole"; this is called a role assignment, and it defines the user's permissions over the resources in that project.
Earlier, a new domain "example" was also created:
Users, projects, roles and role assignments can be created under the example domain:
ubcode@osclient ~(admin/amdin)$ openstack user create --domain example --description "for test" --password-prompt testuser1
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| description | for test |
| domain_id | f2a209f9e83040c9a619ca05c41e952b |
| enabled | True |
| id | 981d061282aa43afba72df6ff637f41c |
| name | testuser1 |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack project create --domain example --description "for test" testproject1
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | for test |
| domain_id | f2a209f9e83040c9a619ca05c41e952b |
| enabled | True |
| id | 0d2f8cf8cacb4b6e99cc3286c5d67f16 |
| is_domain | False |
| name | testproject1 |
| options | {} |
| parent_id | f2a209f9e83040c9a619ca05c41e952b |
| tags | [] |
+-------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack role create testrole // no domain information
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 48fa6b74f7b74d8698fe20b21ae8a02b |
| name | testrole |
| options | {} |
+-------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack role add --project testproject1 --user testuser1 testrole
ubcode@osclient ~(admin/amdin)$
After these operations, the relationships are as shown in the figure below:
Explanation:
The admin user in the default domain can operate on project admin with the admin role.
The myuser user in the default domain can operate on project myproject with the myrole role.
The testuser1 user in the example domain can operate on project testproject1 with the testrole role.
In addition, a user can also operate on projects in another domain. How the specific permissions of each role are defined is skipped here for now.
4. API Examples using Curl
In OpenStack, the API is the interface for interacting with each service, allowing you to manage and operate the OpenStack environment programmatically. Using the curl tool to interact with the OpenStack API is very common, because curl is a powerful command-line tool for issuing HTTP requests.
4.1 Get version
ubcode@osclient:~$ curl -s "http://controller:5000" | python3 -mjson.tool
{
    "versions": {
        "values": [
            {
                "id": "v3.14",
                "status": "stable",
                "updated": "2020-04-07T00:00:00Z",
                "links": [
                    {
                        "rel": "self",
                        "href": "http://controller:5000/v3/"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ]
            }
        ]
    }
}
ubcode@osclient:~$
4.2 Tokens
In OpenStack, "tokens" are access tokens: the credentials that users or services use to prove their identity and access the APIs.
4.2.1 Get an unscoped token
An unscoped token is a temporary token in the identity system that verifies a user's identity without granting any specific permissions or access to resources. It is usually an intermediate step in authentication. The main use of an unscoped token is to later prove the user's identity to Keystone (normally in order to obtain a scoped token) without presenting the user's original credentials again.
ubcode@osclient:~$ curl -i \
> -H "Content-Type: application/json" \
> -d '
> { "auth": {
>     "identity": {
>       "methods": ["password"],
>       "password": {
>         "user": {
>           "name": "admin",
>           "domain": { "id": "default" },
>           "password": "openstack"
>         }
>       }
>     }
>   }
> }' \
> "http://controller:5000/v3/auth/tokens" ; echo
HTTP/1.1 201 CREATED
Date: Wed, 03 Jul 2024 15:14:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 312
X-Subject-Token: gAAAAABmhWrS9pjsZbHKHDEfSa_l91n5Jst0pG37PEBDrcRqKZ50JLhlDm_v-Y-Mztb0xQQFd5nYA7C_P0W7gdp7xCNIXSEsQ0WyKufIiYhyKw77Z9oOPydPp2ZD3_bnH4vL6AjrVWM3VKf1LqOdMK3fK3XHqDj8uw
Vary: X-Auth-Token
x-openstack-request-id: req-0ed02152-99d4-4be2-ab2e-3e668be607fd
Content-Type: application/json
{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["zDdlzcbaT5-JjguilOiBrA"], "expires_at": "2024-07-03T16:14:26.000000Z", "issued_at": "2024-07-03T15:14:26.000000Z"}}
ubcode@osclient:~$
---- Pretty-printed JSON body:
ubcode@osclient:~$ echo '{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["zDdlzcbaT5-JjguilOiBrA"], "expires_at": "2024-07-03T16:14:26.000000Z", "issued_at": "2024-07-03T15:14:26.000000Z"}}' | python3 -mjson.tool
{
    "token": {
        "methods": [
            "password"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "2947c213547147979dce3c8f8b85697f",
            "name": "admin",
            "password_expires_at": null
        },
        "audit_ids": [
            "zDdlzcbaT5-JjguilOiBrA"
        ],
        "expires_at": "2024-07-03T16:14:26.000000Z",
        "issued_at": "2024-07-03T15:14:26.000000Z"
    }
}
ubcode@osclient:~$
4.2.2 Get a project-scoped token
A project-scoped token contains the service catalog, a set of roles, and information about the project the user is authorized on. Most users need a role assignment on a project before they can use resources in the deployment.
Example: the admin user in the default domain requests a token scoped to the admin project in the default domain, with the admin role:
ubcode@osclient:~$ curl -i \
> -H "Content-Type: application/json" \
> -d '
> { "auth": {
>     "identity": {
>       "methods": ["password"],
>       "password": {
>         "user": {
>           "name": "admin",
>           "domain": { "id": "default" },
>           "password": "openstack"
>         }
>       }
>     },
>     "scope": {              <---- limits the scope of the token
>       "project": {
>         "name": "admin",
>         "domain": { "id": "default" }
>       }
>     }
>   }
> }' \
> "http://controller:5000/v3/auth/tokens" ; echo
HTTP/1.1 201 CREATED
Date: Wed, 03 Jul 2024 21:55:44 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1220
X-Subject-Token: gAAAAABmhcjhup-6DomVu7Cn2ZKv5M33RtUuVZ4y6RFZsGlh3LoE_Ow1CYGsBVM6VYNJauNy965uKxIHEMkJjlykfEubqzOxHvmeAc5DMi1d62ZZeCFH_ZdlaKM05GxZb1yPgIpyGCcg-0bUWt8lECHUs2lj6c3xKaRT1Q_8qg73ua9V5IOIrQs
Vary: X-Auth-Token
x-openstack-request-id: req-dedf68e3-d438-4b37-86fe-a13d9d0915ea
Content-Type: application/json
{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["1bQYLV1uRX6cd0V0MGaUFw"], "expires_at": "2024-07-03T22:55:45.000000Z", "issued_at": "2024-07-03T21:55:45.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "ee65b6c3961747b988ab8bd1cc19fb93", "name": "admin"}, "is_domain": false, "roles": [{"id": "17552c9a365d4944a50fd8ac271791c6", "name": "member"}, {"id": "e434c66b7af647158bcaa77686ca6e93", "name": "admin"}, {"id": "be23525c20c44f05b3ba071455522fcb", "name": "reader"}], "catalog": [{"endpoints": [{"id": "a82bd043e133464fa863fba98b400460", "interface": "admin", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}, {"id": "ac109817862344c4854b783d642be412", "interface": "internal", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}, {"id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1", "interface": "public", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}], "id": "75fe01049ec648b69e48d200971bf601", "type": "identity", "name": "keystone"}]}}
ubcode@osclient:~$
---- Pretty-printed JSON body:
ubcode@osclient:~$ echo '{"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["1bQYLV1uRX6cd0V0MGaUFw"], "expires_at": "2024-07-03T22:55:45.000000Z", "issued_at": "2024-07-03T21:55:45.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "ee65b6c3961747b988ab8bd1cc19fb93", "name": "admin"}, "is_domain": false, "roles": [{"id": "17552c9a365d4944a50fd8ac271791c6", "name": "member"}, {"id": "e434c66b7af647158bcaa77686ca6e93", "name": "admin"}, {"id": "be23525c20c44f05b3ba071455522fcb", "name": "reader"}], "catalog": [{"endpoints": [{"id": "a82bd043e133464fa863fba98b400460", "interface": "admin", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}, {"id": "ac109817862344c4854b783d642be412", "interface": "internal", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}, {"id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1", "interface": "public", "region_id": "RegionOne", "url": "http://controller:5000/v3/", "region": "RegionOne"}], "id": "75fe01049ec648b69e48d200971bf601", "type": "identity", "name": "keystone"}]}}' | python3 -mjson.tool
{
    "token": {
        "methods": [
            "password"
        ],
        "user": {                 <---- the authorized user
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "2947c213547147979dce3c8f8b85697f",
            "name": "admin",
            "password_expires_at": null
        },
        "audit_ids": [
            "1bQYLV1uRX6cd0V0MGaUFw"
        ],
        "expires_at": "2024-07-03T22:55:45.000000Z",
        "issued_at": "2024-07-03T21:55:45.000000Z",
        "project": {              <---- the authorized project
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "ee65b6c3961747b988ab8bd1cc19fb93",
            "name": "admin"
        },
        "is_domain": false,
        "roles": [                <---- the granted roles; the admin role automatically gets the member and reader roles as well
            {
                "id": "17552c9a365d4944a50fd8ac271791c6",
                "name": "member"
            },
            {
                "id": "e434c66b7af647158bcaa77686ca6e93",
                "name": "admin"
            },
            {
                "id": "be23525c20c44f05b3ba071455522fcb",
                "name": "reader"
            }
        ],
        "catalog": [              <---- the service catalog: services and their endpoints; only the identity service (keystone) is installed so far
            {
                "endpoints": [
                    {
                        "id": "a82bd043e133464fa863fba98b400460",
                        "interface": "admin",
                        "region_id": "RegionOne",
                        "url": "http://controller:5000/v3/",
                        "region": "RegionOne"
                    },
                    {
                        "id": "ac109817862344c4854b783d642be412",
                        "interface": "internal",
                        "region_id": "RegionOne",
                        "url": "http://controller:5000/v3/",
                        "region": "RegionOne"
                    },
                    {
                        "id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1",
                        "interface": "public",
                        "region_id": "RegionOne",
                        "url": "http://controller:5000/v3/",
                        "region": "RegionOne"
                    }
                ],
                "id": "75fe01049ec648b69e48d200971bf601",
                "type": "identity",
                "name": "keystone"
            }
        ]
    }
}
ubcode@osclient:~$
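Added example (not part of the original post) in Python, tying the endpoint types and regions from section 2 to the catalog returned with the project-scoped token in 4.2.2: it selects a service URL by service type, interface and region, checks the token's validity window, and checks whether a role was granted. The sample token is constructed from the values shown above; the function names are my own.

```python
"""Added example (not from the original post): use the catalog that comes
with a project-scoped token the way a client should, instead of hard-coding
service URLs. The sample token is constructed from the 4.2.2 response."""
from datetime import datetime, timezone

# Constructed sample: the "token" object of the project-scoped response,
# trimmed to the fields this example needs.
SCOPED_TOKEN = {
    "expires_at": "2024-07-03T22:55:45.000000Z",
    "issued_at": "2024-07-03T21:55:45.000000Z",
    "roles": [{"name": "member"}, {"name": "admin"}, {"name": "reader"}],
    "catalog": [{
        "type": "identity", "name": "keystone",
        "endpoints": [
            {"interface": "admin", "region_id": "RegionOne",
             "url": "http://controller:5000/v3/"},
            {"interface": "internal", "region_id": "RegionOne",
             "url": "http://controller:5000/v3/"},
            {"interface": "public", "region_id": "RegionOne",
             "url": "http://controller:5000/v3/"},
        ],
    }],
}

def parse_ts(ts):
    """Keystone timestamps look like 2024-07-03T22:55:45.000000Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def token_is_valid(token, now):
    """A token is usable only between issued_at and expires_at."""
    return parse_ts(token["issued_at"]) <= now < parse_ts(token["expires_at"])

def find_endpoint(token, service_type, interface="public", region="RegionOne"):
    """Return the URL for (service_type, interface, region), or None.
    End-user clients should default to the public interface; the admin and
    internal endpoints are for operators and for service-to-service traffic
    on the management/internal networks described in section 2."""
    for service in token["catalog"]:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and ep["region_id"] == region:
                return ep["url"]
    return None

def has_role(token, role_name):
    """True if the scoped token carries the named role."""
    return any(r["name"] == role_name for r in token["roles"])
```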
4.2.3 Get a token from a token
In OpenStack, an existing token can be used to obtain a new token. Typically an unscoped token is used to obtain a new token scoped to a particular project (a project-scoped token).
ubcode@osclient:~$ curl -i \
> -H "Content-Type: application/json" \
> -d '
> { "auth": {
>     "identity": {
>       "methods": ["token"],
>       "token": {
>         "id": "'gAAAAABmhcjhup-6DomVu7Cn2ZKv5M33RtUuVZ4y6RFZsGlh3LoE_Ow1CYGsBVM6VYNJauNy965uKxIHEMkJjlykfEubqzOxHvmeAc5DMi1d62ZZeCFH_ZdlaKM05GxZb1yPgIpyGCcg-0bUWt8lECHUs2lj6c3xKaRT1Q_8qg73ua9V5IOIrQs'"
>       }
>     }
>   }
> }' \
> "http://controller:5000/v3/auth/tokens" ; echo
HTTP/1.1 201 CREATED
Date: Wed, 03 Jul 2024 22:08:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 347
X-Subject-Token: gAAAAABmhcvLXZkyhiEyP-Als26O4bJwo21lW9EKjvqwXPYj1PzUhKEfsEQvxajijVCEuiSjhh_DOn55q007XnvOUivqIC6PbvjyA1syqhMjD8C86n08Tqbwj8MH0d_olDr1JWI4jRPpM_rRNvfczZNrUXOMoSHIzPEsDcTB1ahTdGOEpj3CAk4
Vary: X-Auth-Token
x-openstack-request-id: req-6c83f458-1fd1-4d1a-a76a-6aead667f7f4
Content-Type: application/json
{"token": {"methods": ["token", "password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["21rMZehZSzWRHDv3OPS9Iw", "1bQYLV1uRX6cd0V0MGaUFw"], "expires_at": "2024-07-03T22:55:45.000000Z", "issued_at": "2024-07-03T22:08:11.000000Z"}}
---- Pretty-printed JSON body:
ubcode@osclient:~$ echo '{"token": {"methods": ["token", "password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["21rMZehZSzWRHDv3OPS9Iw", "1bQYLV1uRX6cd0V0MGaUFw"], "expires_at": "2024-07-03T22:55:45.000000Z", "issued_at": "2024-07-03T22:08:11.000000Z"}}' | python3 -mjson.tool
{
    "token": {
        "methods": [
            "token",              <---- the token was obtained with the token method
            "password"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "2947c213547147979dce3c8f8b85697f",
            "name": "admin",
            "password_expires_at": null
        },
        "audit_ids": [
            "21rMZehZSzWRHDv3OPS9Iw",
            "1bQYLV1uRX6cd0V0MGaUFw"
        ],
        "expires_at": "2024-07-03T22:55:45.000000Z",
        "issued_at": "2024-07-03T22:08:11.000000Z"
    }
}
ubcode@osclient:~$
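Added example (not part of the original post) covering 4.2.1 to 4.2.3: it builds the password and token authentication bodies sent to /v3/auth/tokens, and checks a token obtained from another token against its parent (same user, audit_ids chained, expiry not extended), which is what the 4.2.3 response above shows. The sample responses are constructed from the values above; the function names are my own.

```python
"""Added example (not from the original post): request bodies for the
password and token auth methods, plus the invariants a rescoped token must
satisfy relative to the token it was derived from."""
import json

def password_auth(user, password, domain_id="default", project=None):
    """Password authentication; unscoped unless a project name is given."""
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": user, "domain": {"id": domain_id},
                              "password": password}}}}}
    if project is not None:
        body["auth"]["scope"] = {"project": {"name": project,
                                            "domain": {"id": domain_id}}}
    return body

def token_auth(token_id, project=None, domain_id="default"):
    """Exchange an existing (typically unscoped) token for a new one."""
    body = {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": token_id}}}}
    if project is not None:
        body["auth"]["scope"] = {"project": {"name": project,
                                            "domain": {"id": domain_id}}}
    return body

def check_rescoped(parent, child):
    """Invariants visible in the 4.2.3 response: the child belongs to the
    same user, carries the parent's audit_id in its audit_ids (so revoking
    the parent by audit_id also hits the child), and keeps the parent's
    expires_at, i.e. rescoping never extends a token's lifetime."""
    same_user = parent["user"]["id"] == child["user"]["id"]
    chained = parent["audit_ids"][0] in child["audit_ids"]
    # Same ISO-8601 UTC format on both sides, so string order is time order.
    not_extended = child["expires_at"] <= parent["expires_at"]
    return same_user and chained and not_extended

# Constructed samples taken from the 4.2.2 (parent) and 4.2.3 (child) responses.
PARENT = {"user": {"id": "2947c213547147979dce3c8f8b85697f"},
          "audit_ids": ["1bQYLV1uRX6cd0V0MGaUFw"],
          "expires_at": "2024-07-03T22:55:45.000000Z"}
CHILD = {"user": {"id": "2947c213547147979dce3c8f8b85697f"},
         "audit_ids": ["21rMZehZSzWRHDv3OPS9Iw", "1bQYLV1uRX6cd0V0MGaUFw"],
         "expires_at": "2024-07-03T22:55:45.000000Z"}

if __name__ == "__main__":
    print(json.dumps(password_auth("admin", "openstack", project="admin"), indent=2))
    print("rescoped token consistent:", check_rescoped(PARENT, CHILD))
```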
4.3 List domains
ubcode@osclient:~$ curl -s \
> -H "X-Auth-Token: gAAAAABmhd-VwklS-RRrEMRQy72MeIBoIm8eBKq47vxgw1q2hwEW_RKZzvjVSNUGROTDHX75KP_nC0xA0lfEbWvokAoUwC-2RIXxj-flKoedBbYnopJ2WQPbMR52RtkzkBjI0j2aAKQoZRxjf9AEA8O1YqL1b3qWIByDBklPqx0j7aN9puAIaGk" \
> "http://controller:5000/v3/domains" | python3 -mjson.tool
{
    "domains": [
        {
            "id": "default",
            "name": "Default",
            "description": "The default domain",
            "enabled": true,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/domains/default"
            }
        },
        {
            "id": "f2a209f9e83040c9a619ca05c41e952b",
            "name": "example",
            "description": "An Example Domain",
            "enabled": true,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/domains/f2a209f9e83040c9a619ca05c41e952b"
            }
        }
    ],
    "links": {
        "next": null,
        "self": "http://controller:5000/v3/domains",
        "previous": null
    }
}
ubcode@osclient:~$
4.4 List projects
ubcode@osclient:~$ curl -s \
> -H "X-Auth-Token: gAAAAABmhd-VwklS-RRrEMRQy72MeIBoIm8eBKq47vxgw1q2hwEW_RKZzvjVSNUGROTDHX75KP_nC0xA0lfEbWvokAoUwC-2RIXxj-flKoedBbYnopJ2WQPbMR52RtkzkBjI0j2aAKQoZRxjf9AEA8O1YqL1b3qWIByDBklPqx0j7aN9puAIaGk" \
> "http://controller:5000/v3/projects" | python3 -mjson.tool
{
    "projects": [
        {
            "id": "0d2f8cf8cacb4b6e99cc3286c5d67f16",
            "name": "testproject1",
            "domain_id": "f2a209f9e83040c9a619ca05c41e952b",
            "description": "for test",
            "enabled": true,
            "parent_id": "f2a209f9e83040c9a619ca05c41e952b",
            "is_domain": false,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/projects/0d2f8cf8cacb4b6e99cc3286c5d67f16"
            }
        },
        {
            "id": "ee65b6c3961747b988ab8bd1cc19fb93",
            "name": "admin",
            "domain_id": "default",
            "description": "Bootstrap project for initializing the cloud.",
            "enabled": true,
            "parent_id": "default",
            "is_domain": false,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/projects/ee65b6c3961747b988ab8bd1cc19fb93"
            }
        },
        {
            "id": "f5e75a3f7cc347ad89d20dcfe70dae01",
            "name": "myproject",
            "domain_id": "default",
            "description": "Demo Project",
            "enabled": true,
            "parent_id": "default",
            "is_domain": false,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/projects/f5e75a3f7cc347ad89d20dcfe70dae01"
            }
        },
        {
            "id": "fe9220b4131041e4b551b42b64a8f9ca",
            "name": "service",
            "domain_id": "default",
            "description": "Service Project",
            "enabled": true,
            "parent_id": "default",
            "is_domain": false,
            "tags": [],
            "options": {},
            "links": {
                "self": "http://controller:5000/v3/projects/fe9220b4131041e4b551b42b64a8f9ca"
            }
        }
    ],
    "links": {
        "next": null,
        "self": "http://controller:5000/v3/projects",
        "previous": null
    }
}
ubcode@osclient:~$
5. API Examples using Postman
Postman is installed on the Win11 PC in the installation environment described earlier.
5.1 Get version
5.2 Tokens
5.2.1 Get an unscoped token
5.2.2 Get a project-scoped token
(Body section)