© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
A. Markelov, Certified OpenStack Administrator Study Guide, Certification Study Companion Series, https://doi.org/10.1007/978-1-4842-8804-7_4

4. Identity Management

Andrey Markelov, Stockholm, Sweden

Keystone, OpenStack’s identity service, catalogs all its services. It provides the ability to authenticate and manage user accounts, regions, domains, projects, and role information for the cloud environment. If you are familiar with the Microsoft Windows Server environment, you can think of Keystone as the “Active Directory analog” for your OpenStack cloud. Usually, Keystone is the first component to be installed when starting an OpenStack cloud. Keystone supports multiple forms of authentication, including login name and password, token-based credentials, Amazon Web Services, REST API logins, and many others.

First, let’s define some terms with which Keystone operates.
  • A service is an OpenStack cloud component listed in the Keystone catalog. These services include Nova, Neutron, Glance, and Keystone. A service provides one or more endpoints through which users can access the service’s API.

  • An endpoint is a URL from which the service is available. A service can have three endpoints: internal, public, and admin. They can expose different subsets of API calls. An endpoint can look like this: https://controller.my-domain.com:8776/v3. Here, the service listens for incoming calls on port 8776, and the API is version 3. Common port numbers for OpenStack services are shown in Table 4-1. You can get a list of the endpoints for your OpenStack installation by executing the openstack catalog list command.
    Table 4-1

    Common Port Numbers for OpenStack Services

    +---------------------+-----------------------------------------------------+
    | Network Port Number | OpenStack Service                                   |
    +---------------------+-----------------------------------------------------+
    | 5000                | Keystone’s public API endpoint port                 |
    | 35357               | Keystone’s admin API endpoint port (can share 5000) |
    | 8776                | Cinder block storage services                       |
    | 9292                | Glance image services                               |
    | 8774                | Nova compute services                               |
    | 8778                | placement services                                  |
    | 8080 and 6001–6003  | Swift object storage services                       |
    | 9696                | Neutron networking services                         |
    | 8042                | aodh telemetry alarming services                    |
    | 8041                | time series DB as a service                         |
    | 8004                | Heat orchestration services                         |
    +---------------------+-----------------------------------------------------+

  • A project represents the base unit of ownership in OpenStack. Networks, VMs, users, roles, and so forth belong to a particular project. A special project, “admin”, exists for administrative operations in OpenStack. The second utility project is the “services” project.

  • A domain represents a collection of projects, groups, and users that defines administrative boundaries for managing OpenStack identity entities. In an initial OpenStack deployment, the only existing domain is the default domain.

  • A region separates the OpenStack environment with dedicated API endpoints but with a common Keystone service. In an initial OpenStack deployment, the only existing region is RegionOne.

  • A token is issued by the Keystone service, then passed with API requests and used by OpenStack to verify that the client is authorized to run the requested operation. The token is issued for a limited time and, if necessary, may be revoked before it expires. To get a token, the user must provide either a name and password or the name and the key used to access the API (API key). The token also contains a list of roles that defines the roles available to the user.

  • A user is an individual API consumer. Users can be associated with roles, projects, or both. In an initial OpenStack deployment, the only existing user account is admin, which is assigned to the admin role in the default domain’s admin project. The PackStack installation tool can create demo users with demo projects as well.

  • A role is a specific set of operations associated with a user. A role includes a set of rights and privileges.

From an architectural point of view, Keystone is the simplest service in the cloud. As for many other OpenStack services, the identity service uses the MariaDB/MySQL database. Alternatively, storing information in the LDAP (Lightweight Directory Access Protocol) server or Microsoft Active Directory is possible. Starting from the Mitaka release, Keystone uses the Apache web server as the front end, so you no longer need to start openstack-keystone.service. Prior to the Mitaka release, Keystone worked under the built-in Eventlet Python service by default.

Tip

In modern documents, the OpenStack community prefers to use the word project. In older documents, you can still find the word tenant. Keep in mind that project and tenant are synonymous.

Let’s quickly look through the Keystone main configuration file /etc/keystone/keystone.conf. Table 4-2 summarizes its main configuration options.
Table 4-2

Main Configuration Options for /etc/keystone/keystone.conf (each entry gives an example of a config option followed by its description)

  [DEFAULT]
  admin_token = ee224e8...
      A “shared secret” that can be used to bootstrap and debug Keystone (This “token” does not represent a user.)

  [DEFAULT]
  debug = True
      Sets logging level to DEBUG instead of the default INFO level in the journal

  [DEFAULT]
  log_dir = /var/log/keystone
      The base directory used for log files

  [database]
  connection = mysql://keystone_admin:password@192.168.122.10/keystone
      The SQLAlchemy connection string to connect to the database

  [token]
  expiration = 3600
      Token validity timeframe (in seconds) (default: 1 hour)

  [ssl]
  Enable=False
      Defines use of SSL connection
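The options in Table 4-2 are the ones worth re-checking after an installation: a leftover admin_token, debug logging, a token lifetime far above the one-hour default, and SSL turned off. The following Python is an added example (it is not from the book or from the Keystone project) that parses a keystone.conf in oslo.config’s INI style with the standard library configparser and reports those settings. Both sample configurations are constructed for the example; the admin_token value is a placeholder.

```python
import configparser
import io

# Constructed sample of /etc/keystone/keystone.conf covering the options in
# Table 4-2. The admin_token value is a placeholder, not a real secret.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = ee224e8f0c9f4c3e9b6ef3e0f4b2c1a0
debug = True
log_dir = /var/log/keystone

[database]
connection = mysql://keystone_admin:password@192.168.122.10/keystone

[token]
expiration = 86400

[ssl]
Enable=False
"""

# The same file after clean-up: bootstrap token removed, INFO logging,
# one-hour tokens (the Table 4-2 default), SSL enabled.
HARDENED_KEYSTONE_CONF = """\
[DEFAULT]
debug = False
log_dir = /var/log/keystone

[database]
connection = mysql://keystone_admin:password@192.168.122.10/keystone

[token]
expiration = 3600

[ssl]
Enable=True
"""

MAX_TOKEN_LIFETIME = 3600  # seconds; the default from Table 4-2


def load_keystone_conf(text):
    """Parse keystone.conf (INI style, as oslo.config writes it) into a ConfigParser."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(text))
    return parser


def audit_keystone_conf(text):
    """Return (section, option, finding) tuples for the risky settings of Table 4-2."""
    cfg = load_keystone_conf(text)
    findings = []

    # admin_token is a bootstrap shared secret that does not represent a user;
    # once real admin credentials exist it should no longer be configured.
    if cfg.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("DEFAULT", "admin_token",
                         "bootstrap shared secret is still configured"))

    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings.append(("DEFAULT", "debug",
                         "DEBUG logging enabled instead of the default INFO level"))

    expiration = cfg.getint("token", "expiration", fallback=MAX_TOKEN_LIFETIME)
    if expiration > MAX_TOKEN_LIFETIME:
        findings.append(("token", "expiration",
                         f"token lifetime {expiration}s exceeds {MAX_TOKEN_LIFETIME}s"))

    # configparser lower-cases option names, so "Enable" and "enable" both match.
    if not cfg.getboolean("ssl", "Enable", fallback=False):
        findings.append(("ssl", "Enable",
                         "SSL disabled; API calls and tokens travel in clear text"))

    return findings


if __name__ == "__main__":
    for section, option, finding in audit_keystone_conf(SAMPLE_KEYSTONE_CONF):
        print(f"[{section}] {option}: {finding}")
    print("hardened config findings:", audit_keystone_conf(HARDENED_KEYSTONE_CONF))
```

Run against a real file with `audit_keystone_conf(open("/etc/keystone/keystone.conf").read())`; commented-out lines such as `#admin_token = <None>` are ignored by configparser, so only options that are actually set are reported.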

Managing Keystone Catalog Services and Endpoints

Before doing anything with OpenStack, you must go through the authentication and authorization processes. You can pass credentials as CLI command options, but it is better and easier to create a file of environment variables for the GNU/Linux shell and load it with the source command. Create something like the following in any text editor.
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.122.10:5000/v3
export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3
If you used any of the installers described in Chapter 2, you would get this file automatically. You need to use your environment's correct IP address and admin password. Now you can execute the script.
$ source keystonerc_admin
Let’s create a service record in Keystone for OpenStack’s Glance image service (this service is described in Chapter 5).
$ openstack service create --name glance --description "OpenStack Image service" image
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Image service          |
| enabled     | True                             |
| id          | 9d33c464f61749cd9f5811cda1ae5444 |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
Only two mandatory options exist in this command: the name of the service and the type of service. The name is glance, and the type is image. You can check the existing services with their types by using the openstack service list command.
$ openstack service list
+----------------------------------+-----------+----------------+
| ID                               | Name      | Type           |
+----------------------------------+-----------+----------------+
| 1512e88885c84cfa8a1d54ade990712b | placement | placement      |
| 44cb0eddaae5494f83d07bb48278eed6 | nova      | compute        |
| 5ae88c354230480e9b4e071d11587ee7 | glance    | image          |
| 5f094c2dcd964f2bbbc44172cc5a7840 | cinderv3  | volumev3       |
| 6435972a40544279944c7cc72edda939 | heat      | orchestration  |
| 7c2aa7536caf43b5bf4ce51b96fea4a1 | keystone  | identity       |
| a1b61cc227394eebbcd6198a3994185c | aodh      | alarming       |
| ad15ba2dcedb4f90ae0f8fc43511153e | heat-cfn  | cloudformation |
| c355a9e2e6524d77afd8694d5ef326e0 | neutron   | network        |
| d7670dab054e43939c420c7c7f678a16 | gnocchi   | metric         |
| e0568d312dce42cc86b7ae25ac34d135 | swift     | object-store   |
+----------------------------------+-----------+----------------+
If you made a mistake in service creation, you could easily delete it with the openstack service delete command. After creating the service record in the Keystone catalog, you need to create three endpoints for this service. This can be done with the next command.
$ openstack endpoint create image public  http://192.168.122.10:9292 --region RegionOne
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 2bf154ca232640288fc36acff35a8997 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 71595091f7df4feea97c9925bf181269 |
| service_name | glance                           |
| service_type | image                            |
| url          | http://192.168.122.10:9292       |
+--------------+----------------------------------+

You must repeat the command with two additional endpoints: internal and admin.

Note

The command’s syntax changed in the Mitaka release. Do not be confused if you find examples where a single command created all three endpoints.

You can run a check on all the endpoints.
$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+--------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                              |
+----------------------------------+-----------+--------------+----------------+---------+-----------+--------------------------------------------------+
| 077925f6fc694aa78cd4ca84d6d24178 | RegionOne | glance       | image          | True    | admin     | http://192.168.122.10:9292                       |
| 094235849d0a41ac87f087334fb39fdc | RegionOne | glance       | image          | True    | internal  | http://192.168.122.10:9292                       |
| 0b36f879db4647568c29579f1347d386 | RegionOne | nova         | compute        | True    | public    | http://192.168.122.10:8774/v2.1                  |
| 13cd54246edd4bc290442042734e2b8a | RegionOne | swift        | object-store   | True    | public    | http://192.168.122.10:8080/v1/AUTH_%(tenant_id)s |
| 1c15ab54300a424c8697e42f69ad6f41 | RegionOne | swift        | object-store   | True    | internal  | http://192.168.122.10:8080/v1/AUTH_%(tenant_id)s |
| 2ad9097a0ebc43c19e86001569b0c31f | RegionOne | heat-cfn     | cloudformation | True    | admin     | http://192.168.122.10:8000/v1                    |
| 355e42ca7adf46b093ba86a401d04b55 | RegionOne | placement    | placement      | True    | internal  | http://192.168.122.10:8778                       |
| 457ad6e5831645d0969af094ccf6be2a | RegionOne | heat-cfn     | cloudformation | True    | internal  | http://192.168.122.10:8000/v1                    |
| 5435cb7957c142d89ed20123dd854eec | RegionOne | aodh         | alarming       | True    | internal  | http://192.168.122.10:8042                       |
| 551894b71129448eb9efc934f7d1a374 | RegionOne | nova         | compute        | True    | internal  | http://192.168.122.10:8774/v2.1                  |
| 56474f67106e42f49e7077f84af19d5e | RegionOne | keystone     | identity       | True    | public    | http://192.168.122.10:5000                       |
| 57d55ed6bac14ca79ac9f0d843c92359 | RegionOne | heat         | orchestration  | True    | public    | http://192.168.122.10:8004/v1/%(tenant_id)s      |
| 62e904bfa98642c4a1b170881b95b01d | RegionOne | swift        | object-store   | True    | admin     | http://192.168.122.10:8080/v1/AUTH_%(tenant_id)s |
| 6a59ce4050414804b727f36b021a1ed5 | RegionOne | glance       | image          | True    | public    | http://192.168.122.10:9292                       |
| 6dda1a447ede47e38fbaabb68f012967 | RegionOne | gnocchi      | metric         | True    | admin     | http://192.168.122.10:8041                       |
| 875f9b8d3ad74e8cbca45ab579e6ce6c | RegionOne | gnocchi      | metric         | True    | internal  | http://192.168.122.10:8041                       |
| 8b5aca21d1b343729f434aa47d902406 | RegionOne | heat-cfn     | cloudformation | True    | public    | http://192.168.122.10:8000/v1                    |
| 90ffbf140de6475c806725290ed7ed2b | RegionOne | cinderv3     | volumev3       | True    | internal  | http://192.168.122.10:8776/v3                    |
| 91822f8dbfed46a3a4b50d2c4c4b5e72 | RegionOne | cinderv3     | volumev3       | True    | admin     | http://192.168.122.10:8776/v3                    |
| 978ae5905a0549e68d7050c4aba797d7 | RegionOne | gnocchi      | metric         | True    | public    | http://192.168.122.10:8041                       |
| a4e0777b930e49a1b1d9736fed15d388 | RegionOne | keystone     | identity       | True    | admin     | http://192.168.122.10:5000                       |
| afbd7fd5c23849ba95776349e613101e | RegionOne | placement    | placement      | True    | public    | http://192.168.122.10:8778                       |
| b5ad13604eec4703aa4a2129ee286fd9 | RegionOne | placement    | placement      | True    | admin     | http://192.168.122.10:8778                       |
| c1a044e51e794cf09e672a7ec29619fd | RegionOne | nova         | compute        | True    | admin     | http://192.168.122.10:8774/v2.1                  |
| c4ec044916d74e1694f1ab54bc8706f3 | RegionOne | keystone     | identity       | True    | internal  | http://192.168.122.10:5000                       |
| cb2864864ba04da0935ab5a88fb34346 | RegionOne | cinderv3     | volumev3       | True    | public    | http://192.168.122.10:8776/v3                    |
| d5c4c54e90c34f83bed5a8c45c69e7b2 | RegionOne | neutron      | network        | True    | public    | http://192.168.122.10:9696                       |
| e0382c15ccd144f3baa3f2b1b62fe5f9 | RegionOne | neutron      | network        | True    | admin     | http://192.168.122.10:9696                       |
| e42eaca2b18f4d3b923d2d14c5e97d81 | RegionOne | neutron      | network        | True    | internal  | http://192.168.122.10:9696                       |
| f3c12a3e48c04d9ba107859ad4302283 | RegionOne | aodh         | alarming       | True    | public    | http://192.168.122.10:8042                       |
| f5d15ec7d0a04327b5d402c82a93799d | RegionOne | heat         | orchestration  | True    | admin     | http://192.168.122.10:8004/v1/%(tenant_id)s      |
| f6e689e9a0c8452ea4a976bc591d6355 | RegionOne | heat         | orchestration  | True    | internal  | http://192.168.122.10:8004/v1/%(tenant_id)s      |
| fe476aade04f45feaaf98779dc79c60b | RegionOne | aodh         | alarming       | True    | admin     | http://192.168.122.10:8042                       |
+----------------------------------+-----------+--------------+----------------+---------+-----------+--------------------------------------------------+
And if you want to show the details about a particular endpoint, you need to refer to it by ID.
$ openstack endpoint show f5d15ec7d0a04327b5d402c82a93799d
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | f5d15ec7d0a04327b5d402c82a93799d            |
| interface    | admin                                       |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 6435972a40544279944c7cc72edda939            |
| service_name | heat                                        |
| service_type | orchestration                               |
| url          | http://192.168.122.10:8004/v1/%(tenant_id)s |
+--------------+---------------------------------------------+
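Once the catalog is populated, the checks an administrator wants are the ones this section implies: every service has its public, internal, and admin endpoints, no (region, service, interface) triple is registered twice, each URL listens on the port Table 4-1 gives for that service type, and nothing is still served over plain http. The following Python is an added example (not from the book or the OpenStack project) that runs those checks over records shaped like the output of `openstack endpoint list -f json`. The endpoint records and their IDs are constructed for the example and deliberately contain a missing admin endpoint, a wrong port, and a duplicate.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Expected listening ports per service type (from Table 4-1), keyed by the
# "Type" column of "openstack service list".
EXPECTED_PORTS = {
    "identity": {5000, 35357},
    "volumev3": {8776},
    "image": {9292},
    "compute": {8774},
    "placement": {8778},
    "object-store": {8080},
    "network": {9696},
    "alarming": {8042},
    "metric": {8041},
    "orchestration": {8004},
}

# Every service should expose all three interfaces in each region.
REQUIRED_INTERFACES = {"public", "internal", "admin"}

# Constructed sample in the shape of "openstack endpoint list -f json"
# (keys are the column names; the IDs are placeholders, not real endpoint IDs).
# Glance lacks its admin endpoint, Neutron's admin endpoint points at Glance's
# port, and Keystone's admin endpoint is registered twice.
SAMPLE_ENDPOINTS = [
    {"ID": "ep-01", "Region": "RegionOne", "Service Type": "image", "Interface": "public", "URL": "http://192.168.122.10:9292"},
    {"ID": "ep-02", "Region": "RegionOne", "Service Type": "image", "Interface": "internal", "URL": "http://192.168.122.10:9292"},
    {"ID": "ep-03", "Region": "RegionOne", "Service Type": "network", "Interface": "public", "URL": "http://192.168.122.10:9696"},
    {"ID": "ep-04", "Region": "RegionOne", "Service Type": "network", "Interface": "internal", "URL": "http://192.168.122.10:9696"},
    {"ID": "ep-05", "Region": "RegionOne", "Service Type": "network", "Interface": "admin", "URL": "http://192.168.122.10:9292"},
    {"ID": "ep-06", "Region": "RegionOne", "Service Type": "identity", "Interface": "public", "URL": "https://controller.my-domain.com:5000/v3"},
    {"ID": "ep-07", "Region": "RegionOne", "Service Type": "identity", "Interface": "internal", "URL": "https://controller.my-domain.com:5000/v3"},
    {"ID": "ep-08", "Region": "RegionOne", "Service Type": "identity", "Interface": "admin", "URL": "https://controller.my-domain.com:5000/v3"},
    {"ID": "ep-09", "Region": "RegionOne", "Service Type": "identity", "Interface": "admin", "URL": "https://controller.my-domain.com:5000/v3"},
]


def endpoint_port(url):
    """Port an endpoint URL listens on, applying the scheme default when none is given."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def audit_catalog(endpoints):
    """Return (kind, detail) findings for a list of endpoint records."""
    findings = []
    seen = {}                        # (region, type, interface) -> first endpoint ID
    interfaces = defaultdict(set)    # (region, type) -> interfaces present
    schemes = defaultdict(set)       # (region, type) -> URL schemes in use

    for ep in endpoints:
        service = (ep["Region"], ep["Service Type"])
        key = service + (ep["Interface"],)
        if key in seen:
            findings.append(("duplicate",
                             f"{ep['ID']} repeats {seen[key]} for {ep['Service Type']}/{ep['Interface']}"))
        seen.setdefault(key, ep["ID"])
        interfaces[service].add(ep["Interface"])
        schemes[service].add(urlsplit(ep["URL"]).scheme)

        expected = EXPECTED_PORTS.get(ep["Service Type"])
        port = endpoint_port(ep["URL"])
        if expected and port not in expected:
            findings.append(("wrong-port",
                             f"{ep['ID']} {ep['Service Type']}/{ep['Interface']} listens on {port}, expected {sorted(expected)}"))

    for (region, stype), present in interfaces.items():
        missing = REQUIRED_INTERFACES - present
        if missing:
            findings.append(("missing-interface", f"{region} {stype} lacks {sorted(missing)}"))
        if "http" in schemes[(region, stype)]:
            findings.append(("plaintext", f"{region} {stype} has endpoints served over plain http"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_catalog(SAMPLE_ENDPOINTS):
        print(f"{kind:18} {detail}")
```

On a live cloud, feed it `json.loads(subprocess.check_output(["openstack", "endpoint", "list", "-f", "json"]))`; the audit only looks at the Region, Service Type, Interface, and URL columns, so the extra columns in the real output are ignored.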
Horizon covers only approximately 70% of the overall available OpenStack functionality, so you can’t create services and endpoints through the web client, although you can check a list of services and their current statuses. Log in as an admin and go to Admin ➤ System ➤ System Information (see Figure 4-1).

A screenshot of the OpenStack dashboard depicts the system information with column titles such as name, service, region, and endpoints.

Figure 4-1

List of services in Horizon

Managing/Creating Domains, Projects, Users, and Roles

You can easily create projects, users, and roles with the help of the openstack CLI command. Let’s start with a new domain. You need to use admin credentials for this operation.
$ source keystonerc_admin
$ openstack domain create --description "Test domain" newdomain
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Test domain                      |
| enabled     | True                             |
| id          | 2eb7949c140f4c6f9da639fb4ff3b292 |
| name        | newdomain                        |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+
Then, you can create a new project at the newdomain domain.
$ openstack project create --description "Test project" --domain newdomain apress
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Test project                     |
| domain_id   | 2eb7949c140f4c6f9da639fb4ff3b292 |
| enabled     | True                             |
| id          | 8850cf87ed6e463d91c6096687e236bf |
| is_domain   | False                            |
| name        | apress                           |
| options     | {}                               |
| parent_id   | 2eb7949c140f4c6f9da639fb4ff3b292 |
| tags        | []                               |
+-------------+----------------------------------+
You can get a list of all projects and details about each.
$ openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 27cdeded89d24fb49c11030b8cc87f15 | admin    |
| 53d4fd6c5b1d44e89e604957c4df4fc2 | services |
| 8850cf87ed6e463d91c6096687e236bf | apress   |
| 9e0c535c2240405b989afa450681df18 | demo     |
+----------------------------------+----------+
$ openstack project show apress
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Test project                     |
| domain_id   | 2eb7949c140f4c6f9da639fb4ff3b292 |
| enabled     | True                             |
| id          | 8850cf87ed6e463d91c6096687e236bf |
| is_domain   | False                            |
| name        | apress                           |
| options     | {}                               |
| parent_id   | 2eb7949c140f4c6f9da639fb4ff3b292 |
| tags        | []                               |
+-------------+----------------------------------+
The first command listed three projects from the default domain and one from newdomain. You can create a second Apress project in another domain, the default domain. In this case, you see two Apress projects.
$ openstack project create --description "Test project" --domain default apress
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Test project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3a9a59175cce4a74a72c882947e8bc86 |
| is_domain   | False                            |
| name        | apress                           |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 27cdeded89d24fb49c11030b8cc87f15 | admin    |
| 3a9a59175cce4a74a72c882947e8bc86 | apress   |
| 53d4fd6c5b1d44e89e604957c4df4fc2 | services |
| 8850cf87ed6e463d91c6096687e236bf | apress   |
| 9e0c535c2240405b989afa450681df18 | demo     |
+----------------------------------+----------+
You can tell the two projects apart by adding the --domain option.
$ openstack project list --domain default
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 27cdeded89d24fb49c11030b8cc87f15 | admin    |
| 3a9a59175cce4a74a72c882947e8bc86 | apress   |
| 53d4fd6c5b1d44e89e604957c4df4fc2 | services |
| 9e0c535c2240405b989afa450681df18 | demo     |
+----------------------------------+----------+
$ openstack project list --domain newdomain
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 8850cf87ed6e463d91c6096687e236bf | apress |
+----------------------------------+--------+
Now you can create a new user, apressuser, and grant it the _member_ role in the Apress project.
$ openstack user create --password-prompt --domain newdomain apressuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 2eb7949c140f4c6f9da639fb4ff3b292 |
| enabled             | True                             |
| id                  | b61d2670f55f425e9a8e5eabb8deeeda |
| name                | apressuser                       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack role add --project apress --user apressuser _member_
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 9fe2ff9ee4384b1894a90878d3e92bab |
| name  | _member_                         |
+-------+----------------------------------+
Note

If you skip the --domain option, the user is created at the default domain. If more than one project exists with the name apress, the command fails. You must add the --domain option to specify the domain.

The admin role is global, not per project, so granting a user the admin role in any project gives the user administrative rights across the whole environment.

If you use the multi-domain model, then you must enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True option in the /etc/openstack-dashboard/local_settings file; otherwise, users who are not from the default domain cannot log in to the Horizon dashboard. The screenshot on the left side of Figure 4-2 shows the option disabled; the screenshot on the right side shows it enabled.

A screenshot represents two login open stack dashboards, where the first login page has the user name, password, and sign-in button, and the second login page has the user name, password, domain, and sign-in button.

Figure 4-2

Horizon dashboard login page

If you want a list of all the roles in the OpenStack cloud, use the following command.
$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 1911ed7a60dd4747b1fa6acc5f92a043 | _member_         |
| 2fedf0797f424044bcab955aec0eab3d | ResellerAdmin    |
| 4954a6475ba9486db1a71d9a7c80678a | reader           |
| 5cee5adb606f46178d5afe98875d73b7 | heat_stack_user  |
| 90d2e65c22d44414a5f4426cc475be25 | heat_stack_owner |
| ac25b92ce9474945831685b249a4a07b | admin            |
| d88c81ae7b354abb9a2960115cff07a6 | SwiftOperator    |
| f7722f79327f40b7845899cef62c8b0a | member           |
+----------------------------------+------------------+

As you can see, to create a region or domain in the identity service, you need the admin role. You get an HTTP 403 error code if the current policy doesn’t allow the command to be performed.
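The two failure modes mentioned in this section are distinct: an expired token is rejected before any policy check (HTTP 401), while a valid token whose role list does not satisfy the policy rule for the requested action is refused with HTTP 403. The following Python is an added example that models that decision; it is not Keystone’s code. The policy target names follow Keystone’s own targets (identity:create_domain and so on) and the rule strings follow the oslo.policy syntax (“role:X”, “rule:Y”, joined with “or”), but the policy table and the evaluator are constructed and simplified for the example.

```python
import time

# Constructed policy table. Targets are named like Keystone's policy targets and
# rules use the oslo.policy "role:" / "rule:" / "or" syntax, but this is a model,
# not the distributed policy of any Keystone release.
POLICY = {
    "admin_required": "role:admin",
    "identity:create_domain": "rule:admin_required",
    "identity:create_region": "rule:admin_required",
    "identity:list_projects": "rule:admin_required or role:reader",
    "identity:get_project": "rule:admin_required or role:member or role:_member_",
}

TOKEN_LIFETIME = 3600  # seconds; the [token] expiration default from Table 4-2


def rule_allows(rule, roles, policy=POLICY):
    """True if any 'or' alternative of the rule is satisfied by the token's roles."""
    for alternative in rule.split(" or "):
        alternative = alternative.strip()
        if alternative.startswith("role:"):
            if alternative[len("role:"):] in roles:
                return True
        elif alternative.startswith("rule:"):
            # Named rules are resolved recursively, as "rule:admin_required" above.
            if rule_allows(policy[alternative[len("rule:"):]], roles, policy):
                return True
        else:
            raise ValueError(f"unsupported rule fragment: {alternative!r}")
    return False


def issue_token(user, project, roles, lifetime=TOKEN_LIFETIME, now=None):
    """Model of a project-scoped token: user, project, role list, and expiry time."""
    now = time.time() if now is None else now
    return {"user": user, "project": project, "roles": list(roles),
            "expires_at": now + lifetime}


def authorize(token, action, now=None, policy=POLICY):
    """HTTP status a service returns: 401 for an expired token, 403 when policy denies, 200 otherwise."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        return 401
    if not rule_allows(policy[action], token["roles"], policy):
        return 403
    return 200


if __name__ == "__main__":
    issued = 1_000_000  # constructed timestamp
    admin = issue_token("admin", "admin", ["admin"], now=issued)
    member = issue_token("apressuser", "apress", ["_member_"], now=issued)
    for who, action, when in [(admin, "identity:create_domain", issued + 60),
                              (member, "identity:create_domain", issued + 60),
                              (member, "identity:get_project", issued + 60),
                              (member, "identity:get_project", issued + TOKEN_LIFETIME)]:
        print(who["user"], action, "->", authorize(who, action, now=when))
```

The order of the checks matters for troubleshooting: a 401 from any service means the token (or the keystonerc it was obtained with) is the problem, whereas a 403 means the token is fine and the role assignment or the policy file is what to look at.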

After creating a new user, you may want to create a new keystonerc file for it. You may use the keystonerc_admin file as a template. In this case, you need to change the OS_PROJECT_NAME, OS_USERNAME, and OS_PASSWORD variables.

If you need to delete a user or project, you can use the same openstack command but with the delete subcommand. The following is an example.
$ openstack user delete apressuser
$ openstack project delete apress
It is possible to create, delete, and edit users and projects in OpenStack in the web interface (Horizon). Go to Identity ➤ Users or Identity ➤ Projects. Examples of editing a project and creating a user are shown in Figures 4-3 and 4-4, respectively.

A screenshot of an OpenStack dashboard depicts the pop-up menu to edit the projects.

Figure 4-3

Managing project members in Horizon

A screenshot represents how to create a new user in OpenStack.

Figure 4-4

Creating a new user in Horizon

Managing and Verifying the Operation of the Identity Service

For performance, a modern OpenStack installation deploys the Apache HTTP server with the mod_wsgi package to handle requests and uses Memcached to store tokens. CentOS, Scientific Linux, Oracle Linux, and other Red Hat Enterprise Linux derivatives manage services with systemd. You can check whether the Memcached and Apache servers are started and active.
# systemctl status memcached.service
● memcached.service - Memcached
     Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2022-07-13 15:12:19 CEST; 20min ago
   Main PID: 1347 (memcached)
      Tasks: 14 (limit: 204820)
     Memory: 9.4M
        CPU: 192ms
     CGroup: /system.slice/memcached.service
             └─1347 /usr/bin/memcached -p 11211 -u memcached -m 3206 -c 8192 -l 0.0.0.0 -U 0 -t 8 ">>" /var/log/memcached.log "2>&1"
Jul 13 15:12:19 rdo.test.local systemd[1]: Started memcached daemon.
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/httpd.service.d
             └─openstack-dashboard.conf
     Active: active (running) since Wed 2022-07-13 15:12:49 CEST; 20min ago
...
Note

Keystone supports three token formats: PKI tokens (deprecated), UUID, and Fernet tokens. The first two are non-persistent, lightweight, and reduce the operational overhead required to run a cloud. Fernet tokens don’t need the Memcached daemon to be running.

The standard GNU/Linux ps command can show you eight processes with names containing keystone.
# ps aux | grep keystone
keystone    4305  0.2  0.3 255984 111544 ?       Sl   15:12   0:03 keystone        -DFOREGROUND
keystone    4306  0.1  0.3 254192 109248 ?       Sl   15:12   0:02 keystone        -DFOREGROUND
...
These are daemon processes spawned by the WSGI module of the Apache HTTP server. You can find their configuration files in the /etc/httpd/conf.d/ directory.
# ls /etc/httpd/conf.d/*keystone*
/etc/httpd/conf.d/10-keystone_wsgi.conf
Here is a shortened example of the configuration file for the virtual host.
<VirtualHost *:5000>
  ServerName rdo.test.local
  ## Vhost docroot
  DocumentRoot "/var/www/cgi-bin/keystone"
  ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
  <Directory "/var/www/cgi-bin/keystone">
    Options -Indexes +FollowSymLinks +MultiViews
    AllowOverride None
    Require all granted
  </Directory>
  ## Logging
  ErrorLog "/var/log/httpd/keystone_wsgi_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/keystone_wsgi_access.log" combined
  SetEnvIf X-Forwarded-Proto https HTTPS=1
  ## WSGI configuration
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone display-name=keystone group=keystone processes=8 threads=1 user=keystone
  WSGIProcessGroup keystone
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/keystone"
  WSGIPassAuthorization On
</VirtualHost>
If troubleshooting is needed, you may also want to check the endpoints by ID.
$ openstack endpoint show <ID of endpoint>

When debugging, you may want to check the logs in /var/log/httpd/keystone_* and /var/log/keystone/keystone.log.

Summary

This chapter discussed Keystone’s architecture and main components. You learned how to manage catalog services, endpoints, users, and domains.

The next chapter delves into image management.

Review Questions

  1. Which of the following adds user apressuser with a member role to the only Apress project?
     A. openstack role add --project apress --user apressuser _member_
     B. openstack role add --project apress --user apressuser member
     C. openstack role add --project apress --user _member_ apressuser
     D. openstack role add --project apress --user member apressuser

  2. Which system service should be started for proper Keystone functioning?
     A. httpd
     B. keystone-admin
     C. memcached
     D. keystone

  3. How do you define a new role in the OpenStack cloud? (Choose all that are applicable.)
     A. Enter the openstack role create newrole command.
     B. Restart the httpd service.
     C. Create a new keystonerc file.
     D. Add a definition to the policy.json file.

  4. How do you separate two or more cloud instances but manage them with one Keystone instance?
     A. Use the Domains feature.
     B. Use the Regions feature.
     C. Use availability zones.
     D. Each cloud instance should use its own Keystone instance feature.

  5. Which HTTP error code do you get if the Keystone token has expired?
     A. ERROR 404
     B. ERROR 403
     C. ERROR 401
     D. All of them

Answers

  1. A
  2. D
  3. A
  4. A
  5. C