
O018. Understanding Keystone Core Concepts

Author: Internet

Reference: https://www.cnblogs.com/CloudMan6/p/5365474.html

As the foundational supporting service of OpenStack, Keystone does the following things:

  1. Manages Users and their permissions
  2. Maintains the Endpoints of the OpenStack Services
  3. Authentication and Authorization

To learn Keystone you need to understand these concepts:

User

A User is any entity that uses OpenStack: a real person, another system, or a service. When a User requests access to OpenStack, Keystone verifies it. Horizon manages Users under Identity -> Users.

Besides admin and demo, OpenStack also creates a corresponding User for each of the nova, cinder, glance and neutron services. admin can manage these Users as well.

Credentials

Credentials are the information a User presents to prove its identity. They can be:

  1. Username/password
  2. Token
  3. API Key
  4. Other advanced methods

Authentication

Authentication is the process by which Keystone verifies a User's identity. When a User accesses OpenStack it submits its Credentials (username and password) to Keystone; once they are verified, Keystone issues the User a Token, which serves as the Credentials for subsequent requests.

Token

A Token is a string of digits and letters. After a User authenticates successfully, Keystone generates a Token and hands it to the User.

  1. The Token is used as the Credentials for accessing Services
  2. A Service validates the Token through Keystone
  3. The Token's validity period defaults to 24 hours

A Token is a bearer credential: whoever holds it can act as that User until it expires or is revoked, so it must be protected like a password and sent only over TLS.

Project

A Project groups and isolates OpenStack resources (compute, storage and network). Depending on whom the deployment serves, a Project can be a customer (public cloud, where it is also called a tenant) or a department or project team (private cloud).

Note the following:

  1. Resources are owned by the Project, not by the User
  2. In OpenStack's interface and documentation the terms Tenant, Project and Account are used interchangeably, but the long-term trend is toward Project
  3. Every User (including admin) must be assigned to a Project before it can access that Project's resources. A User can belong to multiple Projects
  4. admin is equivalent to the root user and has the highest privileges

Horizon manages Projects under Identity -> Projects. Users are added to a Project via Manage Members.

Service

OpenStack Services include Compute (Nova), Block Storage (Cinder), Object Storage (Swift), Image Service (Glance), Networking Service (Neutron) and others. Each Service provides several Endpoints, through which Users access resources and perform operations.

Endpoint

An Endpoint is a network-reachable address, usually a URL. A Service exposes its API through its Endpoints, and Keystone manages and maintains the Endpoints of every Service. In the catalog each Endpoint is registered under a region with an interface type: public for users, internal for service-to-service traffic, and admin for administrative operations.

The Endpoints can be viewed with the following commands:

root@DevStack-Controller:~# su - stack
stack@DevStack-Controller:~$ source devstack/openrc admin admin
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@DevStack-Controller:~$ openstack catalog list
+-------------+----------------+--------------------------------------------------------------------------+
| Name        | Type           | Endpoints                                                                |
+-------------+----------------+--------------------------------------------------------------------------+
| nova_legacy | compute_legacy | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:8774/v2/c2b9e5f4a15d43218f3fca6e13c49a3a |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:8774/v2/c2b9e5f4a15d43218f3fca6e13c49a3a    |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:8774/v2/c2b9e5f4a15d43218f3fca6e13c49a3a   |
|             |                |                                                                          |
| nova        | compute        | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:8774/v2.1                                  |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:8774/v2.1                                   |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:8774/v2.1                                |
|             |                |                                                                          |
| placement   | placement      | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241/placement                                   |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241/placement                                  |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241/placement                                |
|             |                |                                                                          |
| neutron     | network        | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:9696/                                    |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:9696/                                       |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:9696/                                      |
|             |                |                                                                          |
| cinder      | volume         | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:8776/v1/c2b9e5f4a15d43218f3fca6e13c49a3a   |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:8776/v1/c2b9e5f4a15d43218f3fca6e13c49a3a |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:8776/v1/c2b9e5f4a15d43218f3fca6e13c49a3a    |
|             |                |                                                                          |
| cinderv2    | volumev2       | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:8776/v2/c2b9e5f4a15d43218f3fca6e13c49a3a |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:8776/v2/c2b9e5f4a15d43218f3fca6e13c49a3a   |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:8776/v2/c2b9e5f4a15d43218f3fca6e13c49a3a    |
|             |                |                                                                          |
| glance      | image          | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:9292                                        |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:9292                                       |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:9292                                     |
|             |                |                                                                          |
| keystone    | identity       | RegionOne                                                                |
|             |                |   public: http://10.12.31.241/identity                                   |
|             |                | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241/identity_admin                              |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241/identity                                 |
|             |                |                                                                          |
| cinderv3    | volumev3       | RegionOne                                                                |
|             |                |   admin: http://10.12.31.241:8776/v3/c2b9e5f4a15d43218f3fca6e13c49a3a    |
|             |                | RegionOne                                                                |
|             |                |   internal: http://10.12.31.241:8776/v3/c2b9e5f4a15d43218f3fca6e13c49a3a |
|             |                | RegionOne                                                                |
|             |                |   public: http://10.12.31.241:8776/v3/c2b9e5f4a15d43218f3fca6e13c49a3a   |
|             |                |                                                                          |
+-------------+----------------+--------------------------------------------------------------------------+

Role

Security has two parts: Authentication and Authorization.

  Authentication answers the question "who are you?"
  Authorization answers the question "what are you allowed to do?"

Keystone implements Authorization by means of Roles.

stack@DevStack-Controller:~$ openstack role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 27b9f9c4662f43c3b7105e850c379178 | ResellerAdmin |
| 3f30d75f5f36462188912589b6836845 | admin         |
| 4449fc37d1ca4553b01aeb13a9ade335 | service       |
| 7eaba228090b4b9085b3ae6dd5350779 | anotherrole   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| ac26bf535bec47549f8da39809fc79a4 | Member        |
+----------------------------------+---------------+

  1. Keystone defines the Roles
  2. A User can be assigned one or more Roles; in Horizon this is done under Identity -> Project -> Manage Members
  3. Each Service decides what every Role is allowed to do. A Service controls access per Role through its own policy.json file. Below is the policy file of the Nova service:

cat /etc/nova/policy.json

The configuration above means: the create, attach_network and attach_volume operations may be performed by a User holding any Role, but only a User holding the admin Role may perform the forced_host operation.

OpenStack's default configuration only distinguishes between the admin Role and non-admin Roles. To grant permissions to a specific Role, edit policy.json. (Later releases ship the default rules in code and take overrides from policy.yaml instead, but the rule language and the Role-to-action mapping work the same way.)
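The Token, Endpoint and Role sections above describe a chain that is easier to see in code: the client reads a Service Endpoint out of the catalog that comes back with the Token, and the Service then checks the Token's expiry and maps its Roles onto permitted actions through its policy.json rules. The following Python is an added example written for this page; it is not code from the original post or from OpenStack. The token body and the policy are constructed here (the address, project ID, endpoints and role names copy the CLI output above, the policy uses the rule format the post describes), and the rule evaluator is a deliberately small re-implementation of oslo.policy's semantics, not the library itself.

```python
"""Added example for this post, not code from the original or from OpenStack.
After Keystone issues a Token, the client picks a Service Endpoint from the
token's catalog and the Service maps the token's Roles onto permitted actions
with a policy.json-style rule set. The token body and policy are constructed
here; address, project ID, endpoints and role names copy the post's output."""
from datetime import datetime, timezone

# Constructed stand-in for the JSON body Keystone returns from
# POST /v3/auth/tokens. The token ID itself travels in the
# X-Subject-Token response header, not in this body.
TOKEN = {
    "expires_at": "2019-05-23T08:00:00.000000Z",
    "project": {"id": "c2b9e5f4a15d43218f3fca6e13c49a3a", "name": "demo"},
    "roles": [{"name": "Member"}, {"name": "anotherrole"}],
    "catalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://10.12.31.241:8774/v2.1"}]},
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://10.12.31.241/identity"},
            {"interface": "admin", "region": "RegionOne",
             "url": "http://10.12.31.241/identity_admin"}]},
    ],
}

# Constructed policy in the policy.json format the post describes: "" admits
# any authenticated caller, "rule:x" references another rule, "role:" and
# "is_admin:" test the caller, "project_id:%(project_id)s" tests ownership.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:create": "",
    "compute:create:attach_network": "",
    "compute:create:attach_volume": "",
    "compute:create:forced_host": "is_admin:True",
}


def find_endpoint(token, service_type, interface="public", region="RegionOne"):
    """Client side: pick a URL from the catalog, or None if none is registered."""
    for service in token["catalog"]:
        if service["type"] == service_type:
            for ep in service["endpoints"]:
                if ep["interface"] == interface and ep["region"] == region:
                    return ep["url"]
    return None


def parse_ts(ts):
    """Keystone timestamps are UTC ISO 8601 with microseconds and a 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_is_current(token, now_iso):
    """Service side, step 1: an expired token (24h lifetime by default) is rejected."""
    return parse_ts(now_iso) < parse_ts(token["expires_at"])


def check_rule(rule, creds, target):
    """Evaluate one rule string. As in oslo.policy, 'and' binds tighter
    than 'or'; parentheses and 'not' are left out of this example."""
    if rule.strip() == "":
        return True
    return any(
        all(check_atom(a.strip(), creds, target) for a in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def check_atom(atom, creds, target):
    """Evaluate a single 'kind:value' term against the caller and the target."""
    kind, _, value = atom.partition(":")
    value = value % target                      # expand %(project_id)s
    if kind == "rule":
        return check_rule(POLICY[value], creds, target)
    if kind == "role":
        return value in creds["roles"]
    if kind == "is_admin":
        return creds["is_admin"] == (value == "True")
    return str(creds.get(kind)) == value        # generic creds-vs-target match


def enforce(action, token, target=None):
    """Service side, step 2 (Nova-style): context_is_admin derives is_admin
    from the Roles, then the action's rule, or 'default' if unlisted, decides."""
    creds = {"roles": [r["name"] for r in token["roles"]],
             "project_id": token["project"]["id"], "is_admin": False}
    target = target or {"project_id": creds["project_id"]}
    creds["is_admin"] = check_rule(POLICY["context_is_admin"], creds, target)
    return check_rule(POLICY.get(action, POLICY["default"]), creds, target)


if __name__ == "__main__":
    print(find_endpoint(TOKEN, "compute"))               # nova public URL
    print(enforce("compute:create", TOKEN))              # True: any Role
    print(enforce("compute:create:forced_host", TOKEN))  # False: admin only
```

Two points the code makes that the prose only states: the Service never consults the User's password, only the Roles carried by the Token, which is why a leaked Token is as dangerous as a leaked password until it expires; and an action missing from the policy falls through to the "default" rule, so "admin_or_owner" is what protects every unlisted API, and loosening that one line widens access everywhere at once.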

Source: https://www.cnblogs.com/www1707/p/10909021.html