Factors to consider in cloud security
1. Data security
The cloud provider must protect cloud users' data from theft or loss. Core mechanism: strong encryption and key management.
2. Identity and access management security
Effective identity and access control.
3. Virtualization security
Isolation of virtual machines, and secure control of the communication between virtual machines.
4. Infrastructure security
Security of the core IT infrastructure: servers, storage, networking and so on.
Role and working principle of Keystone
Overview
Keystone is the OpenStack Identity Service, an independent module in OpenStack that provides authentication. Its main functions are: authentication of OpenStack users, token management, a service catalog for accessing resources, and role-based access control.
Basic concepts of Keystone
- User: an individual, a system, or a service that accesses OpenStack services through Keystone.
- Tenant: can be understood as an organization or a project; a tenant is a collection of accessible resources across the various services. Before a user can access a tenant, the user must be associated with that tenant and be assigned a role within it.
- Role: the roles a user holds; different roles mean different granted permissions. Within a tenant, a user can only exercise the permissions defined by its role in that tenant.
- Service: for example Nova, Swift, Glance and Cinder. Based on User, Tenant and Role, a service can determine whether the current user has permission to access its resources.
- Endpoint: a network address that can be used to access a specific service; think of it as the service's access point. To access a service you must know its Endpoint (usually expressed as a URL). There are three kinds of URL:
  - Public URL: the service endpoint exposed globally
  - Internal URL: for access between internal services
  - Admin URL: for administrators
- Token: a user obtains a token for a given tenant through its credentials; the token carries its issue time and validity period.
Keystone mainly provides the following services:
1. Identity: verifies the user's username and password.
2. Token: after the identity is verified, provides the user with a token used to prove identity and request resources.
3. Catalog: provides a query directory of services, i.e. the list of access Endpoints for each service.
4. Policy: a rule-based authorization engine; a configuration file defines how actions map to user roles.
Through these services Keystone builds a bridge between users and services:
- The user obtains a token and the service list from Keystone.
- When accessing a service, the user sends its token.
- The service verifies the token's validity with Keystone.
Keystone workflow:
Taking the creation of a virtual machine as an example:
1. Authentication: the user sends its credentials to Keystone; after authentication succeeds, Keystone returns token1 and the service catalog.
2. Query tenants: the user uses token1 to ask Keystone which tenants it belongs to; after Keystone validates token1, it returns the user's list of tenants.
3. The user selects a tenant and sends its credentials to Keystone to request a token; on success, token2 is returned.
4. The user selects a service Endpoint and sends token2 with a request to create a virtual machine; Keystone verifies that token2 is valid and that the user has permission to create virtual machines, then the request is passed to Nova, which creates the virtual machine.
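The four-step workflow above, together with the admin_required 403 that the demo user hits in the verification section, as an added toy model in Python (not Keystone's own code): the users, projects, roles, policy rules and token store are all constructed in memory, and the passwords ADMIN_PASS and DEMO_PASS are placeholders.

```python
import hashlib, hmac, secrets, time
SALT = b"constructed-salt"  # toy fixed salt; real Keystone hashes each password separately
def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

# Constructed identity backend mirroring the users, projects and roles created in this guide
USERS = {"admin": _digest("ADMIN_PASS"), "demo": _digest("DEMO_PASS")}
PROJECTS = {"admin": {"admin": {"admin"}}, "demo": {"demo": {"user"}}, "service": {}}
# Toy policy in the spirit of policy.json: action -> rule
POLICY = {"identity:list_users": "admin_required", "compute:create": "role:user"}
TOKENS = {}          # token id -> {user, project, roles, expires}
TOKEN_TTL = 3600     # seconds a token stays valid

def authenticate(username, password, project=None):
    """Steps 1 and 3: check credentials, return an unscoped or tenant-scoped token id."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        return None                      # bad credentials
    roles = set()
    if project is not None:
        roles = PROJECTS.get(project, {}).get(username)
        if roles is None:
            return None                  # user is not associated with that tenant
    tid = secrets.token_hex(16)
    TOKENS[tid] = {"user": username, "project": project, "roles": roles,
                   "expires": time.time() + TOKEN_TTL}
    return tid

def user_projects(tid):
    """Step 2: list the tenants the token's user is a member of."""
    t = validate(tid)
    return sorted(p for p, members in PROJECTS.items() if t and members.get(t["user"]))

def validate(tid):
    """What a service asks Keystone: does the token exist and is it unexpired?"""
    t = TOKENS.get(tid)
    if t is None or t["expires"] <= time.time():
        TOKENS.pop(tid, None)            # expired tokens are dropped
        return None
    return t

def enforce(tid, action):
    """Step 4, the policy check; returns an HTTP-style status (200, 401 or 403)."""
    t = validate(tid)
    if t is None:
        return 401                       # no valid token
    rule = POLICY.get(action, "admin_required")
    if rule == "admin_required":
        return 200 if "admin" in t["roles"] else 403
    return 200 if rule.startswith("role:") and rule[5:] in t["roles"] else 403
```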
Installing Keystone
- 1. Create the database
mysql -e "CREATE DATABASE keystone;"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
- 2. Generate a random token
openssl rand -hex 10
9776252a40ab6d597ae1
- 3. Install the packages (keystone, httpd, memcached)
yum -y install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached openstack-utils
- 4. Start memcached and enable it at boot
systemctl enable memcached.service
systemctl restart memcached.service
Configuring Keystone and the Apache HTTP Server
- Configure Keystone
Replace the admin_token value with the random string generated in the earlier step:
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token 9776252a40ab6d597ae1
openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:keystone@10.0.0.11/keystone
openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
openstack-config --set /etc/keystone/keystone.conf token provider keystone.token.providers.uuid.Provider
openstack-config --set /etc/keystone/keystone.conf token driver keystone.token.persistence.backends.memcache.Token
openstack-config --set /etc/keystone/keystone.conf revoke driver keystone.contrib.revoke.backends.sql.Revoke
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose True
Initialize the Keystone database:
su -s /bin/sh -c "keystone-manage db_sync" keystone
- Configure the Apache HTTP server
httpd.conf
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
wsgi-keystone.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf <<OFF
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
OFF
WSGI scripts
mkdir -p /var/www/cgi-bin/keystone
curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*
Start httpd and enable it at boot:
systemctl enable httpd.service
systemctl restart httpd.service
systemctl status httpd.service
Creating the Keystone service and API endpoint
- Set the variables
export OS_TOKEN=9776252a40ab6d597ae1
export OS_URL=http://controller:35357/v2.0
- Create the keystone service
openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 9bf7353187aa4388af91765718a7bad3 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
- Create the keystone endpoint
openstack endpoint create \
--publicurl http://controller:5000/v2.0 \
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region RegionOne \
identity
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 |
| id | a6025f5b403e41e0babc652564678d9e |
| internalurl | http://controller:5000/v2.0 |
| publicurl | http://controller:5000/v2.0 |
| region | RegionOne |
| service_id | 9bf7353187aa4388af91765718a7bad3 |
| service_name | keystone |
| service_type | identity |
+--------------+----------------------------------+
Creating projects, users and roles
- Create the admin project
openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| enabled | True |
| id | 6655a8db1705461384c78137e5e87c17 |
| name | admin |
+-------------+----------------------------------+
- Create the admin user
openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 9ba6768a31c64aa2904845f7c20ef59e |
| name | admin |
| username | admin |
+----------+----------------------------------+
- Create the admin role
openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 53e5d390efe84b948ba5718f116b4861 |
| name | admin |
+-------+----------------------------------+
- Add the admin role to the admin project and the admin user
openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 53e5d390efe84b948ba5718f116b4861 |
| name | admin |
+-------+----------------------------------+
- Create the service project
This guide uses a service project that contains a unique user for each service that you add to your environment.
openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| enabled | True |
| id | aeff31522d2b493cbe8b0e3cdf44b9dd |
| name | service |
+-------------+----------------------------------+
- Create the demo project
Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| enabled | True |
| id | 453b044bd6704d509423c992880184da |
| name | demo |
+-------------+----------------------------------+
openstack user create --password-prompt demo
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 1ec121d596c142d18d81064b17512a32 |
| name | demo |
| username | demo |
+----------+----------------------------------+
openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 4a3f8fe61d59456e876a92a9c53d0b81 |
| name | user |
+-------+----------------------------------+
openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 4a3f8fe61d59456e876a92a9c53d0b81 |
| name | user |
+-------+----------------------------------+
Verifying the service
- Unset the variables set earlier
unset OS_TOKEN OS_URL
- Verify the admin token (API 2.0)
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:25:09Z |
| id | 2e06ec10f395438c9d87c93c0a36ef54 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
- Verify the admin token (API 3.0)
openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:26:32.326481Z |
| id | 5875fd684d9d4092996a68b45ed65b05 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
- List the created projects
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
project list
Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 453b044bd6704d509423c992880184da | demo |
| 6655a8db1705461384c78137e5e87c17 | admin |
| aeff31522d2b493cbe8b0e3cdf44b9dd | service |
+----------------------------------+---------+
- List the created users
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
user list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9ba6768a31c64aa2904845f7c20ef59e | admin |
| 1ec121d596c142d18d81064b17512a32 | demo |
+----------------------------------+-------+
- List the created roles
openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
role list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4a3f8fe61d59456e876a92a9c53d0b81 | user |
| 53e5d390efe84b948ba5718f116b4861 | admin |
+----------------------------------+-------+
- Request a token as the demo user (API 3.0)
openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:31:21.431270Z |
| id | 83442092b3ad4903ab4395efcb06b585 |
| project_id | 453b044bd6704d509423c992880184da |
| user_id | 1ec121d596c142d18d81064b17512a32 |
+------------+----------------------------------+
- List users as the demo user (to check whether it has the permission)
openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
user list
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-11dbd684-6922-44e9-97f1-2048b2407a74)
Creating the admin-openrc.sh environment file
- Create admin-openrc.sh (replace ADMIN_PASS with the admin password)
cat > admin-openrc.sh << OFF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
OFF
- Usage
source admin-openrc.sh
openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-09-09T11:36:55.775786Z |
| id | e8edf46d77a94d108c6939ad89f0e098 |
| project_id | 6655a8db1705461384c78137e5e87c17 |
| user_id | 9ba6768a31c64aa2904845f7c20ef59e |
+------------+----------------------------------+
Keystone service summary

| Item | Value |
|---|---|
| Service name | keystone |
| Configuration file | /etc/keystone/keystone.conf |
| Log file | /var/log/keystone/keystone.log |
| Public URL | http://controller:5000/v2.0 |
| Internal URL | http://controller:5000/v2.0 |
| Admin URL | http://controller:35357/v2.0 |