
Play with LDAP + Keystone (by quqi99)

Views: 23   Published: 2023-12-13 09:07:15.0

Copyright notice: this article may be freely reposted; when reposting, please include a hyperlink to the original source, the author information and this copyright notice (author: 张华, published 2018-05-29)

Install OpenLDAP

The OpenLDAP server can be installed with this charm - https://jujucharms.com/u/openstack-charmers/ldap-test-fixture/3; the yaml that ultimately has to be added is as follows:

  keystone-ldap:
    #charm: cs:keystone-ldap-10
    charm: cs:~openstack-charmers-next/keystone-ldap
  ldap-test-fixture:
    charm: cs:~openstack-charmers/ldap-test-fixture
  - [ keystone-ldap, keystone ]

It can also be installed step by step by following this link - https://api.jujucharms.com/charmstore/v5/~openstack-charmers/ldap-test-fixture-3/archive/hooks/install

debconf-set-selections <<EOF
slapd slapd/internal/adminpw password password
slapd slapd/password1 password password
slapd slapd/password2 password password
slapd slapd/domain string test.com
slapd shared/organization string test
EOF
sudo apt install slapd ldap-utils phpldapadmin
sudo sed -i "s/dc=example/dc=test/g" /etc/phpldapadmin/config.php
sudo service apache2 restart
sudo service slapd restart
#sudo dpkg-reconfigure slapd  #configure domain=test.com
wget https://raw.githubusercontent.com/openstack-charmers/charm-ldap-test-fixture/master/files/backup.ldif
sudo slapadd -v -c -l ./backup.ldif
sudo ldapsearch -H ldap://192.168.99.234:389 -x -w password -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com
sudo ldapsearch -H ldap://node1.lan:389 -x -w password -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -ZZ
sudo ldapsearch -H ldaps://node1.lan:636 -x -w password -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com
sudo ldapsearch -H ldaps://node1.lan:636  -x -b 'dc=test,dc=com' -s sub "(&(cn=johndoe)(objectClass=inetOrgPerson))" dn cn gidNumber uidNumber

Configure SSL:

##### LDAP StartTLS configuration #######
sudo cp ~/ca/ca.crt /etc/ldap/sasl2/
sudo cp ~/ca/node1.lan.crt /etc/ldap/sasl2/
sudo cp ~/ca/node1.lan.key /etc/ldap/sasl2/
name=node1.lan
sudo chown openldap:openldap /etc/ldap/sasl2/*
sudo chmod 600 /etc/ldap/sasl2/${name}.key
cat <<EOF > $HOME/modify_ssl.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/${name}.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/${name}.key
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $HOME/modify_ssl.ldif
sudo sed -i.orig "s/^TLS_CACERT.*/TLS_CACERT\t\/etc\/ldap\/sasl2\/ca.crt/" /etc/ldap/ldap.conf
$ grep -r '^SLAPD_SERVICES' /etc/default/slapd 
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
sudo systemctl restart slapd
#use the domain node1.lan and -ZZ
sudo ldapsearch -H ldap://node1.lan -x -w password -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -ZZ

Modify default schema to support OpenStack

$ sudo ldapsearch -H ldap://192.168.99.234:389 -x -w password -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.com
dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: test
dc: test

# admin, test.com
dn: cn=admin,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9Q1RxNU1nNHA5blhlL25WVjBqenZSYTZ2VkxQQnVJZjc=

# groups, test.com
dn: ou=groups,dc=test,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# admin, groups, test.com
dn: cn=admin,ou=groups,dc=test,dc=com
cn: admin
gidNumber: 500
memberUid: johndoe
objectClass: posixGroup
objectClass: top

# openstack, groups, test.com
dn: cn=openstack,ou=groups,dc=test,dc=com
cn: openstack
gidNumber: 501
memberUid: johndoe
objectClass: posixGroup
objectClass: top

# users, test.com
dn: ou=users,dc=test,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

# janedoe, users, test.com
dn: cn=janedoe,ou=users,dc=test,dc=com
cn: janedoe
gidNumber: 500
givenName: Jane
homeDirectory: /home/users/janedoe
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Jane Doe
uid: janedoe
uidNumber: 1001
userPassword:: e01ENX1IT01SNHBNMTV0M2dZZDhXVXhNRzhnPT0=

# johndoe, users, test.com
dn: cn=johndoe,ou=users,dc=test,dc=com
cn: johndoe
gidNumber: 501
givenName: John
homeDirectory: /home/users/jdoe
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: John Doe
uid: johndoe
uidNumber: 1000
userPassword:: e01ENX1IT01SNHBNMTV0M2dZZDhXVXhNRzhnPT0=

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

Configure Keystone

juju config keystone preferred-api-version=3
juju deploy keystone-ldap --series xenial
juju add-relation keystone-ldap keystone
juju config keystone-ldap ldap-server="ldap://10.5.0.72" ldap-user="cn=admin,dc=test,dc=com" ldap-password="crapper" ldap-suffix="dc=test,dc=com"
juju config keystone-ldap domain-name="aaa_domain"
juju config keystone-ldap ldap-config-flags="{ user_tree_dn: 'dc=test,dc=com', query_scope: 'sub', user_objectclass: posixAccount, user_id_attribute: uid, user_name_attribute: uid, group_tree_dn: 'ou=groups,dc=test,dc=com', group_objectclass: posixGroup, group_id_attribute: gidNumber, group_name_attribute: cn, group_member_attribute: memberUid, group_members_are_ids: True}"

root@juju-67d093-xenial-queens-ldap-2:~# cat /etc/keystone/domains/keystone.aaa_domain.conf
[ldap]
url = ldap://10.5.0.72
user = cn=admin,dc=test,dc=com
password = password
suffix = dc=test,dc=com
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
# User supplied configuration flags
group_id_attribute = gidNumber
group_member_attribute = memberUid
group_members_are_ids = True
group_name_attribute = cn
group_objectclass = posixGroup
group_tree_dn = ou=groups,dc=test,dc=com
query_scope = sub
#user_id_attribute = uidNumber
user_id_attribute = uid
user_name_attribute = uid
user_objectclass = posixAccount
user_tree_dn = dc=test,dc=com
[identity]
driver = ldap

Note that several of the parameters above are important, in particular group_members_are_ids = True, which is explained in detail below:
query_scope = sub
user_tree_dn = dc=test,dc=com
user_id_attribute = uid
group_members_are_ids = True
The following configuration also works:
query_scope = base
user_tree_dn = ou=users,dc=test,dc=com
user_id_attribute = uid
group_members_are_ids = True

Test

source ~/stsstack-bundles/novarcv3_domain
export OS_REGION_NAME=RegionOne
export OS_USER_DOMAIN_NAME=admin_domain
export OS_AUTH_VERSION=3
export OS_IDENTITY_API_VERSION=3
export OS_PASSWORD=openstack
export OS_DOMAIN_NAME=admin_domain
export OS_AUTH_URL=http://10.5.0.53:5000/v3
export OS_USERNAME=admin

openstack domain create --description "aaa_domain" aaa_domain
openstack domain list
openstack project create myproject --domain aaa_domain
openstack project list --domain aaa_domain
#The token used to make the request was project scoped but the policy requires ['system'] scope
#so it should be 'openstack  group create aaa_group'
#openstack group create aaa_group --domain aaa_domain
#openstack group create aaa_group        #we use the default openstack instead
openstack group list --domain aaa_domain
openstack role list
openstack user list --domain aaa_domain
openstack user list --group openstack --domain aaa_domain

# https://ask.openstack.org/en/question/109588/domain-admin-can-access-entities-out-of-scope/
#Assign Role to a user in a Domain, it used --domain
#openstack role add --user johndoe --domain aaa_domain Member
NOTE: the above command doesn't work because we must use the user's ID to avoid 'No user with a name or ID of 'johndoe' exists', so it should be:
#openstack role add --user $(openstack user show johndoe --domain aaa_domain -f value -c id)  --domain aaa_domain Member

#Assign Role to a group in a project, it used --group-domain
openstack role add --group openstack --group-domain aaa_domain --project myproject Member
openstack role add --group openstack --group-domain aaa_domain --project myproject Admin
openstack role list --group openstack --group-domain aaa_domain --project myproject

$ openstack user list --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| 5d15ad6474b1f212d159d974eba4d6b402636e67a7253bf7acb64403ff8c2c53 | janedoe |
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+

$ openstack group contains user --group-domain aaa_domain --user-domain aaa_domain openstack johndoe
johndoe in group openstack

source ~/stsstack-bundles/novarcv3_project
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_USERNAME=johndoe
export OS_PASSWORD=crapper
export OS_AUTH_URL=http://10.5.0.72:5000/v3
export OS_AUTH_VERSION=3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=RegionOne

ubuntu@zhhuabj-bastion:~$ openstack user show johndoe
+---------------------+------------------------------------------------------------------+
| Field               | Value                                                            |
+---------------------+------------------------------------------------------------------+
| domain_id           | ae678292805a4db7917137c0621fe4cc                                 |
| id                  | dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 |
| name                | johndoe                                                          |
| options             | {}                                                               |
| password_expires_at | None                                                             |
+---------------------+------------------------------------------------------------------+

ubuntu@zhhuabj-bastion:~$ openstack user list
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-8c373161-37d7-4d33-9dda-16bdbd2cecb7)

Why are we not authorized to run 'openstack user list'? Because of the following policy rules:
"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:59d6b9c88f654dba9d06772ec1b197f0 or project_id:bbbb856f30b042a9a64d6646273a9ae2)",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

Problem 1: debugging when a user cannot be found

When a user cannot be found, check the log:

(keystone.common.ldap.core): 2018-06-08 12:13:23,145 DEBUG LDAP bind: who=cn=admin,dc=cloud,dc=sts
(keystone.common.ldap.core): 2018-06-08 12:13:23,145 DEBUG LDAP search: base=dc=cloud,dc=sts scope=2 filterstr=(&(uidNumber=10002)(objectClass=inetOrgPerson)) attrs=['description', 'uidNumber', 'userPassword', 'enabled', 'mail', 'uid'] attrsonly=0

Translate it into the following command and check whether it returns the entry:

sudo ldapsearch -h 10.5.0.53 -x -b 'dc=cloud,dc=sts' -s sub "(&(uidNumber=10002)(objectClass=inetOrgPerson))" description uidNumber userPassword enabled mail uid attrsonly=0
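An added example (not from the original post) that automates the conversion above: it parses keystone's "LDAP bind" and "LDAP search" debug lines and emits the equivalent ldapsearch command, mapping python-ldap's numeric scope (0/1/2) to the -s value and passing the filter and attribute list through verbatim, so a mismatched user_objectclass or user_id_attribute shows up directly in the filter. The two log lines are embedded as constructed sample input; the host 10.5.0.53 is assumed from the command above, and the bind password is left to the -W prompt.

```python
import re
import shlex

# Constructed sample: the two keystone debug lines shown above.
SAMPLE_LOG = """\
(keystone.common.ldap.core): 2018-06-08 12:13:23,145 DEBUG LDAP bind: who=cn=admin,dc=cloud,dc=sts
(keystone.common.ldap.core): 2018-06-08 12:13:23,145 DEBUG LDAP search: base=dc=cloud,dc=sts scope=2 filterstr=(&(uidNumber=10002)(objectClass=inetOrgPerson)) attrs=['description', 'uidNumber', 'userPassword', 'enabled', 'mail', 'uid'] attrsonly=0
"""

# python-ldap scope constants: SCOPE_BASE=0, SCOPE_ONELEVEL=1, SCOPE_SUBTREE=2
SCOPE_NAMES = {"0": "base", "1": "one", "2": "sub"}

BIND_RE = re.compile(r"LDAP bind: who=(?P<who>\S+)")
SEARCH_RE = re.compile(
    r"LDAP search: base=(?P<base>\S+) scope=(?P<scope>\d) "
    r"filterstr=(?P<filter>.+?) attrs=\[(?P<attrs>[^\]]*)\] attrsonly=(?P<attrsonly>\d)"
)


def parse_keystone_ldap_log(text):
    """Return (bind_dn, [search dicts]) found in keystone LDAP debug output."""
    bind_dn = None
    searches = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn = m.group("who")
            continue
        m = SEARCH_RE.search(line)
        if m:
            # attrs is logged as a Python list literal: ['a', 'b']
            attrs = [a.strip().strip("'\"") for a in m.group("attrs").split(",") if a.strip()]
            searches.append({
                "base": m.group("base"),
                "scope": SCOPE_NAMES[m.group("scope")],
                "filter": m.group("filter"),
                "attrs": attrs,
                "attrsonly": m.group("attrsonly") == "1",
            })
    return bind_dn, searches


def to_ldapsearch(search, host, bind_dn=None):
    """Build the equivalent ldapsearch command line for one logged search."""
    cmd = ["ldapsearch", "-H", "ldap://%s" % host, "-x"]
    if bind_dn:
        cmd += ["-D", bind_dn, "-W"]          # -W prompts instead of embedding the password
    cmd += ["-b", search["base"], "-s", search["scope"]]
    if search["attrsonly"]:
        cmd.append("-A")                       # attrsonly=1 maps to -A (attribute names only)
    cmd.append(search["filter"])
    cmd += search["attrs"]
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    bind_dn, searches = parse_keystone_ldap_log(SAMPLE_LOG)
    for s in searches:
        print(to_ldapsearch(s, "10.5.0.53", bind_dn))
```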

Problem 2: group_members_are_ids = True

For example, the data in this case:

# Entry 5: cn=openstack,ou=groups,dc=test,dc=com
dn: cn=openstack,ou=groups,dc=test,dc=com
cn: openstack
gidnumber: 501
memberuid: johndoe
objectclass: posixGroup
objectclass: top

# Entry 8: cn=johndoe,ou=users,dc=test,dc=com
dn: cn=johndoe,ou=users,dc=test,dc=com
cn: johndoe
gidnumber: 501
givenname: John
homedirectory: /home/users/jdoe
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: John Doe
uid: johndoe
uidnumber: 1000
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

From the description of this bug - https://bugs.launchpad.net/keystone/+bug/1526462
we learn that a group of type posixGroup can carry many memberuid attributes; in this example they are in ID form:
memberuid: johndoe
but they may also be in the following DN form:
memberuid: johndoe,ou=users,dc=test,dc=com
When debugging the code with rpdb (import rpdb;rpdb.set_trace()) and attaching with nc 127.0.0.1 4444, you find that when group_members_are_ids=true, list_group_users no longer derives the ID from the DN.
At the same time, the if statement below (if group_member_id == user_id) dictates that the configuration must use: user_id_attribute = uid

(Pdb) p group_member_id
u'johndoe'
(Pdb) p user_id
u'johndoe'
(Pdb) l
142             # work.
143             self.get_user(user_id)
144             import rpdb;rpdb.set_trace()
145             member_list = self.group.list_group_users(group_id)
146             for group_member_id in self._transform_group_member_ids(member_list):
147  ->             if group_member_id == user_id:
148                     break
149             else:
150                 raise exception.NotFound(_("User '%(user_id)s' not found in"
151                                            " group '%(group_id)s'") %
152                                          {'user_id': user_id,
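An added, simplified model (not keystone's own code) of the member resolution walked through above, with a constructed in-memory copy of the two user entries from this page. It shows why group_members_are_ids=True pairs with user_id_attribute=uid for the posixGroup memberUid form, why the commented-out uidNumber setting makes the `group_member_id == user_id` comparison fail, and how the groupOfNames member-DN form from backup.ldif needs group_members_are_ids=False (with an extra lookup whenever the DN's naming attribute is not the ID attribute).

```python
class NotFound(Exception):
    """Stands in for keystone.exception.NotFound."""


# Constructed directory mirroring the user entries in backup.ldif on this page.
DIRECTORY = {
    "cn=johndoe,ou=users,dc=test,dc=com": {"cn": "johndoe", "uid": "johndoe", "uidNumber": "1000"},
    "cn=janedoe,ou=users,dc=test,dc=com": {"cn": "janedoe", "uid": "janedoe", "uidNumber": "1001"},
}

# posixGroup form: memberUid holds bare IDs (the charm's default fixture)
POSIX_MEMBERS = ["johndoe"]
# groupOfNames form: member holds full DNs (the backup.ldif used for bug 1782922)
DN_MEMBERS = ["cn=johndoe,ou=users,dc=test,dc=com", "cn=janedoe,ou=users,dc=test,dc=com"]


def user_id_of(dn, user_id_attribute):
    """The keystone user ID is whatever attribute user_id_attribute names."""
    return DIRECTORY[dn][user_id_attribute]


def first_rdn(dn):
    """'cn=johndoe,ou=users,...' -> ('cn', 'johndoe'); assumes no escaped commas."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def dn_to_id(dn, user_id_attribute):
    """Map a member DN to a user ID. When the DN's naming attribute is the
    configured user_id_attribute the value comes straight from the DN;
    otherwise the entry has to be fetched (keystone issues an extra LDAP
    search at this point)."""
    attr, value = first_rdn(dn)
    if attr == user_id_attribute.lower():
        return value
    entry = DIRECTORY.get(dn)
    if entry is None:
        raise NotFound("entry %s not found" % dn)
    return entry[user_id_attribute]


def transform_group_member_ids(member_values, group_members_are_ids, user_id_attribute):
    """Counterpart of the generator named in the pdb listing: with
    group_members_are_ids=True the raw attribute values already are IDs,
    otherwise each value is a DN that must be converted."""
    for value in member_values:
        yield value if group_members_are_ids else dn_to_id(value, user_id_attribute)


def check_user_in_group(user_id, member_values, group_members_are_ids, user_id_attribute):
    """The for/else loop from the listing: exact string match or NotFound."""
    for group_member_id in transform_group_member_ids(member_values, group_members_are_ids, user_id_attribute):
        if group_member_id == user_id:
            return True
    raise NotFound("User '%s' not found in group" % user_id)


def is_member(user_dn, member_values, group_members_are_ids, user_id_attribute):
    """Convenience wrapper returning True/False instead of raising."""
    user_id = user_id_of(user_dn, user_id_attribute)
    try:
        return check_user_in_group(user_id, member_values, group_members_are_ids, user_id_attribute)
    except NotFound:
        return False


if __name__ == "__main__":
    jd = "cn=johndoe,ou=users,dc=test,dc=com"
    print("posixGroup,   ids=True,  uid       ->", is_member(jd, POSIX_MEMBERS, True, "uid"))        # True
    print("posixGroup,   ids=True,  uidNumber ->", is_member(jd, POSIX_MEMBERS, True, "uidNumber"))  # False
    print("groupOfNames, ids=False, uid       ->", is_member(jd, DN_MEMBERS, False, "uid"))          # True
    print("groupOfNames, ids=True,  uid       ->", is_member(jd, DN_MEMBERS, True, "uid"))           # False
```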

Another bug - https://bugs.launchpad.net/keystone/+bug/1782922
Test method - https://launchpadlibrarian.net/429689845/bug-1782922-initial-testing-details.txt
The backup.ldif data used there is as follows:

# LDIF Export for dc=test,dc=com
# Server: My LDAP Server (10.245.162.249)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 8
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on March 31, 2017 8:18 am
# Version: 1.2.2

version: 1

# Entry 1: dc=test,dc=com
#dn: dc=test,dc=com
#dc: test
#o: test
#objectclass: top
#objectclass: dcObject
#objectclass: organization

# Entry 2: cn=admin,dc=test,dc=com
#dn: cn=admin,dc=test,dc=com
#cn: admin
#description: LDAP administrator
#objectclass: simpleSecurityObject
#objectclass: organizationalRole
#userpassword: {SSHA}lAJ0zkENTaSSU6++TM88A/DjnASa24tL

# Entry 3: ou=groups,dc=test,dc=com
dn: ou=groups,dc=test,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 4: cn=admin,ou=groups,dc=test,dc=com
dn: cn=admin,ou=groups,dc=test,dc=com
cn: admin
gidnumber: 500
memberuid: johndoe
memberuid: janedoe
objectclass: posixGroup
objectclass: top

# Entry 5: cn=openstack,ou=groups,dc=test,dc=com
dn: cn=openstack,ou=groups,dc=test,dc=com
cn: openstack
member: cn=johndoe,ou=users,dc=test,dc=com
member: cn=janedoe,ou=users,dc=test,dc=com
businessCategory: cloud
objectclass: groupOfNames
objectclass: top

# Entry 6: ou=users,dc=test,dc=com
dn: ou=users,dc=test,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Entry 7: cn=janedoe,ou=users,dc=test,dc=com
dn: cn=janedoe,ou=users,dc=test,dc=com
cn: janedoe
gidnumber: 500
givenname: Jane
homedirectory: /home/users/janedoe
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Jane Doe
uid: janedoe
uidnumber: 1001
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

# Entry 8: cn=johndoe,ou=users,dc=test,dc=com
dn: cn=johndoe,ou=users,dc=test,dc=com
cn: johndoe
gidnumber: 501
givenname: John
homedirectory: /home/users/jdoe
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: John Doe
uid: johndoe
uidnumber: 1000
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

Problem 3: how to use the users held in LDAP

1, Confirm the user johndoe is in the domain aaa_domain

ubuntu@zhhuabj-bastion:~$ openstack user list --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| 5d15ad6474b1f212d159d974eba4d6b402636e67a7253bf7acb64403ff8c2c53 | janedoe |
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+

2, Create a project myproject

openstack project create myproject --domain aaa_domain

ubuntu@zhhuabj-bastion:~$ openstack project list --domain aaa_domain
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| f239a9aebc974664b3fb7823d7d873fa | myproject |
+----------------------------------+-----------+

3, LDAP has two groups, one is admin, one is openstack, see https://api.jujucharms.com/charmstore/v5/~openstack-charmers/ldap-test-fixture-3/archive/files/backup.ldif

ubuntu@zhhuabj-bastion:~$ openstack group list --domain aaa_domain
+------------------------------------------------------------------+-----------+
| ID                                                               | Name      |
+------------------------------------------------------------------+-----------+
| a202723c28709cef142842b452fc93caf45d6b661e5d636a96cd10b9379fe0d2 | admin     |
| c94536ce5d46380996999782dacf490b640385cd9b75450782cb279501238eac | openstack |
+------------------------------------------------------------------+-----------+
ubuntu@zhhuabj-bastion:~$ openstack user list --group openstack --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+
ubuntu@zhhuabj-bastion:~$ openstack user list --group admin --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+

3, Assign Role to a group in a project

openstack role add --group openstack --project myproject --group-domain aaa_domain Member
openstack role add --group openstack --project myproject --group-domain aaa_domain Admin

ubuntu@zhhuabj-bastion:~$ openstack role list --group openstack --project myproject --group-domain aaa_domain
Listing assignments using role list is deprecated. Use role assignment list --group <group-name> --project <project-name> --names instead.
+----------------------------------+--------+-----------+-----------+
| ID                               | Name   | Project   | Group     |
+----------------------------------+--------+-----------+-----------+
| 578a7eca0d184945b57ed0b718e59ae0 | Member | myproject | openstack |
| 64c64c90886d4f3cb13d3c599748086b | Admin  | myproject | openstack |
+----------------------------------+--------+-----------+-----------+

4, Confirm the user johndoe is in the domain aaa_domain and group openstack

ubuntu@zhhuabj-bastion:~$ openstack user list --group openstack --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+

5, Switch to use the user johndoe

source ~/stsstack-bundles/novarcv3_project
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_USERNAME=johndoe
export OS_PASSWORD=crapper
export OS_AUTH_URL=http://10.5.0.72:5000/v3
export OS_AUTH_VERSION=3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=RegionOne

6, Test the user johndoe

ubuntu@zhhuabj-bastion:~$ openstack user show johndoe
+---------------------+------------------------------------------------------------------+
| Field               | Value                                                            |
+---------------------+------------------------------------------------------------------+
| domain_id           | ae678292805a4db7917137c0621fe4cc                                 |
| id                  | dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 |
| name                | johndoe                                                          |
| options             | {}                                                               |
| password_expires_at | None                                                             |
+---------------------+------------------------------------------------------------------+
ubuntu@zhhuabj-bastion:~$ openstack user list
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-8c373161-37d7-4d33-9dda-16bdbd2cecb7)

Why are we not authorized to run 'openstack user list'? Because of the following policy rules:
"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:59d6b9c88f654dba9d06772ec1b197f0 or project_id:bbbb856f30b042a9a64d6646273a9ae2)",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

How can we make openstack user list work?
1, LDAP has two groups, openstack and admin, and johndoe is in both.
ubuntu@zhhuabj-bastion:~$ openstack user list --group openstack --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+
ubuntu@zhhuabj-bastion:~$ openstack user list --group admin --domain aaa_domain
+------------------------------------------------------------------+---------+
| ID                                                               | Name    |
+------------------------------------------------------------------+---------+
| dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5 | johndoe |
+------------------------------------------------------------------+---------+
2, The policy rules refer to project_id:bbbb856f30b042a9a64d6646273a9ae2,
so first, using admin privileges, add the Admin role on the project bbbb856f30b042a9a64d6646273a9ae2 for the group:
openstack role add --group admin --project bbbb856f30b042a9a64d6646273a9ae2 --group-domain aaa_domain Admin
Then the environment variables must scope the token to that project:
unset OS_PROJECT_NAME
export OS_PROJECT_ID=bbbb856f30b042a9a64d6646273a9ae2
ubuntu@zhhuabj-bastion:~$ openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| 12507a988b8a438e85ee36617302fd34 | neutron           |
| 1b8ad6f6fc4c479a90b7a34c8187cd3b | cinderv2_cinderv3 |
| 2c6d8f3b156c45b5bb7998cca056edc4 | nova_placement    |
| feaaf07467f142a5a5901ab066af9dca | glance            |
+----------------------------------+-------------------+
ubuntu@zhhuabj-bastion:~$ env |grep OS_
OS_PROJECT_ID=bbbb856f30b042a9a64d6646273a9ae2
OS_REGION_NAME=RegionOne
OS_USER_DOMAIN_NAME=aaa_domain
OS_AUTH_VERSION=3
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=crapper
OS_AUTH_URL=http://10.5.0.72:5000/v3
OS_USERNAME=johndoe
OS_PROJECT_DOMAIN_NAME=aaa_domain
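As an added illustration (not keystone's or oslo.policy's code), a minimal evaluator for the policy subset quoted above, run against johndoe's two token scopes from the Test section and from Problem 3: a token scoped to myproject fails identity:list_users (the HTTP 403), while a token scoped to the project bbbb856f30b042a9a64d6646273a9ae2 named in cloud_admin passes once the Admin role is held there. Project and user IDs are the page's values; the credential dicts are constructed, and the rule admin_and_matching_target_user_domain_id is omitted because the page does not define it.

```python
import re

# Constructed subset of the keystone policy rules quoted above; only what
# identity:list_users depends on, plus "owner" to exercise %(...)s substitution.
POLICY = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   "domain_id:59d6b9c88f654dba9d06772ec1b197f0 or "
                   "project_id:bbbb856f30b042a9a64d6646273a9ae2)",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# A token is a parenthesis or a run of non-space characters in which a
# %(...)s substitution is kept whole, so "user_id:%(user_id)s" is one token.
TOKEN_RE = re.compile(r"\(|\)|(?:[^\s()%]|%\([^)]*\)s)+")


def _parse_or(tokens, i):
    node, i = _parse_and(tokens, i)
    while i < len(tokens) and tokens[i] == "or":
        right, i = _parse_and(tokens, i + 1)
        node = ("or", node, right)
    return node, i


def _parse_and(tokens, i):  # "and" binds tighter than "or", as in oslo.policy
    node, i = _parse_atom(tokens, i)
    while i < len(tokens) and tokens[i] == "and":
        right, i = _parse_atom(tokens, i + 1)
        node = ("and", node, right)
    return node, i


def _parse_atom(tokens, i):
    if tokens[i] == "(":
        node, i = _parse_or(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parenthesis")
        return node, i + 1
    return ("check", tokens[i]), i + 1


def parse_rule(rule):
    """Parse a rule string into a ('and'|'or'|'check', ...) tree."""
    tokens = TOKEN_RE.findall(rule)
    node, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError("trailing tokens in rule: %r" % rule)
    return node


def evaluate(node, creds, target):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], creds, target) and evaluate(node[2], creds, target)
    if kind == "or":
        return evaluate(node[1], creds, target) or evaluate(node[2], creds, target)
    check, _, value = node[1].partition(":")
    if check == "rule":
        return evaluate(parse_rule(POLICY[value]), creds, target)
    if check == "role":
        return value in creds.get("roles", [])
    # Generic check: compare the credential field to a literal or to a target field.
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        if m.group(1) not in target:
            return False
        value = target[m.group(1)]
    return str(creds.get(check)) == str(value)


def enforce(action, creds, target=None):
    return evaluate(parse_rule(POLICY[action]), creds, target or {})


# Constructed credential dicts for johndoe's two token scopes; the IDs are the
# values shown on this page. A project-scoped token carries no domain_id.
JOHNDOE_MYPROJECT = {
    "user_id": "dcb455d78a9cc380d615fa79c56569b3e9947d9af7a2f83813b53fca198b61a5",
    "roles": ["Member", "Admin"],                       # inherited via group openstack / admin
    "project_id": "f239a9aebc974664b3fb7823d7d873fa",  # myproject
    "is_admin_project": False,
}
JOHNDOE_BBBB_PROJECT = dict(JOHNDOE_MYPROJECT, project_id="bbbb856f30b042a9a64d6646273a9ae2")


if __name__ == "__main__":
    print("list_users scoped to myproject:   ", enforce("identity:list_users", JOHNDOE_MYPROJECT))     # False -> HTTP 403
    print("list_users scoped to bbbb856f...: ", enforce("identity:list_users", JOHNDOE_BBBB_PROJECT))  # True
```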

Add data

sudo -i
#juju bootstrap --debug --config bootstrap-series=bionic --config agent-stream=devel localhost lxd-controller
#juju add-model test && juju deploy cs:~openstack-charmers/ldap-test-fixture-4
wget https://api.jujucharms.com/charmstore/v5/~openstack-charmers/ldap-test-fixture-4/archive/files/backup.ldif
sudo slapadd -v -c -l ./backup.ldif
#install ldap
export DEBIAN_FRONTEND=noninteractive
debconf-set-selections <<EOF
slapd slapd/internal/adminpw password crapper
slapd slapd/password1 password crapper
slapd slapd/password2 password crapper
slapd slapd/domain string test.com
slapd shared/organization string test
EOF
apt -y install slapd ldap-utils phpldapadmin
sed -i "s/dc=example/dc=test/g" /etc/phpldapadmin/config.php
service apache2 restart
ldapsearch -h 192.168.99.124 -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -s sub '(objectclass=*)' cn sn
######################### Create new LDAP users for MAAS testing - user1 through user5 in group maas password crapper
cat <<EOF > $HOME/new_users_groups.ldif
# Entry 10: cn=user1,ou=users,dc=test,dc=com
dn: cn=user1,ou=users,dc=test,dc=com
cn: user1
gidnumber: 502
givenname: user1
homedirectory: /home/users/user1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user1 Doe
uid: user1
uidnumber: 1001
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 11: cn=user2,ou=users,dc=test,dc=com
dn: cn=user2,ou=users,dc=test,dc=com
cn: user2
gidnumber: 502
givenname: user2
homedirectory: /home/users/user2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user2 Doe
uid: user2
uidnumber: 1002
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 12: cn=user3,ou=users,dc=test,dc=com
dn: cn=user3,ou=users,dc=test,dc=com
cn: user3
gidnumber: 502
givenname: user3
homedirectory: /home/users/user3
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user3 Doe
uid: user3
uidnumber: 1003
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 13: cn=user4,ou=users,dc=test,dc=com
dn: cn=user4,ou=users,dc=test,dc=com
cn: user4
gidnumber: 502
givenname: user4
homedirectory: /home/users/user4
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user4 Doe
uid: user4
uidnumber: 1004
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 14: cn=user5,ou=users,dc=test,dc=com
dn: cn=user5,ou=users,dc=test,dc=com
cn: user5
gidnumber: 502
givenname: user5
homedirectory: /home/users/user5
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user5 Doe
uid: user5
uidnumber: 1005
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

# Entry 15: cn=maas,ou=groups,dc=test,dc=com
dn: cn=maas,ou=groups,dc=test,dc=com
cn: maas
gidnumber: 502
memberuid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
objectClass: top
objectClass: posixGroup
EOF
ldapadd -x -D "cn=admin,dc=test,dc=com" -w crapper -f new_users_groups.ldif

20210329 Update - OpenStack application credential

openstack application credential create test_cred --role member --restricted
openstack application credential list
openstack application credential delete audit

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=http://<keystone-server>:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="RegionOne"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=508821d772c24e138c520104b40f6d155
export OS_APPLICATION_CREDENTIAL_SECRET=xxx

Application credentials let an application use the cloud without the user sharing their password with it. For example, when user information is stored in LDAP or an SSO system, to avoid storing the password in the application's configuration file the user can create an application credential for a project and grant it some or all of their roles on that project; only the application credential ID and secret string (which is not the password) are then stored in the configuration file.
Several application credentials can exist at the same time, each of them can be rotated, and an expiration time can be set on each.
https://docs.openstack.org/api-ref/identity/v3/index.html#application-credentials
https://docs.openstack.org/keystone/ussuri/user/application_credentials.html

1, Use admin project user to create a common user user1

export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_PROJECT_DOMAIN_NAME=admin_domain
export OS_USERNAME=admin
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=admin_domain
export OS_PROJECT_NAME=admin
export OS_PASSWORD=openstack
export OS_IDENTITY_API_VERSION=3

openstack domain create aaa_domain
openstack project create myproject --domain aaa_domain
openstack user create --project myproject --domain aaa_domain --password password user1
openstack user list --domain aaa_domain
openstack role add --user user1 --project myproject --user-domain aaa_domain Member
openstack role assignment list --project myproject --names

openstack user create --project myproject --domain aaa_domain --password password user3
openstack role add --user user3 --project myproject --user-domain aaa_domain Member

2, Use user1 to create an application credential

export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_USERNAME=user1
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3
openstack application credential create test_cred --role member --restricted
openstack application credential list

$ openstack application credential list
+----------------------------------+-----------+----------------------------------+-------------+------------+
| ID                               | Name      | Project ID                       | Description | Expires At |
+----------------------------------+-----------+----------------------------------+-------------+------------+
| 66ec413bd7f34317a0bdef9605990d22 | test_cred | 1911461d8ea7473a8dc7447bf6ebb419 | None        | None       |
+----------------------------------+-----------+----------------------------------+-------------+------------+

3, Use another domain user user2 to access the application credential created by user1

openstack domain create bbb_domain
openstack project create secondproject --domain bbb_domain
openstack user create --project secondproject --domain bbb_domain --password password user2
openstack role add --user user2 --project secondproject --user-domain bbb_domain Member

export OS_REGION_NAME=RegionOne
export OS_AUTH_VERSION=3
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_USERNAME=user2
export OS_DOMAIN_NAME=bbb_domain
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=bbb_domain
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3

$ openstack application credential list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-1b18c8c1-4009-4789-9d49-9db6d6190ac7)
(keystone.server.flask.application): 2021-03-31 10:20:18,122 WARNING Authorization failed. The request you have made requires authentication. from 10.5.3.98

4, Use another project user user2 to access the application credential created by user1

export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_PROJECT_DOMAIN_NAME=bbb_domain
export OS_USERNAME=user2
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=bbb_domain
export OS_PROJECT_NAME=secondproject
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3
openstack application credential list

$ openstack application credential list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-af30b758-0a68-49e9-ae22-7e23e8e571fd)
(keystone.server.flask.application): 2021-03-31 10:24:15,182 WARNING Authorization failed. The request you have made requires authentication. from 10.5.3.98

5, Use another user user3 which is in aaa_domain as well

export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_USERNAME=user3
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3
openstack application credential list

$ openstack application credential list
<empty>

6, Use domain user user3

export OS_REGION_NAME=RegionOne
export OS_AUTH_VERSION=3
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_USERNAME=user3
export OS_DOMAIN_NAME=aaa_domain
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3

$ openstack application credential list
<empty>

7, Use the application credential

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=http://10.5.3.98:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="RegionOne"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=9b55f634d2d74e90ab95ac946ba205ff
export OS_APPLICATION_CREDENTIAL_SECRET=YMAq2rP9JKJ3XEWd8mgJeke4XBZw_a6aPKAB4L2NA1VkbGm0NtvBlIftYkh0HluRZRWbAeAbnINeJbo9_cSfKQ
openstack token issue

$ openstack token issue
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                                        |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-03-31T11:39:52+0000                                                                                                                                                                                     |
| id         | gAAAAABgZFF4uK3c5OxIgM9vG618nXv1wRAi4YiNOXM7DG2ZuQhZt1puns7rcZwLjk6uDLKWwfxfrYO4N9eSTravF1A_dgEVRUxxgWuIk0rKj5F7lH2dhzfbZnBhqLPpspgv2l_Z4UwAJjNPOAEtTE2T2mCgnyY7gYkpR9Pq-ANHY7xyeu5LTGPhAVXghV5yrFgLfRuOOUNv |
| project_id | 1911461d8ea7473a8dc7447bf6ebb419                                                                                                                                                                             |
| user_id    | 8b1d6e8628de4d78823c5c7f59751fd9                                                                                                                                                                             |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

20230306 Update - why some application credential calls are slow
keystone also has memcached configured:

[cache]
enabled = true
backend = oslo_cache.memcache_pool
memcache_servers = inet6:[::1]:11211
# This goes in the section above, selectively
# Bug #1899117
expiration_time = 600

Find the MySQL slow queries:

edited /etc/mysql/mysql.conf.d/mysqld.cnf for every mysql unit and uncommented the following lines ->
slow_query_log = 1
slow_query_log_file = /var/log/mysql/mysql-slow.log
long_query_time = 0

Confirm the latency with the time command, or with:

curl -v http://localhost:4990/v3/auth/tokens?nocatalog -H "X-Auth-Token: token" -H "X-Subject-Token: token" -H "Accept-Encoding: gzip" -H "Accept: application/json"

The root cause finally found: the token is fetched 3 times, and each fetch also loads the roles, which puts pressure on the DB.
Related bug: when an application credential has access rules, service_type must be configured - https://bugs.launchpad.net/keystone/+bug/1950464 (charm: https://bugs.launchpad.net/charm-neutron-api/+bug/1965967)

20221205 - keystone code

import os
from keystoneauth1 import session as session
from keystoneclient.v3 import client as client
from keystoneauth1.identity import v3

# Build a v3 password auth plugin from the usual OS_* environment variables
auth = v3.Password(auth_url=os.environ['OS_AUTH_URL'],
                   username=os.environ['OS_USERNAME'],
                   password=os.environ['OS_PASSWORD'],
                   user_domain_name=os.environ['OS_USER_DOMAIN_NAME'],
                   project_name=os.environ['OS_PROJECT_NAME'],
                   project_domain_name=os.environ['OS_PROJECT_DOMAIN_NAME'])
sess = session.Session(auth=auth)
keystoneClient = client.Client(session=sess)
# Obtain a token through the session, then list the projects visible to this user
print(sess.get_token())
projectList = keystoneClient.projects.list()
print(projectList)