http://www.florentflament.com/blog/setting-keystone-v3-domains.html

The Openstack Identity v3 API, provided by Keystone, offers features that were lacking in the previous version. Among these features, it introduces the concept of domains, allowing isolation of projects and users. For instance, an administrator allowed to create projects and users in a given domain, may not have any right in another one. While these features look very exciting, some configuration needs to be done to have a working identity v3 service with domains properly set.

Keystone API protection section of the developer's doc provides hints about how to set-up a multi-domain installation. Starting from there, I describe the full steps to have a multi-domain setup running, by using curl to send http requests and jq to parse the json answers.

Setting an admin domain and a cloud admin

First, we have to start on a fresh non multi-domain installation with the default policy file.

  • With the admin user we can create the admin_domain.

    ADMIN_TOKEN=$(\
    
curl http://localhost:5000/v3/auth/tokens \
    
    -s \
    
    -i \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "auth": {
    
        "identity": {
    
            "methods": [
    
                "password"
    
            ],
    
            "password": {
    
                "user": {
    
                    "domain": {
    
                        "name": "Default"
    
                    },
    
                    "name": "admin",
    
                    "password": "password"
    
                }
    
            }
    
        },
    
        "scope": {
    
            "project": {
    
                "domain": {
    
                    "name": "Default"
    
                },
    
                "name": "admin"
    
            }
    
        }
    
    }
    
}' | grep ^X-Subject-Token: | awk '{print $2}' )

ID_ADMIN_DOMAIN=$(\
    
curl http://localhost:5000/v3/domains \
    
    -s \
    
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "domain": {
    
    "enabled": true,
    
    "name": "admin_domain"
    
    }
    
}' | jq .domain.id | tr -d '"' )

echo "ID of domain cloud: $ID_ADMIN_DOMAIN"

  • Then we can create our cloud_admin user, within the admin_domain domain.

    ID_CLOUD_ADMIN=$(\
    
curl http://localhost:5000/v3/users \
    
    -s \
    
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d "
    
{
    
    \"user\": {
    
        \"description\": \"Cloud administrator\",
    
        \"domain_id\": \"$ID_ADMIN_DOMAIN\",
    
        \"enabled\": true,
    
        \"name\": \"cloud_admin\",
    
        \"password\": \"password\"
    
    }
    
}" | jq .user.id | tr -d '"' )

echo "ID of user cloud_admin: $ID_CLOUD_ADMIN"

  • And we grant to our user cloud_admin the admin role on domain admin_domain.

    ADMIN_ROLE_ID=$(\
    
curl http://localhost:5000/v3/roles?name=admin \
    
    -s \
    
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    
| jq .roles[0].id | tr -d '"' )

curl -X PUT http://localhost:5000/v3/domains/${ID_ADMIN_DOMAIN}/users/${ID_CLOUD_ADMIN}/roles/${ADMIN_ROLE_ID} \
    
    -s \
    
    -i \
    
    -H "X-Auth-Token: $ADMIN_TOKEN" \
    
    -H "Content-Type: application/json"

curl http://localhost:5000/v3/domains/${ID_ADMIN_DOMAIN}/users/${ID_CLOUD_ADMIN}/roles\
    
    -s \
    
    -H "X-Auth-Token: $ADMIN_TOKEN" | jq .roles

  • Once the admin_domain has been created with its cloud_admin user, we can enforce a domain based policy. In order to do that, we have to copy the policy.v3cloudsample.json file over our former /etc/keystone/policy.json, while replacing the string admin_domain_id by the ID of the admin_domain we just created. Locate the policy.v3cloudsample.json file into the etc directory of Keystone's source.

    sed s/admin_domain_id/${ID_ADMIN_DOMAIN}/ \
    
    < policy.v3cloudsample.json \
    
    > /etc/keystone/policy.json

Warning, current version (commit 19620076f587f925c5d2fa59780c1a80dde15db2) of policy.v3cloudsample.json doesn't allow cloud_admin to manage users in other domains than its own (see bug 1267187). Until the patch is merged, I suggest using this policy.c3cloudsample.json under review.

Creating domains and admins

From now on, the admin user can only manage projects and users in the Default domain. To create other domains we will have to authenticate with the cloud_admin user created above.

  • Getting a token scoped on the admin_domain, for user cloud_admin.

    CLOUD_ADMIN_TOKEN=$(\
    
curl http://localhost:5000/v3/auth/tokens \
    
    -s \
    
    -i \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "auth": {
    
        "identity": {
    
            "methods": [
    
                "password"
    
            ],
    
            "password": {
    
                "user": {
    
                    "domain": {
    
                        "name": "admin_domain"
    
                    },
    
                    "name": "cloud_admin",
    
                    "password": "password"
    
                }
    
            }
    
        },
    
        "scope": {
    
            "domain": {
    
                "name": "admin_domain"
    
            }
    
        }
    
    }
    
}' | grep ^X-Subject-Token: | awk '{print $2}' )

  • Creating domains dom1 and dom2.

    ID_DOM1=$(\
    
curl http://localhost:5000/v3/domains \
    
    -s \
    
    -H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "domain": {
    
        "enabled": true,
    
        "name": "dom1"
    
    }
    
}' | jq .domain.id | tr -d '"')

echo "ID of dom1: $ID_DOM1"

ID_DOM2=$(\
    
curl http://localhost:5000/v3/domains \
    
    -s \
    
    -H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "domain": {
    
        "enabled": true,
    
        "name": "dom2"
    
    }
    
}' | jq .domain.id | tr -d '"')

echo "ID of dom2: $ID_DOM2"

  • Now we will create a user adm1 in domain dom1.

    ID_ADM1=$(\
    
curl http://localhost:5000/v3/users \
    
    -s \
    
    -H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d "
    
{
    
    \"user\": {
    
        \"description\": \"Administrator of domain dom1\",
    
        \"domain_id\": \"$ID_DOM1\",
    
        \"enabled\": true,
    
        \"name\": \"adm1\",
    
        \"password\": \"password\"
    
    }
    
}" | jq .user.id | tr -d '"')

echo "ID of user adm1: $ID_ADM1"

  • We will also grant the admin role on domain dom1 to this adm1 user.

    curl -X PUT http://localhost:5000/v3/domains/${ID_DOM1}/users/${ID_ADM1}/roles/${ADMIN_ROLE_ID} \
    
    -s \
    
    -i \
    
    -H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" \
    
    -H "Content-Type: application/json"

curl http://localhost:5000/v3/domains/${ID_DOM1}/users/${ID_ADM1}/roles \
    
    -s \
    
    -H "X-Auth-Token: $CLOUD_ADMIN_TOKEN" | jq .roles

Creating projects and users

The adm1 user can now fully manage domain dom1. He is allowed to manage as many projects and users as he wishes within dom1, while not being able to access resources of domain dom2.

  • Now we authenticate as user adm1 with a scope on dom1.

    ADM1_TOKEN=$(\
    
curl http://localhost:5000/v3/auth/tokens \
    
    -s \
    
    -i \
    
    -H "Content-Type: application/json" \
    
    -d '
    
{
    
    "auth": {
    
        "identity": {
    
            "methods": [
    
                "password"
    
            ],
    
            "password": {
    
                "user": {
    
                    "domain": {
    
                        "name": "dom1"
    
                    },
    
                    "name": "adm1",
    
                    "password": "password"
    
                }
    
            }
    
        },
    
        "scope": {
    
            "domain": {
    
                "name": "dom1"
    
            }
    
        }
    
    }
    
}' | grep ^X-Subject-Token: | awk '{print $2}' )

  • We create a project prj1 in domain dom1.

    ID_PRJ1=$(\
    
curl http://localhost:5000/v3/projects \
    
    -s \
    
    -H "X-Auth-Token: $ADM1_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d "
    
{
    
    \"project\": {
    
        \"enabled\": true,
    
        \"domain_id\": \"$ID_DOM1\",
    
        \"name\": \"prj1\"
    
    }\
    
}" | jq .project.id | tr -d '"' )

echo "ID of prj1: $ID_PRJ1"

  • When trying and creating a project in domain dom2, it fails.

    curl http://localhost:5000/v3/projects \
    
    -s \
    
    -H "X-Auth-Token: $ADM1_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d "
    
{
    
    \"project\": {
    
        \"enabled\": true,
    
        \"domain_id\": \"$ID_DOM2\",
    
        \"name\": \"prj2\"
    
    }\
    
}" | jq .

  • Creating a standard user usr1 in domain dom1, with default project prj1.

    ID_USR1=$(\
    
curl http://localhost:5000/v3/users \
    
    -s \
    
    -H "X-Auth-Token: $ADM1_TOKEN" \
    
    -H "Content-Type: application/json" \
    
    -d "
    
{
    
    \"user\": {
    
        \"default_project_id\": \"$ID_PRJ1\",
    
        \"description\": \"Just a user of dom1\",
    
        \"domain_id\": \"$ID_DOM1\",
    
        \"enabled\": true,
    
        \"name\": \"usr1\",
    
        \"password\": \"password\"
    
    }
    
}" | jq .user.id | tr -d '"' )

echo "ID of user usr1: $ID_USR1"

  • Granting Member role to user usr1 on project prj1.

    MEMBER_ROLE_ID=$(\
    
curl http://localhost:5000/v3/roles?name=Member \
    
    -s \
    
    -H "X-Auth-Token: $ADM1_TOKEN" \
    
| jq .roles[0].id | tr -d '"' )

curl -X PUT http://localhost:5000/v3/projects/${ID_PRJ1}/users/${ID_USR1}/roles/${MEMBER_ROLE_ID} \
    
    -s \
    
    -i \
    
    -H "X-Auth-Token: $ADM1_TOKEN" \
    
    -H "Content-Type: application/json"

curl http://localhost:5000/v3/projects/${ID_PRJ1}/users/${ID_USR1}/roles \
    
    -s \
    
    -H "X-Auth-Token: $ADM1_TOKEN" | jq .roles

The domain administrator adm1 ended up creating a project prj1 and a user usr1 member of the project. usr1 can now get a token scoped onprj1 and manage resources into this project.

[转]Setting Keystone v3 domains的更多相关文章

  1. 在Keystone V3基础上改进的分布式认证体系

    目标 使用java实现keystone v3相关功能与概念: api client authentication service discovery distributed multi-tenant ...

  2. OpenStack IdentityService Keystone V3 API Curl实战

    v3 API Examples Using Curl <Tokens> 1,Default scope 获取token Get an token with default scope (m ...

  3. 使用openstackclient调用Keystone v3 API

    本文内容属于个人原创,转载务必注明出处:  http://www.cnblogs.com/Security-Darren/p/4138945.html 考虑到Keystone社区逐渐弃用第二版身份AP ...

  4. [转]OpenStack Keystone V3

    Keystone V3 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人.服务或 ...

  5. OpenStack Keystone V3 简介

    Keystone V3 简介 Keystone 中主要涉及到如下几个概念:User.Tenant.Role.Token.下面对这几个概念进行简要说明. User:顾名思义就是使用服务的用户,可以是人. ...

  6. Keystone V3 API Examples

    There are few things more useful than a set of examples when starting to work with a new API. Here a ...

  7. 【openStack】Libcloud 如何支持 keystone V3?

    Examples This section includes some examples which show how to use the newly available functionality ...

  8. OpenStack Keystone v3 API新特性

    原连接 http://blog.chinaunix.net/uid-21335514-id-3497996.html keystone的v3 API与v2.0相比有很大的不同,从API的请求格式到re ...

  9. Openstack Keystone V3 利用 curl 命令获取 token

    curl -i \ -H "Content-Type: application/json" \ -d ' { "auth": { "identity& ...

随机推荐

  1. STM32 USB 鼠标+键盘 串口控制

    *MOS0101000000# 鼠标左键按下 *MOS0102000000# 鼠标右键按下 *MOS0103000000# 鼠标中键按下 *MOS0100000000# 鼠标抬起 *MOS01000a ...

  2. oracle查询某张表的外键,并用 truncate 命令有外键的表中的数据

    注:本文来源于<oracle查询某张表的外键(最终解决办法)> 一:几个查询表外键的脚本 select b.table_name, b.column_name from user_cons ...

  3. tomcat配置文件及性能优化

    收藏两个地址 配置文件: https://www.cnblogs.com/sunshine-1/p/8990044.html 性能调优: https://www.cnblogs.com/zhuawan ...

  4. JDBC连接最新版Mysql数据库url设置

    String url="jdbc:mysql://127.0.0.1:3306/northwind?serverTimezone=UTC"; 需要在连接后面加个时区参数?serve ...

  5. 【GIT】git 删除本地分支和远程分支、本地代码回滚和远程代码库回滚

    [git 删除本地分支] git branch -D br [git 删除远程分支] git push origin :br  (origin 后面有空格) git代码库回滚: 指的是将代码库某分支退 ...

  6. Linux磁盘管理及LVM讲解

    硬盘接口 硬盘接口分为IDE.SATA.SCSI和SAS四种, IDE接口硬盘多用于家用产品中,也部分应用于服务器.不支持热添加,比较老. SCSI接口的硬盘则主要应用于服务器市场.linux. 而S ...

  7. python re库的正则表达式学习笔记

    1. 安装 默认已经安装好了python环境了 re库是python3的核心库,不需要pip install,直接import就行 2. 最简单的模式 字符本身就是最简单的模式 比如:'A', 'I ...

  8. 大数据学习之HDFS基本API操作(下)06

    hdfs文件流操作方法一: package it.dawn.HDFSPra; import java.io.BufferedReader; import java.io.FileInputStream ...

  9. bs4库学习

    # -*- coding:utf-8 -*- import bs4 import requests def tags_val(tag, key='', index=0): ''' tag指HTML元素 ...

  10. [R]R包版本更迭【持续更新】

    由于R版本更迭,网上或旧的教材上的包可能没有在维护,或者被其他包替代. 做一个表记录碰到的一些替代方案.个人向,非完整指南. * mvpart 2014年之后不再更新,R 3.0版本后无法安装, 提示 ...