Openstack learning notes (II)
2022-06-25 13:19:00 【Guard of Tuanzi】
Keystone, in short, provides authentication.
Concept explanation:
User: a client of an OpenStack component; it can be a person, a service or a system. Any client that accesses an OpenStack component needs a user name.
Project:
1、A collection of resources owned by a person or service. The resources of different Projects are isolated from each other, and quotas can be set on a Project's resources;
2、A Project can contain more than one User, and every User uses the Project's resources according to the permissions it has been assigned.
3、Before a User can access a Project's resources, the User must be associated with the Project and given a Role within it. An association is therefore a Project-User-Role triple.
Role:
1、Used to divide permissions. Assigning a Role to a User gives the User the operating permissions that correspond to the Role.
2、A User is always verified together with a Project;
3、The Token that Keystone returns to the User contains the list of Roles. The Service being accessed checks which Roles are contained in the Token the User presents, and which resources or operations each Role may access.
Policy:
1、For the Keystone service, a Policy is just a JSON file, by default /etc/keystone/policy.json. By configuring this file, Keystone implements Role-based permission management for Users.
2、Besides authenticating a User, OpenStack also has to decide whether the User has access rights to a given Service. The Policy mechanism controls a User's operating permissions on the resources of a Project (Tenant).
Token:
1、A numeric string that has to be "shown" when accessing resources. Keystone introduces the token mechanism mainly to protect users' access to resources, and introduces PKI (public key infrastructure) to protect the token.
2、A Token covers the resources that can be accessed within a specified scope and validity period.
Credentials: the credentials used to confirm a user's identity, equivalent to an account and password. They can be a user name and password, a user name and API key, or an identity token assigned by Keystone.
Authentication:
1、The process of identifying a user. The Keystone service checks the user's Credentials to determine the user's identity.
2、Initially the user name/password or user name/API key is used as the credential. Once the user's credential has been verified, Keystone assigns the user an authentication token for that user's subsequent requests.
Service: the various component services running in OpenStack.
Endpoint:
1、A network address at which an OpenStack service can be accessed and located, usually a URL.
2、Endpoints are divided into three categories (using any one of the URLs does not change the User's permissions; only the Role decides those):
admin url –> used by admin users, Port: 35357
internal url –> used by OpenStack internal services to communicate with other services, Port: 5000
public url –> the address that Internet users can access, Port: 5000
3、When Nova needs to access the Glance service to obtain an image, Nova asks Keystone for Glance's endpoint and then obtains the Glance service by accessing that endpoint.
Catalog: the collection of Services and Endpoints. Each service has one or more endpoints (i.e. accessible URL addresses), so catalog = services + endpoints.
New concepts in V3:
Tenant is renamed to Project
The concept of Domain is added
The concept of Group is added
Domain: represents a set of projects and users; in a public or private cloud it often represents one customer
Group: a collection of some of the users in a domain
Benefit: easier management
Communication between components is based on REST APIs
Keystone functions: 1、authentication; 2、distributing REST APIs
Books :
Cloud security considerations:
1、Data security: cloud service providers need to protect cloud users' data from theft or loss. Strong encryption and key management is a core mechanism by which a cloud computing system protects data. Keystone introduces the token mechanism to manage users' access to resources, and at the same time introduces PKI (public key infrastructure) to protect the token.
2、Identity and access management security: effective identity and access control is an essential part of a cloud platform. For authenticating users and services in cloud computing, besides risk-based authentication methods, simplicity and ease of use also need attention. Keystone uses Policy (access rules) to perform access control finer than user roles.
3、Virtualization security: virtualization technology also brings some security problems: how to isolate each virtual machine effectively and safely so that data is not contaminated; how virtual machines with different sensitivity and security requirements can coexist, so that a VM with weak security protection does not become the weak point under multi-tenancy; and, since the virtual operating system lacks an effective security protection mechanism, how to control communication between virtual machines safely.
4、Infrastructure security: infrastructure security covers the security of servers, storage, network and other core IT infrastructure. Trusted Compute Pools determine a collection of trusted nodes by measuring the hardware and the system kernel of each compute node; introducing trusted compute pools improves the security of the infrastructure.
Keystone, as the independent OpenStack module that provides security authentication, is mainly responsible for user authentication, token management, the service catalog that provides access to resources, and access control based on user roles.
Keystone architecture:
Domain: domain.
1、A domain is a container for a set of Users, Groups or Projects, and it must be globally unique.
2、The customer of the cloud service is the owner of a Domain; within their own Domain they can create multiple Projects, Users, Groups and Roles.
3、By introducing Domains, a cloud service customer can manage multiple Projects in a unified way.
User: user.
1、An individual, system or service that accesses OpenStack services through Keystone.
2、Keystone verifies a user's request against the authentication information (Credentials); after verification the user obtains a Token, used as the pass for subsequent access to resources. A user is not globally unique; it only needs to be unique within its domain.
Group: user group.
1、A container for a group of Users; users can be added to the container and roles assigned directly to the user group (all users in the group then have the role permissions that the Group has).
2、By introducing the Group concept, Keystone implements management of user groups and can manage the permissions of a group of users at the same time.
Project: project (the collection of resources that can be accessed in each service).
1、A project must be specified when creating a virtual machine.
2、Before a user can access a project's resources, the user must have access to that project (i.e. be granted a specific role under that specific project).
3、Projects do not have to be globally unique; they only need to be unique within a domain.
Role: role.
1、Only by knowing the roles granted to a user can we know whether the user has permission to access a resource.
2、A user can be assigned a role within a domain or a project.
3、A user assigned a role on a domain has that role for all projects in the domain; a role on a specific project only gives access to that project.
4、Roles can be inherited: in a project tree, access to the parent project also implies access to the child projects. Role names must be globally unique.
Service: service, such as Nova, Glance, Cinder, etc.
1、Based on User, Tenant and Role, a service can confirm whether the current user has access to its resources.
2、A service exposes one or more endpoints (Endpoint); only through these endpoints can users access the required resources or perform certain operations.
Endpoint: endpoint (a network address that can be used to access a specific service).
1、The URL is generally subdivided into Public, Internal and Admin.
2、The Public URL is the service endpoint provided to the outside world; the Internal URL, relative to the Public URL, is provided for access between internal services; the Admin URL is provided to the system administrator.
Token: token (a credential that allows access to specific resources).
1、Keystone's ultimate goal is to provide the outside world with a token that can access resources.
2、A token under a project is obtained with Credentials.
Credentials: credentials. User name and password.
Based on these core concepts, Keystone mainly provides four core services: Authentication, Token, Catalog and Policy (the security policy, or access control).
Authentication: verifies the user's identity. The authentication service also provides metadata related to the user.
Token: validates and manages the tokens used for authentication. Keystone issues two types of token to the user: a token without an explicit access scope (whose main purpose is to save the user's credentials), and, based on that token, a token with a certain access scope. The user selects the Project to access and can then obtain a token bound to that Project or domain; only with a token bound to a specific project or domain can the resources in that project or domain be accessed. A token is only valid for a limited time.
Catalog: the Catalog service provides a service lookup directory, i.e. the list of accessible Endpoints of each service. The service catalog contains the Endpoint information of all services; to access resources between services, the Endpoint information (usually a list of several URLs) must first be obtained, and the resource can then be accessed according to that information. As of the current version, the service catalog Keystone provides is returned to the user together with the scoped token.
Policy: a rule-based authorization engine that defines, through configuration files, the matching relationship between the various actions and user roles. Strictly speaking, this part is developed and maintained as part of Oslo (the OpenStack common libraries; Oslo contains many "wheels" that do not need to be reinvented. When developers feel that existing code is suitable for use by other OpenStack projects as a common part, they can apply to put it into the oslo-incubator code base for "incubation"), and strictly speaking it no longer belongs to the Keystone project.
Through these services Keystone builds a bridge between users and services: the user obtains a token and the service list from Keystone; when accessing a service, the user sends its own token; the service in turn asks Keystone to verify the legitimacy of the token.
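As an added example (not Keystone's or oslo.policy's own code), the toy evaluator below shows how rules in the shape of /etc/keystone/policy.json, as described for the Policy service above, decide whether a token's roles and user id allow an action. The policy fragment, rule names and credential dicts are constructed, and only the rule:, role:, generic key:value, @ and ! check forms are supported.

```python
import json
import re

# Constructed policy fragment in the shape of /etc/keystone/policy.json.
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:create_user": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "identity:update_user": "rule:admin_required or (rule:owner and not role:locked)",
    "identity:list_projects_for_user": "@"
}"""

# Tokens: parentheses, the keywords and/or/not, or a check such as
# "role:admin" or "user_id:%(user_id)s" (its %(...)s must not be split).
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|(?:%\([^)]*\)s|[^\s()])+")


class PolicyEngine:
    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def enforce(self, action, target, creds):
        """True if the caller (creds taken from its token) may perform action on target."""
        rule = self.rules.get(action)
        return False if rule is None else self._eval(rule, target, creds)  # deny unknown

    def _eval(self, rule, target, creds):
        toks = TOKEN_RE.findall(rule)
        value, pos = self._or(toks, 0, target, creds)
        if pos != len(toks):
            raise ValueError("trailing input in rule %r" % rule)
        return value

    # Recursive descent over: or_expr := and_expr ('or' and_expr)*
    def _or(self, toks, pos, target, creds):
        value, pos = self._and(toks, pos, target, creds)
        while pos < len(toks) and toks[pos] == "or":
            rhs, pos = self._and(toks, pos + 1, target, creds)
            value = value or rhs
        return value, pos

    # and_expr := not_expr ('and' not_expr)*
    def _and(self, toks, pos, target, creds):
        value, pos = self._not(toks, pos, target, creds)
        while pos < len(toks) and toks[pos] == "and":
            rhs, pos = self._not(toks, pos + 1, target, creds)
            value = value and rhs
        return value, pos

    # not_expr := 'not' not_expr | '(' or_expr ')' | check
    def _not(self, toks, pos, target, creds):
        if pos >= len(toks):
            raise ValueError("unexpected end of rule")
        if toks[pos] == "not":
            value, pos = self._not(toks, pos + 1, target, creds)
            return (not value), pos
        if toks[pos] == "(":
            value, pos = self._or(toks, pos + 1, target, creds)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing ')'")
            return value, pos + 1
        return self._check(toks[pos], target, creds), pos + 1

    def _check(self, tok, target, creds):
        """Evaluate one atomic check against the token's credentials."""
        if tok == "@":          # always allowed
            return True
        if tok == "!":          # never allowed
            return False
        kind, _, match = tok.partition(":")
        if kind == "rule":      # reference to another named rule; unknown names deny
            sub = self.rules.get(match)
            return False if sub is None else self._eval(sub, target, creds)
        if kind == "role":
            return match in creds.get("roles", [])
        # Generic check: expand %(field)s from the target, then compare with creds.
        try:
            expected = match % target
        except KeyError:
            return False        # target lacks the field the rule refers to
        return kind in creds and str(creds[kind]) == expected
```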
Keystone workflow details:
1、The User logs in to the Keystone system and obtains a temporary unscoped token and the catalog (service catalog). (With a v3 login, if no project or domain is specified, the temporary token obtained has no permissions and cannot query projects or the catalog.)
2、The User obtains the list of all projects with the unscoped token.
3、The User selects a project and logs in again specifying that project, obtaining a scoped token together with the service list (endpoints). The user selects an endpoint, carries the token in the HTTP header and sends the request. (If the user already knows the project name or project id, steps 1 and 2 can be skipped and the flow starts from step 3.)
4、The User sends a request carrying the scoped token to the endpoint to create a virtual machine; Keystone verifies the token (including whether the token is still valid, whether the user has permission to create virtual machines, etc.) and, on success, the request is forwarded to Nova.
More detailed analysis of step 4:
1、After the message arrives at the endpoint, the keystone middleware on the server side (nova) sends a request to keystone to verify the token.
2、After keystone verifies the token successfully, it returns the details of the user corresponding to the token (e.g. role, username, userid, etc.) to the server (nova).
3、The server side (nova) completes the request, e.g. creating a virtual machine.
4、The server returns the request result to the User.
Note: in this process, two ERRORs are commonly triggered:
1. If the Token included in the request issued by the User is found to be Invalid after Keystone validates it, a 401 error code is returned.
2. If the Token is valid but Keystone cannot provide service, a 503 error code is returned.
Besides keystoneclient, another sub-project is involved: keystonemiddleware.
keystonemiddleware introduction:
1、It is the middleware Keystone provides to verify token validity.
2、For example, when a client accesses resources provided by Keystone with a PKI-type token (PKI is a standard technology and specification that uses public-key cryptography to provide a security base platform for the development of e-commerce), the token's validity does not have to be verified through the Keystone service every time; generally it can be verified in the middleware (this of course requires that the middleware has cached the relevant certificates and keys used to sign and authenticate the token).
3、For a token that is not of PKI type, the middleware has to obtain a session connected to the Keystone service through keystoneauth and verify the token's validity by calling the API provided by the Keystone service.
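The four-step workflow and the middleware's 401/503 outcomes described above, modelled as an added offline example (not OpenStack's code): FakeKeystone stands in for the identity service and token_middleware for keystonemiddleware in front of nova. The user, projects, role assignments, catalog URL and the request/response dicts are constructed and follow a simplified v3 JSON shape.

```python
import secrets
import time
# Constructed sample data: one user, her roles on two projects, a service catalog.
USERS = {"alice": {"id": "u-1", "password": "alice-pass"}}
ASSIGNMENTS = {("u-1", "p-demo"): ["member"], ("u-1", "p-ops"): ["admin"]}
CATALOG = [{"type": "compute", "endpoints": [
    {"interface": "public", "url": "http://nova.example:8774/v2.1"}]}]

class FakeKeystone:
    def __init__(self, ttl=3600):
        self.tokens, self.ttl = {}, ttl   # UUID-style tokens are persisted server-side
        self.available = True             # set False to model a Keystone outage

    def authenticate(self, auth):
        """POST /v3/auth/tokens -> (status, headers, body)."""
        ident = auth["identity"]
        if ident["methods"] == ["password"]:
            user = ident["password"]["user"]
            rec = USERS.get(user["name"])
            if rec is None or rec["password"] != user["password"]:
                return 401, {}, {"error": "invalid credentials"}
            user_id = rec["id"]
        else:  # "token" method: trade an existing (unscoped) token for a scoped one
            old = self.tokens.get(ident["token"]["id"])
            if old is None or old["expires_at"] < time.time():
                return 401, {}, {"error": "invalid token"}
            user_id = old["user_id"]
        token = {"user_id": user_id, "expires_at": time.time() + self.ttl,
                 "project_id": None, "roles": [], "catalog": []}
        if "scope" in auth:  # only a scoped token carries roles and the catalog
            project_id = auth["scope"]["project"]["id"]
            roles = ASSIGNMENTS.get((user_id, project_id))
            if not roles:
                return 401, {}, {"error": "user has no role on project"}
            token.update(project_id=project_id, roles=roles, catalog=CATALOG)
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = token
        return 201, {"X-Subject-Token": token_id}, {"token": token}

    def list_projects(self, token_id):
        """GET /v3/auth/projects: projects the token's user has a role on."""
        body = self.tokens.get(token_id)
        if body is None:
            return 401, []
        return 200, [p for (u, p) in ASSIGNMENTS if u == body["user_id"]]

    def validate(self, token_id):
        """The check the middleware asks Keystone for on every request."""
        if not self.available:
            return 503, None
        body = self.tokens.get(token_id)
        if body is None or body["expires_at"] < time.time():
            return 401, None
        return 200, body

def token_middleware(keystone, headers, app):
    """Stand-in for keystonemiddleware: validate, then hand the identity on to nova."""
    status, token = keystone.validate(headers.get("X-Auth-Token", ""))
    if status == 503:
        return 503, "identity service unavailable"
    if status != 200:
        return 401, "invalid or expired token"
    return app({"user_id": token["user_id"], "project_id": token["project_id"],
                "roles": token["roles"]})

def create_server(ctx):
    # Stand-in for nova: a project-scoped token carrying a role is required.
    if not ctx["project_id"] or not ctx["roles"]:
        return 403, "unscoped token has no permissions"
    return 202, "server create accepted in project " + ctx["project_id"]

def run_flow(keystone):
    """Steps 1-4 of the workflow; returns nova's (status, message)."""
    # Step 1: password login without scope -> unscoped token (no roles, no catalog).
    st, hdr, body = keystone.authenticate({"identity": {"methods": ["password"],
        "password": {"user": {"name": "alice", "password": "alice-pass"}}}})
    unscoped = hdr["X-Subject-Token"]
    # Step 2: list the user's projects with the unscoped token; pick the first one.
    project_id = keystone.list_projects(unscoped)[1][0]
    # Step 3: re-scope to that project -> scoped token plus the catalog of endpoints.
    st, hdr, body = keystone.authenticate({"identity": {"methods": ["token"],
        "token": {"id": unscoped}}, "scope": {"project": {"id": project_id}}})
    # Step 4: call the endpoint from the catalog with the scoped token in the header.
    return token_middleware(keystone, {"X-Auth-Token": hdr["X-Subject-Token"]},
                            create_server)
```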
The relationship between keystoneclient, keystoneauth and keystonemiddleware:
a、keystoneauth is the core component; most OpenStack components that need authentication depend on it
1、Basic data structures
2、The requests session used for HTTP access is encapsulated by keystoneauth
b、keystoneclient should be seen as a tool component; it depends on keystoneauth
1、Part of the keystoneclient code has been moved into keystoneauth1
2、It contains the v2 and v3 interface clients and defines the keystone exceptions
c、keystonemiddleware should be seen as a second-level wrapper component; it depends on keystoneauth
1、Communication between each OpenStack service and keystone (not communication between users and keystone; that depends on keystoneclient)
2、The code for generating, checking and caching tokens is written in it.
The Keystone project itself, apart from the backend database, mainly consists of an API service process that handles RESTful requests. These APIs cover Keystone's various services such as Identity, Token, Catalog and Policy; the functions provided by these different services are implemented by the corresponding Backend Drivers.
Differences between the V2 and V3 API versions:
1、The V3 API introduces the concepts of Domains and user Groups on top of V2.
2、A domain sits above projects (Project, also called Tenant); one domain can contain multiple projects.
3、The introduction of domains lets users manage their own resources better.
4、If a user is given domain administrator privileges, that user can create Users/Groups in the domain and define the users' roles within the domain.
5、A domain's administrator permission is limited to that domain; the administrator does not have the same permissions in other domains. This design isolates the various end cloud consumers well. In V2 the administrator role is global: once an administrator user is defined, that user is globally valid, not only for one project.
6、A group is a collection of users. With groups, a domain administrator does not need to define roles for individual users; it can directly define the roles corresponding to a group, and all users in that group have those roles.
7、Domain and role names must be unique in the cloud environment, while users, projects and groups only need to be unique within their domain.
8、In the V3 API, token information may no longer be directly exposed in the HTTP URL; the token ID is saved in the request header field "X-Subject-Token". Compared with the V2 implementation this improves system security in a sense, avoiding the token being directly exposed in the HTTP body.
Keystone source structure:
keystone:
assignment - user role authorization
auth - user authentication module
catalog - provides the accessible service catalog
cmd - command-line support
contrib - extension API implementations
credential - user secret key management
endpoint_policy - endpoint-based policy management
federation - provides federated identity management
identity - user identity management
middleware - WSGI middleware
oauth1 - provides support for OAuth1
policy - user-customised Policy configuration
resource - manages projects and domains
revoke - revocation management
token - token management module
trust - provides access delegation (trusts)
v2_crud - deprecated V2 CRUD operations
version - current API version information
The keystone directory has no separate api subdirectory implementing the various Keystone APIs; instead the code is organised per service in subdirectories such as identity, and the code structure under these subdirectories is basically the same.
Take the Catalog service as an example: there are basically three files. routers.py defines the routing rules through which each API request is routed to a Controller defined in controllers.py; core.py defines the Manager class and the Driver class, the Manager being responsible for further processing of requests on top of the different Backend Drivers. (Figure: the relationship between the Driver layer and the Manager layer.)
Keystone framework:
I. Keystone API: like the APIs of other OpenStack services, the Keystone API is implemented as a RESTful HTTP API. It is divided into an Admin API and a Public API:
1、The Public API can obtain the version and the corresponding extension information, and also includes obtaining a Token and operating on the tenant information of a Token;
2、The Admin API is mainly used by service developers; besides the operations of the Public API, it also provides management operations for User, Tenant, Role and Service Endpoint.
II. Router: the Keystone Router mainly implements the mapping and transformation between the upper-layer API and the underlying services. There are four Router types.
1、AdminRouter
maps Admin API requests to the corresponding actions and forwards them to the underlying service for execution;
2、PublicRouter
similar to AdminRouter;
3、PublicVersionRouter
maps the system version API requests;
4、AdminVersionRouter
similar to PublicVersionRouter.
III. Services: a Keystone Service receives the operation requests sent by the different Routers and completes the corresponding operations according to the different backend drivers. It mainly includes the following categories:
1、Identity Service: provides authentication, authorization and related data about users and user groups.
2、Resource Service: provides data about projects and domains.
3、Assignment Service: provides data about roles and role assignments.
4、Token Service: provides the functions of authenticating and managing tokens; a user's credentials obtain a token after passing authentication.
5、Catalog Service: provides management operations for services and Endpoints (a service being any OpenStack service, an endpoint being the URL used to access that service).
6、Policy Service: provides a rule-based authorization driver and rule management.
IV. Backend Driver: there are many types of Backend Driver, and different Services choose different Backend Drivers.
The various Backend Drivers represent different backend implementations (SQL, KVS (Key-Value Store), LDAP, etc.). Keystone also uses Template (which can be understood as a special KVS implementation), MemCache (a cache storage system) and others.
1、SQL: data persistence using SQLAlchemy.
2、KVS: primary-key lookups that scale to massive data stores; widely used in caching, search engines and other fields. In Keystone, KVS storage is mainly used in combination with the cache.
3、LDAP: Lightweight Directory Access Protocol; stores data in a tree hierarchy.
4、Template: mainly used for the service catalog; through a template, users can customise the service catalog available in the current system environment.
Keystone boot process:
When OpenStack is deployed with Devstack, the default deployment is Apache/mod_wsgi. Newer versions also support deployment with Apache/mod_proxy_uwsgi in addition to mod_wsgi, and the source tree contains default configuration files for both deployment types.
Keystone is provided as an Apache module and starts with the Apache service, so when using screen for development debugging, the Apache service has to be restarted to run new Keystone code.
In order to access Keystone's WSGI application through Apache, mod_wsgi (https://code.google.com/p/modwsgi/) is used, and the corresponding configuration is made in the file /etc/apache2/sites-available/keystone.conf.
Two TCP access ports are opened here: 5000 and 35357. According to the official explanation, 5000 is the public port and 35357 is the admin port. Before the V3 API appeared, Keystone defined some APIs that only administrators could call; since the V3 API appeared, such operations can be controlled by Policy. Correspondingly there are two independent Virtual Hosts.
The WSGI script /usr/local/bin/keystone-wsgi-admin is the Keystone startup script; its core work includes registering configuration parameters, initialising the database connection (the default database engine is SQLite), and loading the various Backend Drivers.
To solve the problem of inter-dependencies, Keystone uses the keystone.common.dependency.resolve_future_dependencies() method.
Keystone's three authentication methods:
1、Token based: if the token is present in the auth parameter of authenticate_for_token(self, request, auth=None) (the second parameter, auth, carries the parameters passed in our curl request (URL syntax)), authentication is completed from the token information: the token in the HTTP request header is stripped out, hashed, and compared with the token value saved in the database to confirm whether it is valid. Here the token takes the place of the user name and password.
2、External users: if the context information contains the external user information "REMOTE_USER", the legitimacy of the external user's associated projects and roles is verified and authentication is done in a customised way.
3、Local authentication: the default mode; verifies the user name and password. The core operation of local authentication is to verify the password through the Backend Driver: a SHA512 hash is computed over the incoming plaintext and compared with the hashed password stored in the database.
4、OAuth1: an authentication method that implements delegation of access permissions through the OAuth1 protocol; together with the mapped authentication method it provides support for the federation function.
Extension: the purpose of the OAuth protocol is to provide a secure, open standard for authorising access to user resources. The OAuth protocol does not need to touch the user's account information (account name and password); through different types of token, the platform provider can complete the authorisation of user information access for third-party applications.
How tokens are generated:
After verification, it is checked whether the user, domain and project are available; data that does not need to be returned to the user is filtered out; the Catalog API is called to construct the service catalog; and finally a specific Backend generates the token. Tokens can be generated in 4 ways; the default is UUID, which later versions replace with Fernet tokens.
1、UUID: a Python library function is called to produce a random UUID (universally unique identifier) as the token ID.
2、PKIZ: OpenSSL is used to sign the user-related information; the signed format is DER, and this is used to generate the token ID.
3、PKI: OpenSSL is used to sign the user-related information; the difference from PKIZ is that the generated signature format is PEM.
4、Fernet token: a token generated by encrypting the user information with Fernet (a symmetric encryption scheme). All the user-related authentication information is stored in the token, so the token itself contains all the information, and Fernet tokens therefore do not need to be persisted.
Extension: openssl is the cornerstone of secure web communication; openssl is an implementation of SSL and also includes tools for generating public and private keys, generating digests, and so on.
Before the Folsom release, the only way to generate a token ID was UUID. The generated token is saved in Keystone's backend database and at the same time transmitted to the client over the network. After receiving it, Keystone extracts the token ID and compares it with the value in the backend database to verify the validity of the request. The problem is that when there is a large number of concurrent client requests, Keystone's performance becomes a big bottleneck, because every request needs to interact with Keystone to verify the validity of the token; besides, if a token is inadvertently disclosed or stolen, that is also a problem.
Therefore PKI was introduced in later versions: Keystone uses PKI to sign the token-related data, and each service endpoint keeps the signing public key certificate, the CA public key certificate and the certificate revocation list, so that verification can be done locally without frequent interaction with Keystone.
Verification process:
1、The client sends the user name and password to Keystone for verification. After Keystone verifies that the user name, password and related information are legitimate, it signs the token metadata with the signing private key to generate a token.
2、The token is sent to the client over the network, and the token is also cached on the client.
3、The client sends an API request to the service endpoint; the service endpoint extracts the token information and verifies the signature using the locally stored signing public key certificate.
4、The service endpoint handles legitimate requests and rejects requests that fail validation.
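An added example (not Keystone's code) contrasting the two designs discussed above: a UUID token whose metadata stays in Keystone's store, so every validation is a lookup there, and a self-contained signed token that an endpoint verifies locally, checking signature, expiry and a revocation list. Assumption: HMAC-SHA256 with a shared demo key stands in for the OpenSSL/PKI signature and for the Fernet key; the token contents, the key and the revocation entry are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# ---- UUID token: opaque id, metadata persisted by Keystone ------------------
class UuidTokenStore:
    def __init__(self):
        self.db = {}   # token id -> metadata; every validation is a lookup here

    def issue(self, metadata, ttl):
        token_id = uuid.uuid4().hex
        self.db[token_id] = dict(metadata, expires_at=time.time() + ttl)
        return token_id

    def validate(self, token_id):
        """What a service must ask Keystone for: returns metadata or None."""
        meta = self.db.get(token_id)
        if meta is None or meta["expires_at"] < time.time():
            return None
        return meta


# ---- Signed token: metadata travels inside the token ------------------------
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(metadata, ttl, signing_key):
    """Keystone side: serialise metadata with expiry and sign it (step 1 above)."""
    payload = json.dumps(dict(metadata, expires_at=time.time() + ttl),
                         sort_keys=True).encode()
    sig = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token_locally(token, signing_key, revoked=frozenset()):
    """Endpoint side: check signature, expiry and revocation without calling
    Keystone (step 3 above).  Returns the metadata, or None if rejected."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(signing_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged
        return None
    meta = json.loads(payload)
    if meta["expires_at"] < time.time():
        return None
    # Stand-in for the certificate revocation list kept at each endpoint.
    if hashlib.sha256(token.encode()).hexdigest() in revoked:
        return None
    return meta


def demo():
    """Issue both kinds of token for the same user and validate them."""
    meta = {"user_id": "u-1", "project_id": "p-demo", "roles": ["member"]}
    key = b"constructed-demo-signing-key"          # assumption, demo only
    store = UuidTokenStore()
    uuid_tok = store.issue(meta, ttl=3600)
    signed_tok = sign_token(meta, 3600, key)
    # Tampering with the signed payload (adding a role) breaks verification.
    p, s = signed_tok.split(".")
    forged = json.loads(_unb64(p))
    forged["roles"].append("admin")
    tampered = _b64(json.dumps(forged, sort_keys=True).encode()) + "." + s
    return {
        "uuid_needs_store": store.validate(uuid_tok)["roles"],
        "uuid_unknown_id": store.validate(uuid.uuid4().hex),
        "signed_local": verify_token_locally(signed_tok, key)["roles"],
        "signed_tampered": verify_token_locally(tampered, key),
        "signed_wrong_key": verify_token_locally(signed_tok, b"other-key"),
        "signed_revoked": verify_token_locally(
            signed_tok, key, {hashlib.sha256(signed_tok.encode()).hexdigest()}),
    }
```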