keystone概念及其使用指南

blog

Keystone版本发布计划

https://releases.openstack.org/

V3 API

https://developer.openstack.org/api-guide/quick-start/
https://developer.openstack.org/api-ref/identity/v3/

Policy详细解释

https://docs.openstack.org/security-guide/identity/policies.html

Keystone的组成

1. 管理身份验证(managing authentication): 验证用户身份
2. 授权(authorization): 基于角色role的权限管理
3. 服务目录(catalog of services): 提服务目录(ServiceCatalog：包括service和endpoint)服务，类似于UDDI服务的概念，用户(无论是Dashboard, APIClient)都需要访问Keystone获取服务列表，以及每个服务的地址(Openstack中称为Endpoint)

操作User指南

获取token，返回在header

1. 通过password

curl -k -i -H "Content-Type: application/json" -d '
    { "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "admin",
              "domain": { "name": "Default" },
              "password": "secret"
            }
          }
        },
    "scope": {
      "project": {
        "name": "admin",
        "domain": { "name": "Default" }
      }
    } 
   }
}' https://localhost:5000/v3/auth/tokens 
->
HTTP/2 201
server: nginx/1.11.6
date: Mon, 27 Feb 2017 06:30:58 GMT
content-type: application/json
content-length: 1006
x-subject-token: c8d4845f8e46483b80704b9605368339 # token here
vary: X-Auth-Token
x-openstack-request-id: req-3b7f6de4-f8ea-4322-8da8-d3448d985bcf
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Subject-Token,X-Auth-Token
access-control-expose-headers: X-Subject-Token,X-Auth-Token,Content-Type
{
    "token": {
        "audit_ids": [
            "Cwibi1HTRtWSJcG9bXFH_w"
        ],
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "5ae2ea0e24b34e608aa709fe6b84bb38",
                        "interface": "public",
                        "region": null,
                        "region_id": null,
                        "url": "https://172.17.0.2:5000/v3"
                    },
                    {
                        "id": "6dc04da36bf147d791988d449d1bf20a",
                        "interface": "admin",
                        "region": null,
                        "region_id": null,
                        "url": "https://172.17.0.2:35357/v3"
                    },
                    {
                        "id": "c70fb80469a049ef9a45a79e1d9917a7",
                        "interface": "internal",
                        "region": null,
                        "region_id": null,
                        "url": "https://172.17.0.2:5000/v3"
                    }
                ],
                "id": "7c8cf541b6b4475baa208e1f627610e6",
                "name": "keystone",
                "type": "identity"
            }
        ],
        "expires_at": "2017-02-27T07:30:58.875615Z",
        "issued_at": "2017-02-27T06:30:58.875650Z",
        "methods": [
            "password"
        ],
        "project": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "d73adc212580440d981087e5d9cb5047",
            "name": "admin"
        },
        "roles": [
            {
                "id": "07a7ac0117dd4e18ae689e94fc300c35",
                "name": "admin"
            }
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "50b7b2d339eb480986e34bc9e2359781",
            "name": "admin"
        }
    }
}
# unscoped token
curl -k -i -H "Content-Type: application/json" -d '
    { "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "admin",
              "domain": { "name": "Default" },
              "password": "secret"
            }
          }
        }
   }
}' https://localhost:5000/v3/auth/tokens 
->
{
    "token": {
        "audit_ids": [
            "c8n9Wn8wThKYqsL0L-XbKQ"
        ],
        "expires_at": "2017-02-28T05:06:25.908083Z",
        "issued_at": "2017-02-28T04:06:25.908108Z",
        "methods": [
            "password"
        ],
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "50b7b2d339eb480986e34bc9e2359781",
            "name": "admin"
        }
    }
}

什么是scoped和unscoped token？

What is the difference between a scoped and unscoped token?
An unscoped token is one where the user is authenticated but not for a specific project or domain. This type of token is useful for making queries such as determining what projects a user has access to. A scoped token is created when the user is authenticated for a specific project or domain. Scoped tokens have role information associated with them and are the types of tokens used by the other OpenStack services to determine what types of operations are permitted.

unscoped token用于查询一个用户具体访问了什么项目；而scoped token用于其他的OpenStack服务鉴别哪些类型的操作是被允许的。

2. 通过token

curl -k -i -H "Content-Type: application/json" -d '
    { "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "'$OS_TOKEN'"
            }
        },
    "scope": {
      "project": {
        "name": "admin",
        "domain": { "name": "Default" }
      }
    } 
   }
}' https://localhost:5000/v3/auth/tokens 

列出所有user

# 先从返回header中获取token，然后设置OS_TOKEN
curl -k -s -H "X-Auth-Token: $OS_TOKEN" \
       https://localhost:5000/v3/users | python -mjson.tool
->
{
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:5000/v3/users"
    },
    "users": [
        {
            "domain_id": "default",
            "enabled": true,
            "id": "50b7b2d339eb480986e34bc9e2359781",
            "links": {
                "self": "https://localhost:5000/v3/users/50b7b2d339eb480986e34bc9e2359781"
            },
            "name": "admin"
        }
    ]
}

创建user

curl -k -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"user": {"name": "lambeta", "password": "changeme"}}' \
 https://localhost:5000/v3/users | python -mjson.tool
-> 
{
    "user": {
        "domain_id": "default",
        "enabled": true,
        "id": "624082e8dc4044268a5232ebeb5260ff",
        "links": {
            "self": "https://localhost:5000/v3/users/624082e8dc4044268a5232ebeb5260ff"
        },
        "name": "lambeta"
    }
}

查看user详情

curl -k -s \
 -H "X-Auth-Token: $OS_TOKEN" \
    https://localhost:5000/v3/users/{user_id}
->
{
    "user": {
        "domain_id": "default",
        "enabled": true,
        "id": "624082e8dc4044268a5232ebeb5260ff",
        "links": {
            "self": "https://localhost:5000/v3/users/624082e8dc4044268a5232ebeb5260ff"
        },
        "name": "lambeta"
    }
}

把user添加到group

curl -k -s -X PATCH \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{
    "user": {
        "default_project_id": "a4e03469459b4750bd316a3117e4e475",
        "enabled": true
    }
}' \
https://localhost:5000/v3/users/624082e8dc4044268a5232ebeb5260ff
->
{
    "user": {
        "default_project_id": "a4e03469459b4750bd316a3117e4e475",
        "domain_id": "default",
        "enabled": true,
        "extra": {},
        "id": "624082e8dc4044268a5232ebeb5260ff",
        "links": {
            "self": "https://localhost:5000/v3/users/624082e8dc4044268a5232ebeb5260ff"
        },
        "name": "lambeta"
    }
}

操作Project指南

列出Project

curl -k -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 https://localhost:5000/v3/projects | python -mjson.tool
->
{
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:5000/v3/projects"
    },
    "projects": [
        {
            "description": "Service Project",
            "domain_id": "default",
            "enabled": true,
            "id": "a4e03469459b4750bd316a3117e4e475",
            "is_domain": false,
            "links": {
                "self": "https://localhost:5000/v3/projects/a4e03469459b4750bd316a3117e4e475"
            },
            "name": "service",
            "parent_id": "default"
        },
        {
            "description": "Bootstrap project for initializing the cloud.",
            "domain_id": "default",
            "enabled": true,
            "id": "d73adc212580440d981087e5d9cb5047",
            "is_domain": false,
            "links": {
                "self": "https://localhost:5000/v3/projects/d73adc212580440d981087e5d9cb5047"
            },
            "name": "admin",
            "parent_id": "default"
        }
    ]
}

列出User所属的所有Project

curl -k -s -H "X-Auth-Token: $TOKEN" \
https://localhost:5000/v3/users/{user_id}/projects
->
{
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:35357/v3/users/624082e8dc4044268a5232ebeb5260ff/projects"
    },
    "projects": [
        {
            "description": "Service Project",
            "domain_id": "default",
            "enabled": true,
            "id": "a4e03469459b4750bd316a3117e4e475",
            "is_domain": false,
            "links": {
                "self": "https://localhost:35357/v3/projects/a4e03469459b4750bd316a3117e4e475"
            },
            "name": "service",
            "parent_id": "default"
        }
    ]
}

操作Group指南

列出所有group

curl -k -s -H "X-Auth-Token: $OS_TOKEN" \
        https://localhost:5000/v3/groups | python -mjson.tool
{
    "groups": [],
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:5000/v3/groups"
    }
}

列出user所属的所有group

curl -k -s -H "X-Auth-Token: $OS_TOKEN" \
https://localhost:5000/v3/users/{user_id}/groups
->
{
    "groups": [],
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:5000/v3/users/624082e8dc4044268a5232ebeb5260ff/groups"
    }
}

操作Role指南

列出所有角色

curl -k -s -H "X-Auth-Token: $OS_TOKEN" \
       https://localhost:5000/v3/roles | python -mjson.tool
->
{
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:5000/v3/roles"
    },
    "roles": [
        {
            "domain_id": null,
            "id": "07a7ac0117dd4e18ae689e94fc300c35",
            "links": {
                "self": "https://localhost:5000/v3/roles/07a7ac0117dd4e18ae689e94fc300c35"
            },
            "name": "admin"
        },
        {
            "domain_id": null,
            "id": "fa82d48b40794b21a1d71a96e0c89309",
            "links": {
                "self": "https://localhost:5000/v3/roles/fa82d48b40794b21a1d71a96e0c89309"
            },
            "name": "user"
        }
    ]
}

注意，这里的role和domain没有关联！

创建一个新角色

curl -k -s -X POST -H "X-Auth-Token: $OS_TOKEN" \
                   -H "Content-Type: application/json" \ #需要带json类型的头
                   -d '{"role": {"name": "developer"}}' \
       https://localhost:5000/v3/roles
->
{"role": {"domain_id": null, 
          "id": "1fa6114345e94379b7fe274ee04a234e", 
          "links": {"self":"https://localhost:5000/v3/roles/1fa6114345e94379b7fe274ee04a234e"}, 
          "name": "developer"
          }
}

把角色赋给Project下的某个User

curl -k -s -X PUT -H "X-Auth-Token: $OS_TOKEN" \
                   -H "Content-Type: application/json" \
        https://locahost:5000/v3/projects/{project_id}/users/{user_id}/roles/{role_id}

操作Domain指南

创建一个Domain

curl -k -s -H "X-Auth-Token: $OS_TOKEN" \
       -H "Content-Type: application/json" -d '{ "domain": { "name": "acme"}}'
       https://localhost:5000/v3/domains | python -mjson.tool

操作Policy指南

创建Policy

curl -k -s -H "X-Auth-Token: $OS_TOKEN"  \
            -H "Content-Type: application/json" \
-d '{
    "policy": {
        "blob": "{'foobar_user': 'role:developer'}",
        "type": "application/json"
    }
}' \
https://localhost:5000/v3/policies
->
{
    "policy": {
        "blob": "{foobar_user: role:developer}",
        "id": "6159494901ff4706ac877eff50530463",
        "links": {
            "self": "https://localhost:5000/v3/policies/6159494901ff4706ac877eff50530463"
        },
        "type": "application/json"
    }
}

列出所有Policy

curl -k -s -H "X-Auth-Token: $OS_TOKEN" https://localhost:5000/v3/policies

Policy详解

目的

控制API的访问和授权，所以Keystone创建了RBAC (Role-Based Access Control) 的策略来管控每个开放的API。

模样

# /usr/share/defaults/keystone/policy.json
"admin_required": "role:admin or is_admin:1"
"identity:list_grants": "rule:admin_required"
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
->
| service:API: [rule | 'rule':alias]
| target: rule

分析service:API: rule

以"identity:list_grants": "rule:admin_required"为例：

• identity: service，这里指的就是Keystone服务自身；
• list_grants: API以及对API操作；

• rule:admin_required: 对应rule:alias，真正的定义发生在"admin_required": "role:admin or is_admin:1"；意为当用户具有admin角色时才具有这样的权限。

修改Policy

切换用户

curl -k -i -H "Content-Type: application/json" -d '
    { "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "lambeta",
              "domain": { "name": "Default" },
              "password": "changeme"
            }
          }
        },
    "scope": {
      "project": {
        "name": "service",
        "domain": { "name": "Default" }
      }
    } 
   }
}' https://localhost:5000/v3/auth/tokens 
# 获取token

列出project下指定user的所有roles (list_grants)

curl -k  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" https://localhost:35357/v3/projects/a4e03469459b4750bd316a3117e4e475/users/624082e8dc4044268a5232ebeb5260ff/roles |json
->
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action: identity:list_grants",
        "title": "Forbidden"
    }
}

列出user下的所有project (list_user_projects)

curl -k -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" https://localhost:35357/v3/users/624082e8dc4044268a5232ebeb5260ff/projects |json
->
{
    "links": {
        "next": null,
        "previous": null,
        "self": "https://localhost:35357/v3/users/624082e8dc4044268a5232ebeb5260ff/projects"
    },
    "projects": [
        {
            "description": "Service Project",
            "domain_id": "default",
            "enabled": true,
            "id": "a4e03469459b4750bd316a3117e4e475",
            "is_domain": false,
            "links": {
                "self": "https://localhost:35357/v3/projects/a4e03469459b4750bd316a3117e4e475"
            },
            "name": "service",
            "parent_id": "default"
        }
    ]
}

当前用户已经是lambeta，但是依然可以操作这个API，是因为存在这样几条policy：

"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"identity:list_user_projects": "rule:admin_or_owner"

[1] Policy Enforcement in OpenStack
[2] jq