关于openstack的keystone admin用户请求令牌成功使用demo用户请求认证令牌失败

最新推荐文章于 2024-04-16 17:53:13 发布

bbbzi

最新推荐文章于 2024-04-16 17:53:13 发布

阅读量2.3k

点赞数 1

文章标签： linux openstack centos

本文链接：https://blog.youkuaiyun.com/bbbzi/article/details/103538976

版权

在opnestack 创建服务实体和API端点都无误做完
在验证操作的时候因为安全性的原因，关闭临时认证令牌机制

vim /usr/share/keystone/keystone-dist-paste.ini
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
#pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
#pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
#pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3

验证操作使用 admin 用户，请求认证令牌

[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password  token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2019-12-14T07:38:36.258468Z      |
| id         | c98aa29ee0e04cfa96a03d52cd53a2c2 |
| project_id | a4ba22b6b3c4412a9c7d001963538101 |
| user_id    | fd9d47fbc72142cdaa2c90a94ce09a67 |
+------------+----------------------------------+

成功使用demo用户请求令牌

Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
Internal Server Error (HTTP 500)

报错，各种百度谷歌看官方文档都找不到问题
查看log

[root@controller ~]# tail /var/log/keystone/keystone.log
2019-12-14 13:37:48.257 3329 INFO keystone.common.wsgi [req-e1bcf787-5e95-44e3-a6fc-38f28ce82dd1 - - - - -] GET http://controller:35357/v3/projects?name=demo
2019-12-14 13:37:48.258 3329 WARNING keystone.common.controller [req-e1bcf787-5e95-44e3-a6fc-38f28ce82dd1 - - - - -] RBAC: Bypassing authorization
2019-12-14 13:37:48.621 3328 INFO keystone.common.wsgi [req-46c83dcb-73be-4aa3-b97f-d5600933849d - - - - -] PUT http://controller:35357/v3/projects/c325bb1a339941e690376089acea9f70/users/4f13f859d4d84917aa7c3936bb57d98a/roles/82bfad0e55014b14a04ff3973b7a55b0
2019-12-14 13:37:48.622 3328 WARNING keystone.common.controller [req-46c83dcb-73be-4aa3-b97f-d5600933849d - - - - -] RBAC: Bypassing authorization
2019-12-14 13:44:17.482 3327 INFO keystone.common.wsgi [req-eae3aaf0-b57e-4575-8fa8-c7cad3fecbaa - - - - -] GET http://controller:35357/v3/
2019-12-14 13:44:17.603 3331 INFO keystone.common.wsgi [req-d121ac3e-4e10-4e36-aee3-cabf855a568c - - - - -] POST http://controller:35357/v3/auth/tokens
2019-12-14 13:44:18.917 3331 INFO keystone.common.kvs.core [req-d121ac3e-4e10-4e36-aee3-cabf855a568c - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2019-12-14 13:44:58.656 3330 INFO keystone.common.wsgi [req-5dbb459d-af41-46c8-ab50-6eddc0fdf8de - - - - -] GET http://controller:35357/v3/
2019-12-14 13:44:59.131 3329 INFO keystone.common.wsgi [req-886eded3-eba2-487a-a930-211893323eaa - - - - -] POST http://controller:35357/v3/auth/tokens
2019-12-14 13:45:00.211 3329 INFO keystone.common.kvs.core [req-886eded3-eba2-487a-a930-211893323eaa - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler

蒙蔽……然后经过一小时的百度和谷歌，去查看了/var/log/httpd/keystone-error.log

2019-12-14 14:18:12.052221 LookupError: The [pipeline:public_api] section in /usr/share/keystone/keystone-dist-paste.ini is missing a 'pipeline' setting

啊啊啊啊啊啊啊！
把/usr/share/keystone/keystone-dist-paste.ini 注释掉的东西修改回来
再次尝试

[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2019-12-14T07:24:11.492284Z      |
| id         | 5fb26aef0a744898acd96a505458341c |
| project_id | c325bb1a339941e690376089acea9f70 |
| user_id    | 4f13f859d4d84917aa7c3936bb57d98a |
+------------+----------------------------------+

把/usr/share/keystone/keystone-dist-paste.ini 原先注释掉的跳过认证删掉注释就好了
但是为什么注释掉了，admin还是能使用35357端口申请令牌成功？demo（普通用户不行）
初步接触openstack这个退环境的云平台有好多坑