Understanding OpenStack Authentication: Keystone PKI

最新推荐文章于 2024-09-17 19:22:22 发布
转载 最新推荐文章于 2024-09-17 19:22:22 发布 · 1.1k 阅读 · 0
文章标签:

#keystone #openstack

本文详细介绍了OpenStack Grizzly版本中引入的PKI Token机制。PKI Token通过使用证书授权的方式,允许API端点在不直接调用Keystone的情况下验证用户Token的有效性,从而减少了网络流量并提高了Keystone的性能。

现在知道为什么keystone要支持PKI Token了

http://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/

by  Bartek Kupidura
July 10, 2013


The latest stable release of OpenStack, codenamed Grizzly, revolutionizes the way user authentication works. You may have read some of the few articles available on this new authentication scheme. This post attempts to capture the full scope of this new feature. It focuses not on how Keystone issues tokens but rather the later stage, where existing tokens are used by clients to sign their API calls. These requests are later validated by OpenStack API endpoints. You’ll see first why you need tokens and then how PKI tokens can be used by OpenStack API endpoints to conduct user token verification without explicit calls to Keystone. We begin by explaining how clients connect to OpenStack.

OpenStack, APIs, and clients

So where does OpenStack begin and end? The users will say that it’s their cloud GUI or CLI. From the architectural perspective, however, OpenStack middleware ends on its API endpoints: nova-api, glance-api, and so on—they all expose their APIs over http. You can connect to these APIs using different clients. Clients can be either certified by a cloud vendor and deployed on its infrastructure (for example, a Horizon instance) or installed anywhere else (a python-novaclient installed on any laptop, pointing to a remote nova-api).

This boundary implies one important condition. Since the clients can reside anywhere, they cannot be trusted. Any request coming from them to any OpenStack API endpoint needs to be authenticated before it can be processed further.

Tokens—what they are and why you need them

So what do you have to do in this case? Does that mean you should supply each single API request with a username and password? Not so easy. Or maybe store them in some environment variables? Insecure. The answer to this is tokens. Tokens have one significant plus: they are temporary and short lived, which means it is safer to cache them on clients than username/password pairs.

In general, a token is a piece of data given to a user by Keystone upon providing a valid username/password combination. As said above, what is closely related to a token is its expiration date (which typically is hours or even minutes). The user client can cache the token and inject it into an OpenStack API request. The OpenStack API endpoints take the token out of user requests and validate it against the Keystone authentication backend, thereby confirming the legitimacy of the call.

We’ll now turn your attention to two token approaches—Universally Unique IDentifier (UUID) and Public Key Infrastructure (PKI) tokens—and their evolution, so to speak.

UUID tokens (Folsom and older)

The diagram below shows how tokens were originally generated by Keystone and then used by the client to “sign” every subsequent API request.

UUID token validation flow-3

Based on supplied username/password pair (we assume it’s correct in this scenario and on the diagram):

  • Keystone would:
    • Generate a UUID token.
    • Store the UUID token in its backend.
    • Send a copy of the UUID token back to the client.
  • The client would cache the token.
  • The UUID would be then passed along with each API call by the client.
  • Upon each user request, the API endpoint would send this UUID back to Keystone for validation.
  • Keystone would take the UUID and match it against its auth backend (check UUID string, expiration date).
  • Keystone would return “success” or “failure” message to the API endpoint.

As you can see from the above diagram, for each user call the API endpoints need to conduct online verification with the Keystone service. Imagine thousands of clients performing VM listings, network creation, and so on. This activity results in extensive traffic to the Keystone service. In fact, in production, Keystone proves to be one of the most loaded OpenStack services on the network side, but Grizzly gets rid of this problem quite nicely.

Enter PKI tokens.

PKI tokens (Grizzly and on)

The diagram below shows how token validation is performed with the new method introduced in OpenStack’s Grizzly release.

PKI token validation flow-1

In general terms, with PKI tokens, Keystone is becoming a Certificate Authority (CA). It uses its signing key and certificate to sign (not encrypt) the user token.

On top of that, each API endpoint holds a copy of Keystone’s:

  • Signing certificate
  • Revocation list
  • CA certificate

The API endpoints use these bits to validate the user requests. There is no need for direct request to Keystone with each validation. What is verified instead is the signature Keystone puts on the user token and Keystone’s revocation list. API endpoints use the above data to carry out this process offline.

PKI tokens under the hood

To use PKI tokens in Grizzly, we need to generate all the keys and certs. We can do that using the following command:

This command generates the following files:

  • CA private key
  • CA certificate
  • Signing private key
  • Signing certificate

Token generation and format

With PKI, Keystone now uses Cryptographic Message Syntax (CMS). Keystone produces CMS token out of the following data:

  • Service catalog
  • User roles
  • Metadata

An example of the input data follows:

The CMS token is just the above metadata in CMS format, signed with Keystone’s signing key. It typically takes the form of a lengthy, seemingly random string:

The command used for this is:

Token verification and expiration

As the diagram shows, PKI tokens enable Openstack API endpoints to conduct offline verification of token validity by checking Keystone’s signature.

Three things should be validated:

  • Token signature
  • Token expiration date
  • Whether the token has been deleted (revoked)
Checking token signature

In order to do check the signature, all of the API endpoints need Keystone certs. These files can be obtained directly from the Keystone Service:

If the API service cannot find these files on its local disk, it will automatically download them from Keystone. The following command is used to verify the signature on the token:

If the signature is valid, the above command returns the metadata contained in CMS, which is further consumed by the API endpoint.

Checking token expiration date

One of the extracted metadata fields is token’s expiration date, which is compared against current time.

Handling deleted tokens

The deletion of tokens is enforced by putting a given token onto a revocation list within the Keystone CA. By default, this list is being updated (pulled from Keystone) by API endpoints every second from the following URL:

The form of the list is a plain json file:

While “expires” field does not need further explanation, the “id” field looks somewhat cryptic. It is the md5 hash calculated out of the CMS user token: md5(cms_token). API endpoints also calculate md5 hashes out of CMS token received with user requests and search the matching md5-s on the “revoked” list. If no match is found, then the token is considered to be valid.

Summary

OpenStack API endpoints can use PKI tokens to conduct user token verification without explicit calls to Keystone. This can positively impact Keystone performance in the case of large installations where the number of user calls to OpenStack APIs can be overwhelming. One caveat, however: PKI does not guarantee privacy of the tokens. It is only used for signing, and not encryption. If you want to prevent tokens from being hijacked, you should secure all of the API endpoints using the HTTPS protocol.


OpenStackkeystone(用户认证)
weixin_42795092的博客
03-09 3247
1)管理用户及其权限2)维护OpenStack Services 的 Endpoint3)Authentication(认证)和 Authorization(授权)keystone的名词概念。
OpenStackUnderstanding OpenStack Authentication: Keystone PKI
代码改变世界
07-13 3055
文章转自mirantis,如需再次转载,请注明。 Understanding OpenStack Authentication: Keystone PKI by Bartek Kupidura July 10, 2013 The latest stable release of OpenStack, codenamed Grizzly, revolution
理解OpenStack认证:Keystone PKI
weixin_30258027的博客
04-29 278
原文链接:https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/ The latest stable release of OpenStack, codenamed Grizzly, revolutionizes the way user authentic...
用OpenSSL做自签名的证书(by quqi99)
技术并艺术着
08-19 4127
作者:张华 发表于:2014-04-18 版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明 (http://blog.youkuaiyun.com/quqi99 ) 注:csdn居然丢文章,这篇2014年的就丢了,这是从互联网上找到的其他网站的转载备份。 加密技术回顾 非对称加密算法如RSA的特点如下: 1, 公钥加密私钥解密, 大家都可以用我的公钥给我发加密的数据了, 因为只有我有私钥才能解密. 2, 私钥加密公钥解密叫数字签名(例如所谓的UEFI secure boot就是在
安装及配置keystone
weixin_34032827的博客
04-10 321
[9] Install Keystone # Install from EPEL OpenStack,EPEL [root@cloud01 ~]#yum –enablerepo=epel-openstack-grizzly,epel -y install openstack-keystone opens...
openstack之:keystone 学习总结记录
magices的博客
08-23 3683
在了解 keystone 之前,我们来简单介绍下用户身份校验大概有几种方式 广义认证方式简介 广义上讲,用户身份认证并不仅限于领域。广义上的身份识别技术有如下几种:静态密码、动态密码(短信密码、动态口令牌)、令牌、USB KEY、数字证书、生物识别技术。 在以上几种认证方式中,我们IT人员在数据中心通常能够遇到的是:静态密码、动态口令牌、数字证书、令牌认证(token)。 静态密码 在四种认证方式中,最常见的就是静态密码。如果要加强动态密码的安全性,通常是通过增加密码的复杂度,设置密码过期时间的方法。大多数
openstackkeystone介绍
查士丁尼绵_的博客
09-17 1659
KeystoneOpenStack的身份认证服务,提供用户管理、服务注册与RBAC权限控制等功能。其核心概念包括:domain(多租户隔离)、user(用户实体)、project(资源分组)、role(权限策略)和token(访问凭证)。Keystone支持三种认证方式(Token、外部、本地)和服务端点管理。RBAC通过policy文件实现权限控制,如限制非admin用户创建云硬盘。常用操作包括用户/服务的创建与管理,以及端点配置。以Nova创建实例为例,展示了KeystoneOpenStack组件间
【云计算】实验3:Keystone 组件
qq_45614178的博客
01-21 3009
云计算实验:Keystone 组件
Openstack身份服务Keystone深入剖析
本文全面介绍了OpenStack身份服务Keystone的架构、组件、部署配置、API使用和管理以及扩展与未来展望。文章首先概述了Keystone的基本概念和作用,然后详细分析了其系统架构和关键组件,并对认证机制、授权和令牌进行...
Keystone-manage 命令
weixin_34375054的博客
07-09 614
本文介绍Icehouse发行版的keystone-manage命令  keystone-manage是用来同keystone服务进行交互的命令行工具,通常该命令只用于不能通过HTTP API完成的操作,比如数据的import/export或数据库迁移等等。 用法 keystone-manage [options] action [additional args] action   ...
openstack glance连接认证keystone出现错误的一个解决思路
热门推荐
sfdst的博客
04-21 1万+
搭建好了keystone服务后,对自己本身的认证是成功的 说明keystone配置是正确的。 之后开始配置glance服务,配置好了,出现了如下报错。 [root@linux-node1 ~]# glance  image-list 503 Service Unavailable: The server is currently unavailable. Please try again a
创建自己的PKI公/私密钥对和公钥证书
weixin_34175509的博客
11-05 225
1. 创建certificate request configuration file cert_req.conf************************************************ [ req ] default_bits = 2048 default_keyfile = keystonekey.pem default_md = default p...
openstack kilo keystone token问题及性能优化
流金岁月的专栏
06-10 4458
1. 将token存放至memcached 由于token在每次访问都会产生,默认有效期是24小时,增长速度非常快,token表数据越来越多,很可能一天就产生几百MB的数据。这种情况下,可以考虑写个定时脚本清理token表。更好的方法是将token放到memcaced中,利用memcached特性,自动删除不使用的缓存,有关memcached的配置参考《ubuntu 14.04 memcache
2021-7-19-OpenStack基础知识学习
Yurliduan的博客
07-21 2674
OpenStack基础知识学习 参考文献:Wolf_Coder,百度百科 1,云计算 1.1,出现原因 由亚马逊公司提出。1.随着业务增加公司内部的服务器不够使用,进行虚拟化技术—》2.随着公司组织架构复杂,对虚拟化技术进行二次研发—》3.公司业务要求不同,没有一定的回收策略。虚拟化技术满足不了公司业务,开发一个云计算平台。 OpenStack:是由Rackspace和NASA(美国国家航空航天局)共同开发的云计算平台, 是一个开源的 IaaS(基础设施及服务)云计算平台,让任何人都可以自行建立和提供云端运
配置OpenStack各服务组件使用SSL通信(HTTPS)
Nicholas的专栏
09-19 2339
第1章 配置keystone组件使用SSL mkdir -p /root/ssl/private mkdir -p /root/ssl/certs 制作三个密钥证书文件 openssl genrsa -out /root/ssl/private/cakey.pem 1024 openssl req -new -x509 -extensions v3_ca -key /root/ssl/p...
pip 安装keystone_源码安装keystone,生成pki证书出错
weixin_29817791的博客
01-13 451
[root@linux-node1 keystone]# keystone-manage pki_setup --keystone-user root --keystone-group rootTraceback (most recent call last):File "/usr/bin/keystone-manage", line 37, infrom keystone import cliF...
[root@controller ~]# openstack endpoint list The request you have made requires authentication. (HTTP 401) (Request-ID: req-c1151a07-88ef-4718-a5b9-3365e11adb40) [root@controller ~]# [root@controller ~]# [root@controller ~]# [root@controller ~]# openstack endpoint list The request you have made requires authentication. (HTTP 401) (Request-ID: req-ed5f9b8c-92ac-4181-9ac0-b9735ad6a64d)
最新发布
05-04
<think>好的,我现在需要帮助用户解决两个问题:一是处理OpenStack命令的HTTP 401认证错误,二是删除环境变量中的某一行。首先,我得回顾之前的对话,确保信息连贯。 用户之前询问如何删除环境变量中的一行,我给出了详细的步骤,包括使用sed命令修改配置文件,并提醒备份和验证。现在用户再次提到删除环境变量,应该沿用之前的方法,但可能还需要考虑当前会话中的变量。 接下来是HTTP 401错误。用户提到运行`openstack endpoint list`时出现这个错误,通常与认证失效有关。根据用户提供的环境变量,比如OS_AUTH_URL、OS_USERNAME等,可能存在配置错误或过期的问题。我需要检查这些变量是否正确,特别是密码是否有效,项目名称是否正确,以及Keystone的端点是否可达。 引用中提到的PKI令牌可能相关,但用户的问题更基础,可能是简单的认证失败。需要验证环境变量是否正确设置,比如是否有拼写错误,比如OS_PROjGT_DOMAIN_NAME看起来可能应该是OS_PROJECT_DOMAIN_NAME。用户的环境变量输出中有typo,这可能是问题根源。 另外,用户可能没有正确source配置文件,或者环境变量被覆盖。需要指导用户检查现有变量,删除错误行,并重新加载配置。同时,建议使用`openstack token issue`测试认证,以缩小问题范围。 还要考虑Keystone服务本身的状态,是否正常运行,以及网络连接是否正常。可能需要用户检查服务状态和网络连通性。 总结来说,解决方案应包括纠正环境变量中的拼写错误,删除无效变量,重新认证,以及验证服务状态。同时,确保用户正确执行了删除环境变量的步骤,并应用到当前会话中。</think>### 分步解决方案:解决OpenStack认证错误并清理环境变量 #### 一、定位并修复HTTP 401认证错误(优先级高) **步骤1:验证当前环境变量** ```bash env | grep ^OS_ # 输出示例中暴露了配置错误:OS_PROjGT_DOMAIN_NAME应为OS_PROJECT_DOMAIN_NAME ``` *关键发现*:输出中存在`OS_PROjGT_DOMAIN_NAME=Default`,这是明显的拼写错误(正确变量名为`OS_PROJECT_DOMAIN_NAME`) **步骤2:纠正环境变量** ```bash # 删除错误变量行(根据您提供的环境变量示例) unset OS_PROjGT_DOMAIN_NAME # 添加正确变量(若需要) export OS_PROJECT_DOMAIN_NAME=Default ``` **步骤3:验证基础认证要素** ```bash # 必须存在的核心变量检查 echo $OS_AUTH_URL # 应返回http://controller:5000/v3 echo $OS_USERNAME # 应返回admin echo $OS_PASSWORD # 应返回openstack echo $OS_PROJECT_NAME # 应返回admin ``` **步骤4:测试API连通性** ```bash curl -v -X GET $OS_AUTH_URL 2>&1 | grep "HTTP/" # 验证Keystone端点可达性 # 预期输出:HTTP/1.1 200 OK 或 300 Multiple Choices ``` **步骤5:获取新token** ```bash openstack token issue # 若此命令仍报401错误,说明根本性认证失败 ``` #### 二、环境变量行删除操作(结合用户历史配置) **步骤1:定位错误变量行** 根据用户提供的环境变量输出: ```bash OS_PROjGT_DOMAIN_NAME=Default # 需要删除的错误行 OS_PROJECT_NAME=admin # 正确配置 ``` **步骤2:使用精准删除方法** ```bash # 删除拼写错误的行(支持多配置文件操作) sudo sed -i '/^OS_PROjGT_DOMAIN_NAME=/d' /etc/environment ~/.bashrc ~/.profile # 同时清理可能存在的其他错误变量 sed -i '/^OS_PROjGT_/d' ~/.bashrc # 通配符匹配 ``` **步骤3:立即生效配置** ```bash # 同时处理当前会话和持久化配置 unset OS_PROjGT_DOMAIN_NAME # 当前会话立即生效 source ~/.bashrc # 重新加载配置文件 ``` #### 三、认证故障深度排查 **场景1:密码过期(常见于企业环境)** ```bash # 尝试手动指定密码 openstack --os-password="openstack" endpoint list ``` **场景2:项目作用域错误** ```bash # 显式指定项目参数 openstack --os-project-name=admin --os-project-domain-name=Default endpoint list ``` **场景3:服务目录异常** ```bash # 检查Keystone服务状态 openstack service list | grep identity # 预期应显示keystone服务状态为enabled ``` #### 四、自动化修复脚本 创建`fix_openstack_auth.sh`: ```bash #!/bin/bash # 清理错误变量 sudo sed -i '/^OS_PROjGT_DOMAIN_NAME=/d' /etc/environment sed -i '/^OS_PROjGT_DOMAIN_NAME=/d' ~/.bashrc # 重置核心变量 cat >> ~/.bashrc <<EOF export OS_AUTH_URL=http://controller:5000/v3 export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=openstack EOF # 环境生效 source ~/.bashrc ``` #### 五、HTTPS强化配置(根据引用[1]建议) 若环境支持: ```bash # 修改认证端点为HTTPS export OS_AUTH_URL=https://controller:5000/v3 # 测试加密连接 openstack --insecure token issue # --insecure仅用于测试阶段 ``` *注*:生产环境需配置有效SSL证书,引用[1]指出PKI令牌需配合HTTPS保证安全性[^1] ### 技术原理图解 ``` 认证流程: 用户请求 -> 客户端(环境变量) -> Keystone(验证) -> 返回Token │ ▲ │(401错误可能出现在) │ ▼ │ API Endpoint <- Token验证 ``` *故障点*: 1. 环境变量错误(如拼写错误)导致凭证无法传递 2. Keystone服务不可达(网络/端口问题) 3. Token验证失败(密码错误/项目权限问题) ### 验证方法 ```bash # 综合验证命令 openstack --debug token issue 2>&1 | grep -E 'Auth|Request' # 正常输出应包含"Validating user credentials"和"Success"字样 ``` ### 引用文献说明 [^1]: PKI令牌机制虽然能提升Keystone性能,但需要配合HTTPS保证安全性,这与解决基础认证错误有间接关联 [^2]: 客户端配置要求中的"网络可达"和"正确凭据"是解决401错误的核心要点 [^3]: 服务进程启动参数验证可帮助排查Keystone自身问题,但本案例更可能由客户端配置引起
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值