Este conteúdo não está disponível no idioma selecionado.
Chapter 2. Identity Management Integration
When you plan your OpenStack Identity integration with Red Hat Identity Manager (IdM), ensure that both services are configured and operational and review the impact of the integration on user management and firewall settings. Red Hat Identity Manager IdM depends on SRV records to do load balancing. You should not put a load balancer in front of IdM.
- Prerequisites
- Red Hat Identity Management is configured and operational.
- Red Hat OpenStack Platform is configured and operational.
- DNS name resolution is fully functional and all hosts are registered appropriately.
 
- Permissions and roles
- This integration allows IdM users to authenticate to OpenStack and access resources. OpenStack service accounts (such as keystone and glance), and authorization management (permissions and roles) will remain in the Identity Service database. Permissions and roles are assigned to the IdM accounts using Identity Service management tools.
- High availability options
- This configuration creates a dependency on the availability of a single IdM server: Project users will be affected if Identity Service is unable to authenticate to the IdM Server. It is not recommended to place a load balancer in front of IdM, however you can configure keystone to query a different IdM server, should one become unavailable.
- Outage requirements
- The Identity Service will need to be restarted in order to add the IdM back end.
- Users will be unable to access the dashboard until their accounts have been created in IdM. To reduce downtime, consider pre-staging the IdM accounts well in advance of this change.
 
- Firewall configuration
- Communication between IdM and OpenStack consists of the following: - Authenticating users
- IdM retrieval of the certificate revocation list (CRL) from the controllers every two hours
- Certmonger requests for new certificates upon expiration
 
A periodic certmonger task will continue to request new certificates if the initial request fails.
If firewalls are filtering traffic between IdM and OpenStack, you will need to allow access through the following port:
+
| Source | Destination | Type | Port | 
| OpenStack Controller Node | Red Hat Identity Management | LDAPS | TCP 636 | 
2.1. Configure the IdM server
Run these commands on the IdM server:
- Create the LDAP lookup account. This account is used by Identity Service to query the IdM LDAP service: - kinit admin ipa user-add - # kinit admin # ipa user-add First name: OpenStack Last name: LDAP User [radministrator]: svc-ldap- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Review the password expiration settings of this account, once created. 
- Create a group for OpenStack users, called grp-openstack. Only members of this group can have permissions assigned in OpenStack Identity. - ipa group-add --desc="OpenStack Users" grp-openstack - # ipa group-add --desc="OpenStack Users" grp-openstack- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set the svc-ldap account password, and add it to the grp-openstack group: - ipa passwd svc-ldap ipa group-add-member --users=svc-ldap grp-openstack - # ipa passwd svc-ldap # ipa group-add-member --users=svc-ldap grp-openstack- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Login as svc-ldap user and perform the password change when prompted: - kinit svc-ldap - # kinit svc-ldap- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2. Configure the LDAPS certificate
					When using multiple domains for LDAP authentication, you might receive various errors, such as Unable to retrieve authorized projects, or Peer's Certificate issuer is not recognized. This can arise if keystone uses the incorrect certificate for a certain domain. As a workaround, merge all of the LDAPS public keys into a single .crt bundle, and configure all of your keystone domains to use this file.
				
- In your IdM environment, locate the LDAPS certificate. This file can be located using /etc/openldap/ldap.conf: - TLS_CACERT /etc/ipa/ca.crt - TLS_CACERT /etc/ipa/ca.crt- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the file to the OpenStack node that runs the keystone service. For example, this command uses scp to copy ca.crt to the node named node.lab.local: - scp /etc/ipa/ca.crt root@node.lab.local:/root/ - # scp /etc/ipa/ca.crt root@node.lab.local:/root/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- On the OpenStack node, convert the .crt to .pem: - openssl x509 -in ca.crt -out ca.pem -outform PEM - # openssl x509 -in ca.crt -out ca.pem -outform PEM- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the .crt to the certificate directory. This is the location that the keystone service will use to access the certificate: - cp ca.crt /etc/pki/ca-trust/source/anchors - # cp ca.crt /etc/pki/ca-trust/source/anchors- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
					Optionally, if you need to run diagnostic commands, such as ldapsearch, you will also need to add the certificate to the RHEL certificate store. For example:
				
cp ca.pem /etc/pki/ca-trust/source/anchors/ update-ca-trust
# cp ca.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust2.3. Configure Identity Service
These steps prepare Identity Service for integration with IdM.
					If you are using director, note that the configuration files referenced below are managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the openstack overcloud deploy process. To apply these settings to director-based deployments, see Chapter 4, Using domain-specific LDAP backends with director.
				
2.3.1. Configure the controller
If you intend to update any configuration files, you need to be aware that certain OpenStack services now run within containers; this applies to keystone, nova, and cinder, among others. As a result, there are certain administration practices to consider:
- 
								Do not update any configuration file you might find on the physical node’s host operating system, for example, /etc/cinder/cinder.conf. This is because the containerized service does not reference this file.
- Do not update the configuration file running within the container. This is because any changes are lost once you restart the container. - Instead, if you need to add any changes to containerized services, you will need to update the configuration file that is used to generate the container. These are stored within - /var/lib/config-data/puppet-generated/- For example: 
- 
								keystone: /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
- 
								cinder: /var/lib/config-data/puppet-generated/cinder/etc/cinder/cinder.conf
- nova: - /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf- Any changes will then be applied once you restart the container. For example: - sudo docker restart keystone
Perform this procedure on the controller running the keystone service:
- Configure SELinux: - setsebool -P authlogin_nsswitch_use_ldap=on - # setsebool -P authlogin_nsswitch_use_ldap=on- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output might include messages similar to this. They can be ignored: - Full path required for exclude: net:[4026532245]. - Full path required for exclude: net:[4026532245].- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the domains directory: - mkdir /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/ chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/ - # mkdir /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/ # chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure Identity Service to use multiple back ends: Note- You might need to install - crudiniusing- yum install crudini.- crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_specific_drivers_enabled true crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf assignment driver sql - # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_specific_drivers_enabled true # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains # crudini --set /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf assignment driver sql- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If you are using director, note that - /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.confis managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the- openstack overcloud deployprocess. As a result, you might need to re-add this configuration manually each time. For director-based deployments, see Chapter 4, Using domain-specific LDAP backends with director.
- Enable multiple domains in dashboard. Add these lines to /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings: - OPENSTACK_API_VERSIONS = { "identity": 3 } OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'- OPENSTACK_API_VERSIONS = { "identity": 3 } OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If you are using director, note that - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settingsis managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the- openstack overcloud deployprocess. As a result, you might need to re-add this configuration manually each time.- Restart the horizon container to apply the settings: - sudo docker restart horizon - $ sudo docker restart horizon- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure an additional back end: - Create the keystone domain for IdM integration. You will need to decide on a name to use for your new keystone domain, and then create the domain. For example, this command creates a keystone domain named - LAB:- openstack domain create LAB - $ openstack domain create LAB- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the configuration file: - To add the IdM back end, enter the LDAP settings in a new file called - /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf(where- LABis the domain name created previously). You will need to edit the sample settings below to suit your IdM deployment:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Explanation of each setting: - Expand - Setting - Description - url- The IdM server to use for authentication. Uses LDAPS port - 636.- user- The account in IdM to use for LDAP queries. - password- The plaintext password of the IdM account used above. - user_filter- Filters the users presented to Identity Service. As a result, only members of the grp-openstack group can have permissions defined in Identity Service. - user_tree_dn- The path to the OpenStack accounts in IdM. - user_objectclass- Defines the type of LDAP user. For IdM, use the - inetUsertype.- user_id_attribute- Maps the IdM value to use for user IDs. - user_name_attribute- Maps the IdM value to use for names. - user_mail_attribute- Maps the IdM value to use for user email addresses. - user_pass_attribute- Leave this value blank. Note- Integration with an IdM group will only return direct members, and not nested groups. As a result, queries that rely on - LDAP_MATCHING_RULE_IN_CHAINor- memberof:1.2.840.113556.1.4.1941:will not currently work with IdM.
 
- Change ownership of the config file to the keystone user: - chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf - # chown 42425:42425 /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains/keystone.LAB.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Grant the admin user access to the domain: Note- This does not grant the OpenStack admin account any permissions in IdM. In this case, the term domain refers to OpenStack’s usage of the keystone domain. - Get the - IDof the LAB domain:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get the - IDvalue of the admin user:- openstack user list --domain default | grep admin - $ openstack user list --domain default | grep admin | 3d75388d351846c6a880e53b2508172a | admin |- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get the - IDvalue of the admin role:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the returned domain and admin IDs to construct the command that adds the admin user to the admin role of the keystone LAB domain: - openstack role add --domain 6800b0496429431ab1c4efbb3fe810d4 --user 3d75388d351846c6a880e53b2508172a 785c70b150ee4c778fe4de088070b4cf - $ openstack role add --domain 6800b0496429431ab1c4efbb3fe810d4 --user 3d75388d351846c6a880e53b2508172a 785c70b150ee4c778fe4de088070b4cf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Restart the keystone service to apply the changes: - sudo docker restart keystone - $ sudo docker restart keystone- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the list of users in the IdM domain by adding the keystone domain name to the command: - openstack user list --domain LAB - $ openstack user list --domain LAB- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the service accounts in the local keystone database: - openstack user list --domain default - $ openstack user list --domain default- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.3.2. Allow IdM group members to access Projects
To allow authenticated users access to OpenStack resources, the recommended method is to authorize certain IdM groups to grant access to Projects. This saves the OpenStack administrators from having to allocate each user to a role in a Project. Instead, the IdM groups are granted roles in Projects. As a result, IdM users that are members of these IdM groups will be able to access pre-determined Projects.
If you would prefer to manually manage the authorization of individual IdM users, see the Section 2.3.3, “Allow IdM users to access Projects”.
This section presumes that the IdM administrator has already completed these steps:
- 
							Create a group named grp-openstack-adminin IdM.
- 
							Create a group named grp-openstack-demoin IdM.
- Add your IdM users to one of the above groups, as needed.
- 
							Add your IdM users to the grp-openstackgroup.
- 
							Have a designated project in mind. This example uses a project called demo, created usingopenstack project create --domain default --description "Demo Project" demo.
These steps assign a role to an IdM group. Group members will then have permission to access OpenStack resources.
- Retrieve a list of IdM groups: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve a list of roles: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Grant the IdM groups access to Projects by adding them to one or more of these roles. For example, if you want users in the - grp-openstack-demogroup to be general users of the- demoproject, you must add the group to the- _member_role:- openstack role add --project demo --group d971bb3bd5e64a454cbd0cc7af4c0773e78d61b5f81321809f8323216938cae8 _member_ - $ openstack role add --project demo --group d971bb3bd5e64a454cbd0cc7af4c0773e78d61b5f81321809f8323216938cae8 _member_- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
					As a result, members of grp-openstack-demo are able to log in to the dashboard by entering their IdM username and password, when also entering LAB in the Domain field:
				
						If users receive the error Error: Unable to retrieve container list., and expect to be able to manage containers, then they must be added to the SwiftOperator role.
					
2.3.3. Allow IdM users to access Projects
					IdM users that are members of the grp-openstack IdM group can be granted permission to log in to a Project in the dashboard:
				
- Retrieve a list of IdM users: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve a list of roles: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Grant users access to Projects by adding them to one or more of these roles. For example, if you want - user1to be a general user of the- demoproject, you add them to the- memberrole:- openstack role add --project demo --user 1f24ec1f11aeb90520079c29f70afa060d22e2ce92b2eba7784c841ac418091e _member_ - # openstack role add --project demo --user 1f24ec1f11aeb90520079c29f70afa060d22e2ce92b2eba7784c841ac418091e _member_- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Or, if you want - user1to be an administrative user of the- demoproject, you add them to the- adminrole:- openstack role add --project demo --user 1f24ec1f11aeb90520079c29f70afa060d22e2ce92b2eba7784c841ac418091e admin - # openstack role add --project demo --user 1f24ec1f11aeb90520079c29f70afa060d22e2ce92b2eba7784c841ac418091e admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - As a result, - user1is able to log in to the dashboard by entering their IdM username and password, when also entering- LABin the- Domainfield:
						If users receive the error Error: Unable to retrieve container list., and expect to be able to manage containers, then they must be added to the SwiftOperator role.
					
2.4. Grant access to the Domain tab
				To allow the admin user to see the Domain tab, you will need to assign it the admin role in the default domain:
			
- Find the - adminuser’s UUID:- openstack user list | grep admin - $ openstack user list | grep admin | a6a8adb6356f4a879f079485dad1321b | admin |- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the - adminrole in the- defaultdomain to the- adminuser:- openstack role add --domain default --user a6a8adb6356f4a879f079485dad1321b admin - $ openstack role add --domain default --user a6a8adb6356f4a879f079485dad1321b admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - As a result, the - adminuser can now see the- Domaintab.
2.5. Creating a new project
				After you have completed these integration steps, when you create a new project you will need to decide whether to create it in the Default domain, or in the keystone domain you’ve just created. This decision can be reached by considering your workflow, and how you administer user accounts. The Default domain can be be thought of as an internal domain, used for service accounts and the admin project, so it might make sense for your AD-backed users to be placed within a different keystone domain; this does not strictly need to be the same keystone domain as the IdM users are in, and for separation purposes, there might be multiple keystone domains.
			
2.5.1. Changes to the dashboard log in process
					Configuring multiple domains in Identity Service enables a new Domain field in the dashboard login page.
 Users are expected to enter the domain that matches their login credentials. This field must be manually filled with one of the domains present in keystone. Use the openstack command to list the available entries.
				
					In this example, IdM accounts will need to specify the LAB domain. The built-in keystone accounts, such as admin, must specify Default as their domain:
				
2.5.2. Changes to the command line
					For certain commands, you might need to specify the applicable domain. For example, appending --domain LAB in this command returns users in the LAB domain (that are members of the grp-openstack group):
				
openstack user list --domain LAB
$ openstack user list --domain LAB
					Appending --domain Default returns the built-in keystone accounts:
				
openstack user list --domain Default
$ openstack user list --domain Default2.5.3. Test IdM integration
This procedure validates IdM integration by testing user access to dashboard features:
- 
							Create a test user in IdM, and add the user to the grp-openstackIdM group.
- 
							Add the user to the _member_role of thedemotenant.
- Log in to the dashboard using the credentials of the IdM test user.
- Click on each of the tabs to confirm that they are presented successfully without error messages.
- Use the dashboard to build a test instance.
If you experience issues with these steps, perform steps 3-5 with the built-in admin account. If successful, this demonstrates that OpenStack is still working as expected, and that an issue exists somewhere within the IdM ←→ Identity integration settings. See Section 2.7, “Troubleshooting”.
2.6. Create a RC file for a non-admin user
You might need to create a RC file for a non-admin user. For example:
2.7. Troubleshooting
2.7.1. Test LDAP connections
Use ldapsearch to remotely perform test queries against the IdM server. A successful result here indicates that network connectivity is working, and the IdM services are up. In this example, a test query is performed against the server idm.lab.local on port 636:
ldapsearch -D "cn=directory manager" -H ldaps://idm.lab.local:636 -b "dc=lab,dc=local" -s sub "(objectclass=*)" -w RedactedComplexPassword
# ldapsearch -D "cn=directory manager" -H ldaps://idm.lab.local:636 -b "dc=lab,dc=local" -s sub "(objectclass=*)" -w RedactedComplexPassword
						ldapsearch is a part of the openldap-clients package. You can install this using # yum install openldap-clients.
					
2.7.2. Test port access
Use nc to check that the LDAPS port (636) is remotely accessible. In this example, a probe is performed against the server idm.lab.local. Press ctrl-c to exit the prompt.
nc -v idm.lab.local 636
# nc -v idm.lab.local 636
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.200.10:636.
^CFailure to establish a connection could indicate a firewall configuration issue.
