4.9. 在 Controller 节点上安装和配置 Mellon

keycloak-httpd-client-install 工具执行配置 mod_auth_mellon 所需的许多步骤，并使其对 RH-SSO IdP 进行身份验证。在运行 mellon 的节点上运行 keycloak-httpd-client-install 工具。在本例中，mellon 在 overcloud 控制器上运行，保护 Identity 服务(keystone)。

注意

Red Hat OpenStack Platform 是具有多个 overcloud Controller 节点的高可用性部署，每个节点都运行相同的副本。因此，您必须在每个 Controller 节点上复制 mellon 配置。要做到这一点，在 controller-0 上安装和配置 mellon，并收集在 tar 文件中创建的 keycloak-httpd-client-install 工具的配置文件。使用 Object Storage (swift)将存档复制到每个 Controller，并在那里解压缩文件。

运行 RH-SSO 客户端安装：

ssh heat-admin@controller-0

  $ ssh heat-admin@controller-0
  $ dnf -y install keycloak-httpd-client-install
  $ sudo keycloak-httpd-client-install \
   --client-originate-method registration \
   --mellon-https-port $FED_KEYSTONE_HTTPS_PORT \
   --mellon-hostname $FED_KEYSTONE_HOST  \
   --mellon-root /v3 \
   --keycloak-server-url $FED_RHSSO_URL  \
   --keycloak-admin-password  $FED_RHSSO_ADMIN_PASSWORD \
   --app-name v3 \
   --keycloak-realm $FED_RHSSO_REALM \
   -l "/v3/auth/OS-FEDERATION/websso/mapped" \
   -l "/v3/auth/OS-FEDERATION/identity_providers/rhsso/protocols/mapped/websso" \
   -l "/v3/OS-FEDERATION/identity_providers/rhsso/protocols/mapped/auth"

Copy to Clipboard

Toggle word wrap

注意

您可以使用 configure-federation 脚本执行上述步骤： $ ./configure-federation client-install

客户端 RPM 安装后，您应该看到类似如下的输出：

  [Step  1] Connect to Keycloak Server
  [Step  2] Create Directories
  [Step  3] Set up template environment
  [Step  4] Set up Service Provider X509 Certificates
  [Step  5] Build Mellon httpd config file
  [Step  6] Build Mellon SP metadata file
  [Step  7] Query realms from Keycloak server
  [Step  8] Create realm on Keycloak server
  [Step  9] Query realm clients from Keycloak server
  [Step 10] Get new initial access token
  [Step 11] Creating new client using registration service
  [Step 12] Enable saml.force.post.binding
  [Step 13] Add group attribute mapper to client
  [Step 14] Add Redirect URIs to client
  [Step 15] Retrieve IdP metadata from Keycloak server
  [Step 16] Completed Successfully

  [Step  1] Connect to Keycloak Server
  [Step  2] Create Directories
  [Step  3] Set up template environment
  [Step  4] Set up Service Provider X509 Certificates
  [Step  5] Build Mellon httpd config file
  [Step  6] Build Mellon SP metadata file
  [Step  7] Query realms from Keycloak server
  [Step  8] Create realm on Keycloak server
  [Step  9] Query realm clients from Keycloak server
  [Step 10] Get new initial access token
  [Step 11] Creating new client using registration service
  [Step 12] Enable saml.force.post.binding
  [Step 13] Add group attribute mapper to client
  [Step 14] Add Redirect URIs to client
  [Step 15] Retrieve IdP metadata from Keycloak server
  [Step 16] Completed Successfully

Copy to Clipboard

Toggle word wrap

4.9. 在 Controller 节点上安装和配置 Mellon

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links