Using and configuring the stack domain in Heat

2014-07-02 Lingxian Kong

Original link: https://lingxiankong.github.io/2014-07-02-heat-stack-domain.html


The stack domain solves the following problems:

  • Authenticating requests made to the Heat service from inside a virtual machine (for example, a resource signalling back to Heat).
  • Because it is implemented with a Keystone domain, the users Heat creates are invisible to non-administrators.
  • The permissions of the users Heat creates are isolated from the rest of the cloud.

The configuration steps are as follows:
1. Install python-openstackclient, because the keystone command-line client does not support the Identity v3 API and never will; see the discussion here.
2. Create the domain

UVP:/home/kong # openstack --os-token 2012 --os-url=http://172.25.150.8:5000/v3 --os-identity-api-version=3 domain create heat --description "Owns users and projects created by heat"
+-------------+------------------------------------------------------------------------------------+
| Field       | Value                                                                              |
+-------------+------------------------------------------------------------------------------------+
| description | Owns users and projects created by heat                                            |
| enabled     | True                                                                               |
| id          | a660f3993095439d9abe9aa52ae3929e                                                   |
| links       | {u'self': u'http://172.25.150.8:5000/v3/domains/a660f3993095439d9abe9aa52ae3929e'} |
| name        | heat                                                                               |
+-------------+------------------------------------------------------------------------------------+

3. Create the domain administrator and grant it the admin role on the domain

UVP:/home/kong # openstack --os-token 2012 --os-url=http://172.25.150.8:5000/v3 --os-identity-api-version=3 user create --password passwd --domain a660f3993095439d9abe9aa52ae3929e heat_domain_admin --description "Manages users and projects created by heat"
+-------------+----------------------------------------------------------------------------------+
| Field       | Value                                                                            |
+-------------+----------------------------------------------------------------------------------+
| description | Manages users and projects created by heat                                       |
| domain_id   | a660f3993095439d9abe9aa52ae3929e                                                 |
| enabled     | True                                                                             |
| id          | c177ddec383d44d2879d3687fa7b0e4c                                                 |
| links       | {u'self': u'http://172.25.150.8:5000/v3/users/c177ddec383d44d2879d3687fa7b0e4c'} |
| name        | heat_domain_admin                                                                |
+-------------+----------------------------------------------------------------------------------+
UVP:/home/kong # openstack --os-token 2012 --os-url=http://172.25.150.8:5000/v3 --os-identity-api-version=3 role add --user c177ddec383d44d2879d3687fa7b0e4c --domain a660f3993095439d9abe9aa52ae3929e admin

4. Create the role (the v2 keystone CLI is enough here, because roles are not tied to a domain)

UVP:/home/kong # keystone role-create --name heat_stack_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 5e40547550d840e5a31e973b45f9a022 |
|   name   |         heat_stack_user          |
+----------+----------------------------------+

5. Configure Heat, in the [DEFAULT] section of heat.conf

stack_domain_admin = heat_domain_admin
stack_domain_admin_password = passwd
stack_user_domain = a660f3993095439d9abe9aa52ae3929e

This password gives admin rights over every user and project Heat creates, so heat.conf must stay readable only by the heat service user. In later Heat releases stack_user_domain was split into stack_user_domain_id and stack_user_domain_name; the option name above is the one of this (Icehouse-era) release.

With this in place, when Heat creates a stack resource that needs such credentials (for example a WaitConditionHandle), it uses the stack_domain_admin credentials to create a project in the stack user domain (associated with the stack and stored in the stack's stack_user_project_id attribute), and then creates a user in that project (stored in the resource's user_id field). The role granted to that user is set by the heat_stack_user_role option, which defaults to heat_stack_user.
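The five steps above, and the check of what Heat then creates for a stack, as one script. This is an added example, not code from the original post or from the Heat project. It assumes a current python-openstackclient with OS_TOKEN and OS_URL exported for the bootstrap token (the post's --os-token/--os-url flags), a STACK_DOMAIN_ADMIN_PASSWORD variable for the domain admin's password (the post uses "passwd"), and that the openstack stack command is available from python-heatclient's OSC plugin; the names heat, heat_domain_admin and heat_stack_user are the post's. Ids are captured with -f value -c id rather than copied from tables by hand, every create is a create-or-reuse so the script can be re-run, and the domain admin is verified by issuing a domain-scoped token before the heat.conf fragment is printed.

```shell
#!/bin/sh
# Added example, not from the original post: scripts steps 1-5 above and then
# inspects what Heat created for a stack. Assumptions (not in the post):
#   - OS_TOKEN and OS_URL are exported for a bootstrap/admin token, matching the
#     post's --os-token/--os-url flags (OS_URL is the v3 endpoint);
#   - STACK_DOMAIN_ADMIN_PASSWORD is exported (the post uses "passwd");
#   - "openstack stack show" comes from python-heatclient's OSC plugin.
set -eu

DOMAIN_NAME="${DOMAIN_NAME:-heat}"
ADMIN_NAME="${ADMIN_NAME:-heat_domain_admin}"
ROLE_NAME="${ROLE_NAME:-heat_stack_user}"

# All Identity calls go through v3; "-f value -c id" yields the bare id instead
# of a table to copy by hand.
os() { openstack --os-identity-api-version=3 "$@"; }

# Create-or-reuse helpers, so re-running the script is harmless.
ensure_domain() {
    os domain show -f value -c id "$1" 2>/dev/null ||
        os domain create -f value -c id \
            --description "Owns users and projects created by heat" "$1"
}
ensure_user() { # $1 domain id, $2 user name, $3 password
    os user show -f value -c id --domain "$1" "$2" 2>/dev/null ||
        os user create -f value -c id --domain "$1" --password "$3" \
            --description "Manages users and projects created by heat" "$2"
}
ensure_role() {
    os role show -f value -c id "$1" 2>/dev/null ||
        os role create -f value -c id "$1"
}

# The heat.conf [DEFAULT] fragment from step 5, rendered from the real ids.
heat_conf_fragment() { # $1 admin user name, $2 password, $3 domain id
    printf '%s\n' "[DEFAULT]" \
        "stack_domain_admin = $1" \
        "stack_domain_admin_password = $2" \
        "stack_user_domain = $3"
}

provision() {
    pw="${STACK_DOMAIN_ADMIN_PASSWORD:?export STACK_DOMAIN_ADMIN_PASSWORD first}"
    dom=$(ensure_domain "$DOMAIN_NAME")
    adm=$(ensure_user "$dom" "$ADMIN_NAME" "$pw")
    os role add --user "$adm" --domain "$dom" admin
    ensure_role "$ROLE_NAME" >/dev/null
    # Check that the domain admin really gets a domain-scoped token, which is
    # what Heat will use; the bootstrap token must not leak into this call.
    auth_url="$OS_URL"
    ( unset OS_TOKEN OS_URL
      openstack --os-auth-url "$auth_url" --os-identity-api-version=3 \
          --os-username "$ADMIN_NAME" --os-password "$pw" \
          --os-user-domain-id "$dom" --os-domain-id "$dom" \
          token issue -f value -c id ) >/dev/null
    heat_conf_fragment "$ADMIN_NAME" "$pw" "$dom"
}

# After a stack with e.g. a WaitConditionHandle exists: show the project Heat
# created in the stack domain and the users and roles inside it.
inspect_stack() { # $1 stack name or id
    proj=$(openstack stack show -f value -c stack_user_project_id "$1")
    os project show --domain "$DOMAIN_NAME" "$proj"
    os role assignment list --project "$proj" --names
}

case "${1:-}" in
    provision) provision ;;
    inspect)   inspect_stack "${2:?stack name}" ;;
esac
```

Run it as `sh stack_domain.sh provision` to create the domain, admin and role and print the fragment to append to heat.conf, then, after creating a stack that contains a WaitConditionHandle, `sh stack_domain.sh inspect <stack>` to see the per-stack project and the heat_stack_user assignment that the explanation above describes. The domain-scoped token issue is the check that the admin role assignment actually took effect; if it fails, Heat would fail the same way when it tries to create the stack's project.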


Reference:
http://hardysteven.blogspot.com/2014/04/heat-auth-model-updates-part-2-stack.html