محمد زارع
2 min read · 6 months ago

Installing OpenStack with DevStack and connecting it to Keycloak

The local.conf file:

[[local|localrc]]
DATABASE_PASSWORD=secret
ADMIN_PASSWORD=secret
SERVICE_PASSWORD=secret
RABBIT_PASSWORD=secret
IP_VERSION=4

Install DevStack with this configuration.

Log in to Horizon and create a project named sso. Also create a group named sso and make it a member of the sso project.

openstack identity provider create --remote-id https://keycloak.example.ir/realms/Mpaas --domain default sso
openstack mapping create --rules rules.json sso_oidc_mapping
openstack federation protocol create --identity-provider sso --mapping sso_oidc_mapping openid

The rules.json file must look like this:

[
  {
    "local": [
      {
        "user": { "name": "{0}" },
        "group": {
          "name": "sso",
          "domain": { "name": "default" }
        }
      }
    ],
    "remote": [
      { "type": "OIDC-preferred_username" }
    ]
  }
]

Next, add the following values to /etc/keystone/keystone.conf:

[auth]
methods = external,password,token,mapped,openid

[openid]
remote_id_attribute = HTTP_OIDC_ISS

[federation]
trusted_dashboard = https://iaas.example.ir/api/openstack/skyline/api/v1/websso
remote_id_attribute = HTTP_OIDC_ISS
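The two settings above decide whether a Keycloak login is accepted: remote_id_attribute = HTTP_OIDC_ISS makes Keystone compare the token's iss claim with the identity provider's --remote-id, and only then is rules.json applied. The following is an added example, not code from the post or from Keystone; it imitates both checks on a constructed mod_auth_openidc environment (the hypothetical user "alice", the functions find_idp and apply_mapping, and the simplified mapping engine are all assumptions made here).

```python
import json

# Constructed: the IdP registered with --remote-id above, the rules from
# rules.json, and the environment mod_auth_openidc exports (OIDCClaimPrefix
# "OIDC-", HTTP_OIDC_ISS) for a hypothetical user "alice".
IDP_REMOTE_IDS = {"sso": ["https://keycloak.example.ir/realms/Mpaas"]}
RULES = json.loads("""[{"local": [{"user": {"name": "{0}"},
  "group": {"name": "sso", "domain": {"name": "default"}}}],
  "remote": [{"type": "OIDC-preferred_username"}]}]""")
SAMPLE_ENV = {
    "HTTP_OIDC_ISS": "https://keycloak.example.ir/realms/Mpaas",
    "OIDC-preferred_username": "alice",
}

def find_idp(env, remote_id_attribute="HTTP_OIDC_ISS"):
    """Keystone selects the IdP whose --remote-id equals the value of
    remote_id_attribute (the token's iss claim); with no match the
    assertion is rejected before any mapping runs."""
    issuer = env.get(remote_id_attribute)
    for idp, remote_ids in IDP_REMOTE_IDS.items():
        if issuer in remote_ids:
            return idp
    raise ValueError(f"issuer {issuer!r} is not a registered remote-id")

def _render(obj, values):
    """Substitute {0}, {1}, ... into every string of a rule's 'local' part."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, values) for v in obj]
    return obj

def apply_mapping(rules, env):
    """Simplified imitation of the keystone mapping engine: a rule matches
    when every 'remote' attribute is present (and, if any_one_of is given,
    has one of those values); the first match's 'local' part is returned."""
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if value is None or value not in remote.get("any_one_of", [value]):
                break  # claim missing or not allowed: try the next rule
            values.append(value)
        else:
            return _render(rule["local"], values)
    return None  # no rule matched: keystone would deny the login
```

If the issuer the realm advertises in its openid-configuration differs from the registered --remote-id (for example a different hostname), find_idp raises, which is the same outcome Keystone produces when the assertion's issuer is not among the identity provider's remote IDs.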

Then add the following values to /opt/stack/horizon/openstack_dashboard/local/local_settings.py:

WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
    ("openid", _("Authenticate Externally")),
)

The /etc/apache2/sites-enabled/horizon.conf file will look like this:

<VirtualHost *:80>
    WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi.py
    WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
    WSGIApplicationGroup %{GLOBAL}
    SetEnv APACHE_RUN_USER stack
    SetEnv APACHE_RUN_GROUP stack
    WSGIProcessGroup horizon

    DocumentRoot /opt/stack/horizon/.blackhole/
    Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
    Alias /dashboard/static /opt/stack/horizon/static

    RedirectMatch "^/$" "/dashboard/"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /opt/stack/horizon/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 uses mod_authz_host for access control now (instead of
        # "Allow")
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/horizon_error.log
    LogLevel warn
    CustomLog /var/log/apache2/horizon_access.log combined

    # Configure OIDC
    # The two *SSLValidateServer Off lines disable TLS certificate checking
    # towards the IdP; they are only acceptable in a lab setup.
    OIDCSSLValidateServer Off
    OIDCOAuthSSLValidateServer Off
    OIDCCookieSameSite On
    OIDCPKCEMethod "S256"
    OIDCOAuthClientID keystone
    OIDCOAuthClientSecret 9Bnci8fIcspdDh0doMGvDrRze0Dywjcp
    OIDCOAuthVerifyJwksUri https://sso.example.ir/realms/Mpaas/protocol/openid-connect/certs
    OIDCClaimPrefix "OIDC-"
    #OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCRemoteUserClaim preferred_username
    OIDCProviderMetadataURL https://sso.example.ir/realms/Mpaas/.well-known/openid-configuration
    OIDCClientID keystone
    OIDCClientSecret 9Bnci8fIcspdDh0doMGvDrRze0Dywjcp
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://192.168.1.3/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth
    OIDCRedirectURI http://192.168.1.3/identity/v3/auth/OS-FEDERATION/websso
    OIDCRedirectURI http://192.168.1.3/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso

    # For keystone
    <LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
        AuthType oauth20
        Require valid-user
        LogLevel debug
    </LocationMatch>

    # For horizon
    <Location ~ "/identity/v3/auth/OS-FEDERATION/websso/openid">
        AuthType openid-connect
        Require valid-user
        LogLevel debug
    </Location>
    <Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

WSGIPythonHome /opt/stack/data/venv
WSGISocketPrefix /var/run/apache2

Restart the apache and keystone services, and that's it.
