4.9. Installing and configuring Mellon on the Controller nodes
The keycloak-httpd-client-install tool performs many of the steps needed to configure mod_auth_mellon and have it authenticate against the RH-SSO IdP. Run the keycloak-httpd-client-install tool on the node where mellon runs. In this example, mellon runs on the overcloud controllers and protects the Identity service (keystone).
Note
Red Hat OpenStack Platform is a high-availability deployment with multiple overcloud Controller nodes, each running an identical copy. You must therefore replicate the mellon configuration on every Controller node. To do this, install and configure mellon on controller-0 and collect the configuration files that the keycloak-httpd-client-install tool creates into a tar file. Use Object Storage (swift) to copy the archive to each Controller and unpack the files there.
Run the RH-SSO client installation:
$ ssh heat-admin@controller-0
$ dnf -y install keycloak-httpd-client-install
$ sudo keycloak-httpd-client-install \
    --client-originate-method registration \
    --mellon-https-port $FED_KEYSTONE_HTTPS_PORT \
    --mellon-hostname $FED_KEYSTONE_HOST \
    --mellon-root /v3 \
    --keycloak-server-url $FED_RHSSO_URL \
    --keycloak-admin-password $FED_RHSSO_ADMIN_PASSWORD \
    --app-name v3 \
    --keycloak-realm $FED_RHSSO_REALM \
    -l "/v3/auth/OS-FEDERATION/websso/mapped" \
    -l "/v3/auth/OS-FEDERATION/identity_providers/rhsso/protocols/mapped/websso" \
    -l "/v3/OS-FEDERATION/identity_providers/rhsso/protocols/mapped/auth"
Note: You can use the configure-federation script to perform the above steps:
$ ./configure-federation client-install
After the client RPM is installed, you should see output similar to the following:
[Step 1] Connect to Keycloak Server
[Step 2] Create Directories
[Step 3] Set up template environment
[Step 4] Set up Service Provider X509 Certificates
[Step 5] Build Mellon httpd config file
[Step 6] Build Mellon SP metadata file
[Step 7] Query realms from Keycloak server
[Step 8] Create realm on Keycloak server
[Step 9] Query realm clients from Keycloak server
[Step 10] Get new initial access token
[Step 11] Creating new client using registration service
[Step 12] Enable saml.force.post.binding
[Step 13] Add group attribute mapper to client
[Step 14] Add Redirect URIs to client
[Step 15] Retrieve IdP metadata from Keycloak server
[Step 16] Completed Successfully
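The following is an added example, not part of the Red Hat documentation or the configure-federation script: a POSIX shell pre-flight check for the FED_* variables the command above consumes (they reach the IdP over the network and carry the admin password, so the URL is required to be HTTPS), plus a check that the tool's output reached step 16 before the configuration is archived for the other Controllers. The variable names and step strings are those on the page; the sample output and values in the test are constructed.

```shell
#!/bin/sh
# Added example (not Red Hat's code): pre-flight checks for the
# keycloak-httpd-client-install run shown above.

# Return 0 when every FED_* variable the command needs is set and well-formed.
check_fed_env() {
  for v in FED_KEYSTONE_HTTPS_PORT FED_KEYSTONE_HOST FED_RHSSO_URL \
           FED_RHSSO_ADMIN_PASSWORD FED_RHSSO_REALM; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      return 1
    fi
  done
  # --mellon-https-port must be a numeric TCP port.
  case "$FED_KEYSTONE_HTTPS_PORT" in
    ''|*[!0-9]*) echo "FED_KEYSTONE_HTTPS_PORT is not numeric" >&2; return 1 ;;
  esac
  [ "$FED_KEYSTONE_HTTPS_PORT" -le 65535 ] || return 1
  # --keycloak-server-url receives the admin password and the SAML metadata
  # exchange; refuse a plain-HTTP IdP URL.
  case "$FED_RHSSO_URL" in
    https://*) ;;
    *) echo "FED_RHSSO_URL must start with https://" >&2; return 1 ;;
  esac
  return 0
}

# Return 0 only if the captured tool output ends in the final step,
# i.e. the client was registered and the IdP metadata was retrieved.
install_completed() {
  # $1: stdout captured from keycloak-httpd-client-install
  printf '%s\n' "$1" | grep -q '^\[Step 16\] Completed Successfully$'
}

# Constructed, abridged sample of a successful run (for demonstration only).
SAMPLE_OUTPUT='[Step 1] Connect to Keycloak Server
[Step 15] Retrieve IdP metadata from Keycloak server
[Step 16] Completed Successfully'
```

Run check_fed_env before the sudo keycloak-httpd-client-install line, and pass the tool's captured output to install_completed before building the tar file for the other Controller nodes.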