openstack 遇到的问题一

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
RDS MySQL Serverless 高可用系列,价值2615元额度,1个月
简介:

1 keystone-manage db_sync 这个已经是最全面的了。

Solution MySQL ERROR 1045 Access denied for 'user'@'localhost' - breaks OpenStack


mysql -u root -p
. . .
Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu)
. . .

mysql> SELECT user,host,password FROM mysql.user;
+------------------+------------+-------------------------+
| user             | host       | password                |
+------------------+------------+-------------------------+
| root             | localhost  | *77B48D6366D102139D3719 |
| root             | mysqltests | *77B48D6366D102139D3719 |
| root             | 127.0.0.1  | *77B48D6366D102139D3719 |
| root             | ::1        | *77B48D6366D102139D3719 |
|                  | localhost  |                         |
|                  | mysqltests |                         |
| debian-sys-maint | localhost  | *04D30B480932109EFD77E1 |
+------------------+------------+-------------------------+
7 rows in set (0.00 sec)

mysql> show grants;
+---------------------------------------------------------+
| Grants for root@localhost                               |
+---------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'       |

|       IDENTIFIED BY PASSWORD '*77B48D6366D102139D3719'  |

|       WITH GRANT OPTION                                 |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT   |

|                                       OPTION            |
+---------------------------------------------------------+
2 rows in set (0.00 sec)


The mysql.user Table

At first glance, we have 2 users (root and debian-sys-maint). That's wrong, because mysql's "user" is a 'user'@'host' pair association. So we have 7 in total: 'root' is defined (with the same password) for any combination of 'localhost' (the first 4 lines), then we have 2 strange lines with empty username, and finally the debian backdoor 'debian-sys-maint'.


The grants

The 'show grants' above shows only grants for 'root'. But if we run the next staement, we see what access is provided to any user connecting from 'localhost':

mysql> show grants for ''@'localhost';
+--------------------------------------+
| Grants for @localhost                |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+

Which (indirectly) explains why running this command (as Linux user 'ori') doesn't require a password:

[16:16:57]ori@mysqltests[~]

mysqladmin ping
mysqld is alive


Where this one fails:

[16:14:59]ori@mysqltests[~]
mysqladmin -uroot ping
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'


Honestly, in the beginning i thought there's some balck magic here related to the user ('ori', in this case) defined during ubuntu installation, or a special Linux group memebership, or some apparmor profile or god-knows what else.


But there's no black magic after all, and it's all inside mysql:

The first thing to bear in mind is that the empty USER field '' is a wildcard, same as '%' for host.

The second is that mysql prefers the explicit match over the wildcard. For example, user 'root' can match either [1] the explicit 'root'@localhost' row or [2] the wildcard ''@'localhost' row. Since there's an explicit entry for [1] in the table mysql.user, it'll be used. This in turn requires a password so when i try to connect as 'root' without a password i'm rejected.

When i connect as 'ori' - which isn't even a mysql user, there's only one possible match - ''@'localhost' and this line in the table doesn't have a password.

This nicely explains why the above mysqladmin command works for 'ori' and fails for 'root'.


To sum it up: mysql controls access (or connection request) based on the USER table. Which user, from which host and whether a password is required.

Once connected, the GRANTS determine what the user is allowed to do. When connected as 'ori' i'm limited to "USAGE" (e.g. check if server is up, what version and the like of inoffensive commands).


So far so good - but why 'glance'@'localhost' is denied access on the OpenStack controller?

When the static IP address of the conroller wasn't in /etc/hosts (or after it was commented-out), there was only one match for 'glance' = 'glance'@'%'

This, in turn, comes from the connection string (in /etc/glance/glance-registry.conf) which is:

sql_connection = mysql://glance:openstack@10.0.0.40/glance

It specifies user, password and host.

The line I've added for 10.0.0.40 in /etc/hosts, told mysql (indirectly) that host 'ostk-controller1' is actually 'localhsot'. From now on, there are 2 possible matches for 'glance', and the one picked by mysql is ''@'localhost'. This row, however, doesn't require a password - which the sql_connection string provide.

And that's why all OpenStack services couldn't connect to mysql.


Check against the USER table below, this was taken from ostk-controller (not the test VM):

mysql> SELECT user,host,password FROM mysql.user;
+------------------+------------------+-------------------------+
| user 
| host             | password |

+------------------+------------------+-------------------------+
| root 
| localhost        | *3A4A03AC22526F6B591010 |

| root | ostk-controller1 | *3A4A03AC22526F6B591010 |

| root | 127.0.0.1        | *3A4A03AC22526F6B591010 |

| root             | ::1              | *3A4A03AC22526F6B591010 |
|                  | localhost        | 
|

|                  | ostk-controller1 |                         |
| debian-sys-maint | localhost        | *F714636CE8A7836873F7C8 |
| nova             | %                | *3A4A03AC22526F6B591010 |
| glance           | %                | *3A4A03AC22526F6B591010 |
| keystone         | %                | *3A4A03AC22526F6B591010 |
+------------------+------------------+-------------------------+
10 rows in set (0.00 sec)

Solution for ERROR 1045

After understanding why, let's improve on the poor workaround.

I'd like to credit an answer by Paul DuBois from 2004 for this solution(it's worth noting that the subject was "Re: Any way to make anyhost '%' include localhost").


Borrowing from there, here's the remedy:

in MySQL:

mysql -uroot -p

DELETE FROM mysql.user WHERE Host='localhost' AND User='';

DELETE FROM mysql.user WHERE Host='ostk-controller1' AND User='';

FLUSH PRIVILEGES;


in /etc/hosts:

Replace the line

127.0.1.1ostk-controller1

by this one:

10.0.0.40 ostk-controller1

Quoting from Debian's reference manual:

For a system with a permanent IP address, that permanent IP address should be used here instead of 127.0.1.1


finally restart networking and mysqld - or simply reboot.


A Second Solution

Months after going through the above study, i found out why some OpenStack installations don't hit this issue; The keystone installation instructions (from Ubuntu, for Essex, can be found here) create each OSTK user in mysql twice, as in:

mysql> CREATE DATABASE keystone;
CREATE USER ‘keystone’@’localhost’ IDENTIFIED BY ‘Secret_pass’;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone’@’localhost’
WITH GRANT OPTION;
CREATE USER ‘keystone’@’%’ IDENTIFIED BY ‘Secret_pass’;
GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone’@’%’
IDENTIFIED BY ‘Secret_pass’;
FLUSH PRIVILEGES;


本文转自luojinghappy 51CTO博客,原文链接:http://blog.51cto.com/luojinghappy/1342663,如需转载请自行联系原作者
相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助     相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
相关文章
|
存储 API 虚拟化
|
存储 API Swift
一文秒懂什么是OpenStack?
一文秒懂什么是OpenStack?
485 0
|
存储 监控 调度
OpenStack
OpenStack
229 0
|
存储 API 云计算
Openstack
OpenStack云平台技术是云计算技术中的主流技术,已得到大量主流商业厂商和研究机构的大力支持。在未来的几年中,OpenStack会对云计算以及IT领域产生极大的影响。
4759 1
openstack4j
Identity // V2 authentication OSClientV2 os = OSFactory.builderV2() .endpoint("http://127.
1051 0
|
存储 数据库 云计算