Add k2k identity backend
diff --git a/README.rst b/README.rst
index 59f8a88..3fde09f 100644
--- a/README.rst
+++ b/README.rst
@@ -330,6 +330,25 @@
- wsgi
- shib2
+Use a custom identity driver with custom options
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ backend: k2k
+ k2k:
+ auth_url: 'https://keystone.example.com/v2.0'
+ read_user: 'example_user'
+ read_pass: 'password'
+ read_tenant_id: 'admin'
+ identity_driver: 'sql'
+ id_prefix: 'k2k:'
+ domain: 'default'
+ caching: true
+ cache_time: 600
+
+
Keystone client
---------------
diff --git a/keystone/files/_k2k.conf b/keystone/files/_k2k.conf
new file mode 100644
index 0000000..ae3696f
--- /dev/null
+++ b/keystone/files/_k2k.conf
@@ -0,0 +1,46 @@
+
+[k2k]
+
+#
+# Specific driver configuration for identity backend k2k
+# (Authentication against other keystone backend as fallback)
+#
+
+# Authentication URL of keystone to authenticate against (v2.0 only)
+# (string value)
+#auth_url = https://keystone.example.com/v2.0
+auth_url = {{ k2k.auth_url }}
+
+# User that is able to read users (string value)
+#read_user = admin
+read_user = {{ k2k.read_user }}
+
+# Password for readonly user (string value)
+#read_pass = password
+read_pass = {{ k2k.read_pass }}
+
+# Tenant id to be used to read (string value)
+#read_tenant_id = admin
+read_tenant_id = {{ k2k.read_tenant_id }}
+
+# Keystone identity driver to use before k2k authentication (string value)
+#identity_driver = sql
+identity_driver = {{ k2k.get('identity_driver', 'sql') }}
+
+# UserId prefix to use for assignment mappings etc (string value)
+#id_prefix = k2k:
+id_prefix = {{ k2k.get('id_prefix', 'k2k:') }}
+
+# This value will be set in the User object after authentication (string value)
+#domain = default
+domain = {{ k2k.get('domain', 'default') }}
+
+# Toggle for k2k caching. This has no effect unless global caching is enabled.
+# (boolean value)
+#caching = true
+caching = {{ k2k.get('caching', 'true')|lower }}
+
+# Time to cache identity data (in seconds). This has no effect unless global and
+# identity caching are enabled. (integer value)
+#cache_time = 600
+cache_time = {{ k2k.get('cache_time', 600) }}
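Review bot: `auth_url`, `read_user`, `read_pass` and `read_tenant_id` are rendered by plain attribute access with no default and no presence check, unlike the five optional keys below them, which use `k2k.get(...)`. A pillar that omits one of them will probably render an empty `key =` line rather than fail, leaving the backend to start with a blank credential or URL; checking the four keys before the section is emitted would surface the mistake at render time. `read_pass` also lands in the rendered keystone.conf in clear text, so the file's mode and ownership (managed outside this diff) now protect a credential for the remote keystone. I would add a comment above it such as `# Rendered in clear text: keep this file readable by the keystone service user only and supply the value from an encrypted pillar.` Nothing here restricts `auth_url` to https, so it is worth confirming that the read credentials are never sent over plain http.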
diff --git a/keystone/files/mitaka/keystone.conf.Debian b/keystone/files/mitaka/keystone.conf.Debian
index d48f485..53fa9e7 100644
--- a/keystone/files/mitaka/keystone.conf.Debian
+++ b/keystone/files/mitaka/keystone.conf.Debian
@@ -948,11 +948,7 @@
# Entrypoint for the identity backend driver in the keystone.identity
# namespace. Supplied drivers are ldap and sql. (string value)
#driver = sql
-{%- if server.get('backend', 'sql') == 'ldap' %}
-driver = ldap
-{%- else %}
-driver = sql
-{%- endif %}
+driver = {{ server.get('backend', 'sql') }}
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
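Review bot: `driver = {{ server.get('backend', 'sql') }}` now writes whatever string the pillar holds into the `driver` option, where the removed block could only ever emit `ldap` or `sql`. A typo or an unexpected value is no longer normalised to `sql`; it becomes the entrypoint name keystone tries to load. An allow-list keeps the old fail-safe behaviour: `{%- set backend = server.get('backend', 'sql') %}` followed by `driver = {{ backend if backend in ['sql', 'ldap', 'k2k'] else 'sql' }}`. The context comment "Supplied drivers are ldap and sql" is also out of date once k2k is accepted.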
@@ -971,6 +967,10 @@
# (integer value)
#list_limit = <None>
+{%- if server.get("backend", "sql") == "k2k" and server.k2k is defined %}
+{%- set k2k = server.k2k %}
+{% include "keystone/files/_k2k.conf" %}
+{%- endif %}
[identity_mapping]
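Review bot: The `and server.k2k is defined` guard on the include lets a half-configured pillar through silently. With `backend: k2k` and no `k2k` mapping, the earlier hunk still writes `driver = k2k`, but no `[k2k]` section is emitted, so the identity driver is selected with none of its settings. Reducing the condition to `{%- if server.get('backend', 'sql') == 'k2k' %}` should make the missing mapping fail when the included template dereferences it, instead of producing a config that looks valid. As a matter of style, this block uses double-quoted Jinja strings while the rest of the template uses single quotes.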