Merge "Multi-region service endpoint support"
diff --git a/README.rst b/README.rst
index dc1fd5a..085040d 100644
--- a/README.rst
+++ b/README.rst
@@ -176,11 +176,11 @@
assignment:
backend: sql
ldap:
- url: "ldaps://idm01.workshop.cloudlab.cz"
- suffix: "dc=workshop,dc=cloudlab,dc=cz"
- # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
uid: keystone
- password: cloudlab
+ password: password
Using LDAP backend for default domain
@@ -192,11 +192,53 @@
assignment:
backend: sql
ldap:
- url: "ldaps://idm01.workshop.cloudlab.cz"
- suffix: "dc=workshop,dc=cloudlab,dc=cz"
- # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
+ url: "ldaps://idm.domain.com"
+ suffix: "dc=cloud,dc=domain,dc=com"
+ # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
uid: keystone
- password: cloudlab
+ password: password
+
+Simple service endpoint definition (defaults to RegionOne)
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ service:
+ ceilometer:
+ type: metering
+ description: OpenStack Telemetry Service
+ user:
+ name: ceilometer
+ password: password
+ bind:
+ ...
+
+Region-aware service endpoints definition
+
+.. code-block:: yaml
+
+ keystone:
+ server:
+ service:
+ ceilometer_region01:
+ service: ceilometer
+ type: metering
+ region: region01
+ description: OpenStack Telemetry Service
+ user:
+ name: ceilometer
+ password: password
+ bind:
+ ...
+ ceilometer_region02:
+ service: ceilometer
+ type: metering
+ region: region02
+ description: OpenStack Telemetry Service
+ bind:
+ ...
+
Read more
=========
@@ -208,13 +250,3 @@
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
* https://bugs.launchpad.net/tripleo/+bug/1203910
-
-Things to improve
-=================
-
-* Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
-* Keystone with MongoDB backend - where is it?
-* IdP is owned by domain, domain corresponds to billable account - IdP administration
-* IdP Shiboleth alternatives - mod_auth_mellon
-
-Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)
diff --git a/keystone/server.sls b/keystone/server.sls
index 60a9d1f..311b4b0 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -63,6 +63,7 @@
- pkg: keystone_packages
{%- for domain_name, domain in server.domain.iteritems() %}
+
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
file.managed:
- source: salt://keystone/files/keystone.domain.conf
@@ -75,6 +76,7 @@
domain_name: {{ domain_name }}
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
+
keystone_domain_{{ domain_name }}_cacert:
file.managed:
- name: /etc/keystone/domains/{{ domain_name }}.pem
@@ -83,6 +85,7 @@
- file: /etc/keystone/domains
- watch_in:
- service: keystone_service
+
{%- endif %}
keystone_domain_{{ domain_name }}:
@@ -92,11 +95,13 @@
- require:
- file: /root/keystonercv3
- service: keystone_service
+
{%- endfor %}
{%- endif %}
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
+
keystone_ldap_default_cacert:
file.managed:
- name: {{ server.ldap.tls.cacertfile }}
@@ -105,6 +110,7 @@
- pkg: keystone_packages
- watch_in:
- service: keystone_service
+
{%- endif %}
keystone_service:
@@ -199,7 +205,7 @@
keystone_{{ service_name }}_endpoint:
keystone.endpoint_present:
- - name: {{ service_name }}
+ - name: {{ service.get('service', service_name) }}
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'