==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release the Keystone v3 endpoint is defined without a version in
its URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host (`keystone:server:database:host`),
    sqlalchemy will try to connect to /var/run/mysql/mysqld.sock, which may cause
    issues if your MySQL socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
          - admin
          - Member
          - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
          - name: nova
            type: compute
            description: OpenStack Compute Service
            user:
              name: nova
              password: password
            bind:
              public_address: cloud.domain.com
              public_protocol: https
              public_port: 8774
              internal_address: 10.0.0.20
              internal_port: 8774
              admin_address: 10.0.0.20
              admin_port: 8774

Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
          ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
            - host: 192.160.0.1
              port: 11211
            - host: 192.160.0.2
              port: 11211
        services:
          ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

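What `max_active_keys` actually bounds is easiest to see on a model of the key repository. The block below is an added example (not formula or Keystone code) of the rotation rule: key 0 is the staged key, the highest-numbered key is the primary that encrypts every new token, and once the repository grows past `max_active_keys` the lowest-numbered secondary keys are purged. A token can only be validated while the key that encrypted it is still present, so `rotations_until_invalid` shows how the setting and the rotation cadence together cap token lifetime. Keys are generated with `os.urandom` in memory rather than read from the repository directory, and the Fernet encryption itself is left out.

```python
import base64
import os

STAGED = 0  # key 0 is the staged key: it decrypts but never encrypts new tokens


def new_key() -> bytes:
    """Fresh 32 random bytes, base64url-encoded like the files in the key repository."""
    return base64.urlsafe_b64encode(os.urandom(32))


def create_key_repository() -> dict:
    """Initial state after key setup: key 0 staged, key 1 primary (constructed model)."""
    return {STAGED: new_key(), 1: new_key()}


def primary_key_id(repo: dict) -> int:
    """The highest-numbered key encrypts every newly issued token."""
    return max(repo)


def rotate_keys(repo: dict, max_active_keys: int) -> dict:
    """One rotation: promote the staged key to primary, stage a new key, then purge
    the oldest secondary keys until at most max_active_keys remain.
    Returns a new repository; the input is left untouched."""
    if max_active_keys < 2:
        raise ValueError("max_active_keys must be at least 2 (staged + primary)")
    new_repo = dict(repo)
    new_primary = primary_key_id(repo) + 1
    new_repo[new_primary] = new_repo.pop(STAGED)  # staged key becomes the primary
    new_repo[STAGED] = new_key()                   # a new staged key takes its place
    # Purge from the oldest secondary upward; staged and primary are never purged.
    for key_id in sorted(k for k in new_repo if k not in (STAGED, new_primary)):
        if len(new_repo) <= max_active_keys:
            break
        del new_repo[key_id]
    return new_repo


def can_validate(repo: dict, issuing_key_id: int) -> bool:
    """A token decrypts only while the key that encrypted it is still in the repository."""
    return issuing_key_id in repo


def rotations_until_invalid(max_active_keys: int) -> int:
    """Issue a token under the initial primary key and count the rotations until it
    no longer validates. With max_active_keys: 3 as in the pillar above the answer
    is 2: the token survives one rotation and is cut off by the second."""
    repo = create_key_repository()
    issued_with = primary_key_id(repo)
    rotations = 0
    while can_validate(repo, issued_with):
        repo = rotate_keys(repo, max_active_keys)
        rotations += 1
    return rotations


if __name__ == "__main__":
    for n in (3, 5):
        print("max_active_keys={}: a token issued at setup stops validating "
              "after {} rotations".format(n, rotations_until_invalid(n)))
```

The model makes the operational constraint explicit: a token issued just before a rotation survives `max_active_keys - 2` further rotations, so the configured token expiry must be shorter than that many rotation intervals, and every node serving the API must see the same repository after each rotation or it will reject tokens its peers still accept.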
Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm.domain.com"
            suffix: "dc=cloud,dc=domain,dc=com"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
            uid: keystone
            password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ...
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ...

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
          - wsgi

Enable Federated keystone

.. code-block:: yaml

    keystone:
      server:
        websso:
          protocol: saml2
          remote_id_attribute: Shib-Identity-Provider
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
            - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
          shib_url_scheme: https
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-shib2
        modules:
          - wsgi
          - shib2

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


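Both `allowed_origin` here and `trusted_dashboard` in the federated sample above are allow-lists of exact URLs, and the protection each gives rests on the comparison being exact. The block below is an added example (not formula, Keystone or oslo.middleware code) that models the two checks over the README's own CORS values: a cross-origin response carries `Access-Control-Allow-Origin` only for a listed origin and echoes back exactly that origin, a wildcard is refused when `allow_credentials` is set, and a WebSSO `origin` parameter is accepted only when its decoded value equals a trusted dashboard URL character for character. The dashboard URL and the request values are constructed.

```python
from urllib.parse import unquote_plus

# Constructed pillar values, mirroring the README's CORS sample.
CORS_PILLAR = {
    "allowed_origin": "https://localhost.local,http://localhost.local",
    "expose_headers": "X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token",
    "allow_methods": "GET,PUT,POST,DELETE,PATCH",
    "allow_headers": "X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token",
    "allow_credentials": True,
    "max_age": 86400,
}

# Constructed stand-in for the README's
# http://${_param:proxy_vip_address_public}/horizon/auth/websso/ entry.
TRUSTED_DASHBOARDS = ["https://dashboard.example.test/horizon/auth/websso/"]


def split_list(value) -> list:
    """Split a comma-separated pillar string into trimmed, non-empty items."""
    return [item.strip() for item in str(value).split(",") if item.strip()]


def cors_headers(pillar: dict, origin, preflight_method=None) -> dict:
    """CORS response headers for a request carrying `origin`.

    An empty dict means the origin is not allowed, so no CORS headers are sent
    and the browser withholds the response from the page. The origin match is
    an exact string comparison: no prefix, suffix or substring matching.
    """
    allowed = split_list(pillar["allowed_origin"])
    credentials = bool(pillar.get("allow_credentials"))
    if credentials and "*" in allowed:
        # A wildcard plus credentials would hand token-bearing responses to any site.
        raise ValueError("allowed_origin '*' must not be combined with allow_credentials")
    if origin is None or origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo only the matched origin, never the list
        "Vary": "Origin",                       # keep caches from reusing it for another origin
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight_method is None:
        headers["Access-Control-Expose-Headers"] = ",".join(split_list(pillar["expose_headers"]))
        return headers
    # Preflight: the method the page wants to use must itself be on the allow-list.
    if preflight_method.upper() not in split_list(pillar["allow_methods"]):
        return {}
    headers["Access-Control-Allow-Methods"] = ",".join(split_list(pillar["allow_methods"]))
    headers["Access-Control-Allow-Headers"] = ",".join(split_list(pillar["allow_headers"]))
    headers["Access-Control-Max-Age"] = str(pillar["max_age"])
    return headers


def websso_redirect_allowed(origin_param: str, trusted_dashboards: list) -> bool:
    """The trusted_dashboard check: the decoded `origin` query parameter must equal
    one configured dashboard URL exactly, otherwise no token is posted anywhere."""
    return unquote_plus(origin_param) in trusted_dashboards


if __name__ == "__main__":
    for candidate in ("http://localhost.local", "https://localhost.local.evil.test"):
        print(candidate, "->", cors_headers(CORS_PILLAR, candidate) or "blocked")
    print(websso_redirect_allowed("https://dashboard.example.test/horizon/auth/websso", TRUSTED_DASHBOARDS))
```

Note that a trailing-slash or scheme difference in `trusted_dashboard` is a hard failure rather than a loose match, which is why the pillar entry must reproduce the URL the dashboard really sends.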
Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                  - region: region01
                    public_address: 172.16.10.1
                    public_port: 8773
                    public_path: '/v2'
                    internal_address: 172.16.10.1
                    internal_port: 8773
                    internal_path: '/v2'
                    admin_address: 172.16.10.1
                    admin_port: 8773
                    admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
              - admin
              - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                      - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne


Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
              - admin
              - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ...
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ...

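The following block is an added example (not formula code) of how the `database` pillar and the `extra_config` sections above end up in keystone.conf, together with the check behind the caution at the top of the page: a MySQL host of `localhost` selects the unix socket rather than TCP. The pillar fragment is constructed, the `mysql+pymysql://` URL scheme is an assumption (the formula's own template may render a different driver), and the `[fernet_tokens]` and `[cache]` sections stand in for the README's `ini_section1`/`ini_section2` placeholders.

```python
import configparser
import io

# Constructed pillar fragment: the database block from the "Full stacked
# keystone" sample with host set to localhost, plus two extra_config sections.
PILLAR = {
    "keystone": {
        "server": {
            "database": {
                "engine": "mysql",
                "host": "localhost",
                "name": "keystone",
                "user": "keystone",
                "password": "LfTno5mYdZmRfoPV",
            },
            "extra_config": {
                "fernet_tokens": {"max_active_keys": 3},
                "cache": {"enabled": True, "backend": "dogpile.cache.memcached"},
            },
        }
    }
}

# Assumed SQLAlchemy URL schemes; the formula's own template may differ.
DB_SCHEMES = {"mysql": "mysql+pymysql", "postgresql": "postgresql"}
MYSQL_SOCKET = "/var/run/mysql/mysqld.sock"  # path named in the README caution


def database_connection(db: dict) -> str:
    """Build the [database] connection URL from the database pillar."""
    scheme = DB_SCHEMES[db["engine"]]
    return "{}://{}:{}@{}/{}".format(scheme, db["user"], db["password"], db["host"], db["name"])


def socket_warning(db: dict):
    """The README caution as a check: a MySQL host of 'localhost' makes the client
    use the unix socket instead of TCP. Returns a message, or None when TCP is used."""
    if db["engine"] == "mysql" and db["host"] == "localhost":
        return ("database host 'localhost' selects the unix socket {}; use 127.0.0.1 "
                "to force a TCP connection".format(MYSQL_SOCKET))
    return None


def ini_value(value) -> str:
    """Render pillar scalars as INI text; booleans become lower-case true/false."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def render_keystone_conf(pillar: dict) -> str:
    """Render the [database] section plus every extra_config section as INI text."""
    server = pillar["keystone"]["server"]
    # RawConfigParser does no '%' interpolation, so passwords containing '%' survive.
    cfg = configparser.RawConfigParser()
    cfg.add_section("database")
    cfg.set("database", "connection", database_connection(server["database"]))
    for section, options in server.get("extra_config", {}).items():
        if not cfg.has_section(section):
            cfg.add_section(section)
        for key, value in options.items():
            cfg.set(section, key, ini_value(value))
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    warning = socket_warning(PILLAR["keystone"]["server"]["database"])
    if warning:
        print("WARNING:", warning)
    print(render_keystone_conf(PILLAR))
```

Because `extra_config` is written section by section after the formula-managed sections, a section name that collides with one the formula already renders would silently override it; keeping the rendered file under review in version control is the simplest way to catch that.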
Usage
=====

Apply the `keystone.client.service` state first and then the `keystone.client` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker of the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to its mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net