==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release the Keystone v3 endpoint is defined without a version in the URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+

Sample pillars
==============

.. caution::

    When you use localhost as your database host (keystone:server:
    database:host), sqlalchemy will try to connect to /var/run/mysql/
    mysqld.sock, which may cause issues if your mysql socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone with custom policies. Keys with a specified rule are created, or set to that value if they already exist. Keys with no value (like our "existing_rule") are deleted from the policy file.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:

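The create/overwrite/delete semantics described above, worked through in Python as an added example (this is illustrative code, not the formula's own state logic). The sample policy.json content and the pillar mapping are constructed for the example; the two checks at the end flag the results an operator would want to see before the file is written: a deleted rule that other rules still reference, and rules that have become unconditionally permissive.

```python
import json
import re
from typing import Dict, Optional, Set

# Constructed sample of an existing policy.json (illustrative, not a real
# deployment file). "existing_rule" is referenced by "identity:list_users".
EXISTING_POLICY: Dict[str, str] = {
    "admin_required": "role:admin or is_admin:1",
    "existing_rule": "rule:admin_required",
    "identity:get_user": "rule:admin_required",
    "identity:list_users": "rule:existing_rule",
}

# Constructed pillar matching the README example (keystone:server:policy).
PILLAR_POLICY: Dict[str, Optional[str]] = {
    "new_rule": "rule:admin_required",
    "existing_rule": None,  # empty value in YAML -> delete the key
}


def apply_policy_pillar(policy: Dict[str, str],
                        pillar: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return a new policy mapping with the pillar applied.

    A key with a rule string is created, or overwritten if it already exists.
    A key with an empty value (YAML null or "") is removed from the policy.
    """
    merged = dict(policy)
    for key, rule in pillar.items():
        if rule is None or rule == "":
            merged.pop(key, None)
        else:
            merged[key] = rule
    return merged


# Matches "rule:<name>" references inside a rule string.
_RULE_REF = re.compile(r"rule:([\w:.\-]+)")


def dangling_references(policy: Dict[str, str]) -> Set[str]:
    """Names used as ``rule:<name>`` that no longer exist as policy keys.

    Deleting a rule that other rules still reference leaves such a dangling
    reference; catching it before the file is written avoids surprising
    authorization results after the state is applied.
    """
    referenced: Set[str] = set()
    for rule in policy.values():
        referenced.update(_RULE_REF.findall(rule))
    return referenced - set(policy)


def permissive_rules(policy: Dict[str, str]) -> Set[str]:
    """Keys whose rule is empty or '@', which oslo.policy treats as always allowed."""
    return {key for key, rule in policy.items() if rule.strip() in ("", "@")}


def render_policy_json(policy: Dict[str, str]) -> str:
    """Serialize the policy the way it would be written to policy.json."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    merged = apply_policy_pillar(EXISTING_POLICY, PILLAR_POLICY)
    print(render_policy_json(merged))
    print("dangling:", sorted(dangling_references(merged)))
    print("permissive:", sorted(permissive_rules(merged)))
```

With the constructed input, `existing_rule` is removed as the README describes, and `dangling_references` reports it because `identity:list_users` still points at it; that is exactly the case to review before deleting a rule from a live policy file.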
Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

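What `max_active_keys` bounds is the Fernet key repository that Keystone rotates: key `0` is the staged key, the highest-numbered file is the primary key used to encrypt new tokens, and the remaining files are secondary keys kept only to validate tokens issued earlier. The simulation below is an added example (standard-library Python, not the formula's or Keystone's own code) that reproduces that rotation scheme in a temporary directory so the effect of `max_active_keys: 3` on the repository can be observed; the directory layout and key format follow Keystone's convention, while the file contents are freshly generated random keys.

```python
import base64
import os
import tempfile
from pathlib import Path
from typing import List


def new_fernet_key() -> str:
    """A Fernet key: 32 random bytes, URL-safe base64 encoded (44 characters)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def key_numbers(repo: Path) -> List[int]:
    """Numeric key file names present in the repository, ascending."""
    return sorted(int(p.name) for p in repo.iterdir() if p.name.isdigit())


def primary_key_number(repo: Path) -> int:
    """Keystone encrypts new tokens with the highest-numbered key."""
    return max(key_numbers(repo))


def setup_repository(repo: Path) -> List[int]:
    """Initial layout: key 0 is the staged key, key 1 is the primary."""
    repo.mkdir(parents=True, exist_ok=True)
    (repo / "0").write_text(new_fernet_key())
    (repo / "1").write_text(new_fernet_key())
    return key_numbers(repo)


def rotate_keys(repo: Path, max_active_keys: int) -> List[int]:
    """One rotation step:

    1. the staged key 0 becomes the new primary (highest number),
    2. a fresh staged key is written to 0,
    3. the oldest secondary keys are deleted until at most
       ``max_active_keys`` files remain (staged + primary + secondaries).

    Tokens encrypted with a deleted secondary key can no longer be validated,
    which is why max_active_keys must cover the token lifetime.
    """
    if max_active_keys < 2:
        raise ValueError("max_active_keys must be at least 2 (staged + primary)")
    new_primary = primary_key_number(repo) + 1
    (repo / "0").rename(repo / str(new_primary))
    (repo / "0").write_text(new_fernet_key())
    numbers = key_numbers(repo)
    excess = len(numbers) - max_active_keys
    # numbers[0] is the staged key 0; the oldest secondaries follow it.
    for n in (numbers[1:1 + excess] if excess > 0 else []):
        (repo / str(n)).unlink()
    return key_numbers(repo)


def simulate(max_active_keys: int, rotations: int) -> List[int]:
    """Set up a repository in a temp directory and rotate it ``rotations`` times."""
    repo = Path(tempfile.mkdtemp(prefix="fernet-keys-"))
    numbers = setup_repository(repo)
    for _ in range(rotations):
        numbers = rotate_keys(repo, max_active_keys)
    return numbers


if __name__ == "__main__":
    # With max_active_keys=3 only staged + primary + one secondary survive.
    print(simulate(max_active_keys=3, rotations=5))  # -> [0, 5, 6]
```

Running `simulate(3, 5)` returns `[0, 5, 6]`: after every rotation only the staged key, the primary and a single secondary remain, so a token encrypted with key 4 stops validating after the next rotation. Keystone's documentation sizes the setting as `max_active_keys = (token_expiration / rotation_frequency) + 2`; a value below that silently invalidates tokens that are still within their expiration.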
Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          external:
            description: "Testing domain"
            backend: ldap
            assignment:
              backend: sql
            ldap:
              url: "ldaps://idm.domain.com"
              suffix: "dc=cloud,dc=domain,dc=com"
              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
              uid: keystone
              password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
          - host: 10.0.16.1
          - host: 10.0.16.2
          - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration

By default the system-wide CA certificates are used; nothing needs to be specified except `ssl.enabled`:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA certificate file path explicitly:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
            cacert_file: /etc/openstack/rabbitmq-ca.pem

Notice:

 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for newer versions.

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
        - wsgi

Enable SAML2 Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
          - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-shib2
        modules:
        - wsgi
        - shib2

Enable OIDC Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
          - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-auth-openidc
        modules:
        - wsgi
        - auth_openidc

Notes: The Ubuntu Trusty repository doesn't contain the libapache2-mod-auth-openidc package. An additional repository should be added to the source list.

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Projects, users and roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne

Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

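How an `extra_config` mapping ends up in keystone.conf, shown as an added example in Python (illustrative code, not the formula's own template rendering): every section in the mapping is created if missing, every option in it is written, and options already present in the file but not mentioned in the mapping are left alone. The keystone.conf excerpt and the pillar values are constructed for the example; the `[security_compliance]` options used as sample values are real Keystone options, but their values here are assumptions, not recommendations.

```python
import configparser
import io
from typing import Mapping

# Constructed keystone.conf excerpt (not a real deployment file).
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = False

[token]
provider = fernet
expiration = 3600
"""

# Constructed pillar in the shape of keystone:server:extra_config.
# Values are assumptions chosen for the example.
PILLAR_EXTRA_CONFIG: Mapping[str, Mapping[str, object]] = {
    "token": {"expiration": 1800},
    "security_compliance": {
        "lockout_failure_attempts": 5,
        "lockout_duration": 1800,
    },
}


def _parser() -> configparser.ConfigParser:
    # interpolation=None: keystone.conf values (for example database URLs)
    # may contain a literal '%'; optionxform=str keeps option names as given.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # type: ignore[assignment]
    return parser


def merge_extra_config(conf_text: str,
                       extra_config: Mapping[str, Mapping[str, object]]) -> str:
    """Return conf_text with every extra_config section/option applied.

    Options not mentioned in extra_config are kept, mentioned ones are
    overwritten, and sections that do not exist yet are created.
    """
    parser = _parser()
    parser.read_string(conf_text)
    for section, params in extra_config.items():
        if section != "DEFAULT" and not parser.has_section(section):
            parser.add_section(section)
        for key, value in params.items():
            parser.set(section, key, str(value))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def read_option(conf_text: str, section: str, key: str) -> str:
    """Read one option back from rendered keystone.conf text."""
    parser = _parser()
    parser.read_string(conf_text)
    return parser.get(section, key)


if __name__ == "__main__":
    print(merge_extra_config(SAMPLE_KEYSTONE_CONF, PILLAR_EXTRA_CONFIG))
```

Because `extra_config` writes raw section/option pairs, anything placed there bypasses the formula's own key validation; reading the merged result back with `read_option` is a cheap way to confirm the intended section received the value before the state is applied to a controller.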
Configuration of policy.json file

.. code-block:: yaml

    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

Setting up default admin project name and domain

.. code-block:: yaml

    keystone:
      server:
        ....
        admin_project:
          name: "admin"
          domain: "default"

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with these variables:

 * openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
 * openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all OpenStack services.

Only WatchedFileHandler and FluentHandler are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    keystone:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true

Usage
=====

Apply the `keystone.client.service` state first and then the `keystone.client` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net