==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP, primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is registered without a
version in its URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    |                id                |   region  |        publicurl         |       internalurl        |          adminurl         |            service_id            |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+

Sample pillars
==============

.. caution::

    When you use localhost as your database host (``keystone:server:database:host``),
    SQLAlchemy will try to connect to /var/run/mysql/mysqld.sock, which may cause
    issues if your MySQL socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_token'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone memcached storage for tokens. Memcached does not authenticate its
clients, so the cache endpoint must be reachable only from the control plane:
anyone who can read it can harvest valid tokens.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

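What ``max_active_keys`` buys you is easier to see on a model of the key
repository than in prose. The Python below is an added example written for
this README, not code from the formula or from Keystone: it reproduces the
documented repository layout (file ``0`` is the staged key, the highest index
is the primary key that encrypts new tokens, every other file is a secondary
key that only decrypts) and the rotation rule of ``keystone-manage
fernet_rotate`` on a throw-away directory. The file permissions, the function
names and the token model (a token is represented only by the index of the key
that encrypted it; no real Fernet encryption happens) are simplifications made
here.

```python
"""Model of Keystone's Fernet key-repository rotation and ``max_active_keys``.

Added example for this README; not Keystone's or the formula's own code.  It
reproduces the documented layout of the key repository (file ``0`` is the
staged key, the highest index is the primary key, anything else is a
secondary key) and the rotation rule on a throw-away directory.  Tokens are
modelled only by the index of the key that encrypted them; no real Fernet
encryption is performed.
"""
import base64
import os
import shutil
import tempfile

STAGED = 0  # only decrypts; promoted to primary at the next rotation


def _key_path(repo, index):
    return os.path.join(repo, str(index))


def _write_key(repo, index):
    """Write a fresh 32-byte url-safe base64 key, readable by the owner only."""
    key = base64.urlsafe_b64encode(os.urandom(32))
    fd = os.open(_key_path(repo, index), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def key_indexes(repo):
    """Sorted indexes of the keys present in the repository."""
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())


def primary_key(repo):
    """The highest index is the primary key, the one that encrypts new tokens."""
    return max(key_indexes(repo))


def setup_repository(repo):
    """What ``keystone-manage fernet_setup`` does: staged key 0 and primary key 1."""
    _write_key(repo, STAGED)
    _write_key(repo, 1)


def rotate(repo, max_active_keys):
    """What ``keystone-manage fernet_rotate`` does; returns the purged indexes.

    The staged key becomes the new primary, a new staged key is generated, and
    the oldest secondary keys are removed until no more than ``max_active_keys``
    files remain (the count includes the staged and the primary key).
    """
    if max_active_keys < 2:
        raise ValueError("max_active_keys must be at least 2 (staged + primary)")
    os.rename(_key_path(repo, STAGED), _key_path(repo, primary_key(repo) + 1))
    _write_key(repo, STAGED)
    remaining = key_indexes(repo)
    purged = []
    while len(remaining) > max_active_keys:
        oldest = remaining.pop(1)  # position 0 is the staged key; 1 is the oldest secondary
        os.remove(_key_path(repo, oldest))
        purged.append(oldest)
    return purged


def can_decrypt(repo, key_index):
    """A token is valid only while the key that encrypted it is still in the repository."""
    return key_index in key_indexes(repo)


def rotations_token_survives(max_active_keys):
    """Rotations a token issued under the primary key is guaranteed to survive.

    The issuing key turns secondary at the first rotation and is purged after
    ``max_active_keys - 2`` more, so rotation interval * (max_active_keys - 2)
    must be at least the configured token lifetime.
    """
    return max_active_keys - 2


def demo(max_active_keys=3):
    """Issue a token under the primary key, rotate twice, report what happened."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    try:
        setup_repository(repo)
        issued_with = primary_key(repo)
        purged_first = rotate(repo, max_active_keys)
        valid_after_first = can_decrypt(repo, issued_with)
        purged_second = rotate(repo, max_active_keys)
        valid_after_second = can_decrypt(repo, issued_with)
        return {
            "issued_with": issued_with,
            "purged_first": purged_first,
            "valid_after_first": valid_after_first,
            "purged_second": purged_second,
            "valid_after_second": valid_after_second,
            "keys": key_indexes(repo),
        }
    finally:
        shutil.rmtree(repo)


if __name__ == "__main__":
    print(demo(3))
```

With ``max_active_keys: 3`` as in the pillar above, a token issued just before
a rotation survives exactly one further rotation, so the rotation interval
multiplied by ``max_active_keys - 2`` has to be at least the configured token
lifetime or still-valid tokens get rejected early; raising ``max_active_keys``
keeps older keys, and every token encrypted under them, alive longer.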
Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm.domain.com"
            suffix: "dc=cloud,dc=domain,dc=com"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
            uid: keystone
            password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
          - host: 10.0.16.1
          - host: 10.0.16.2
          - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

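The CADF payload is what makes these notifications useful for detection: each
``identity.authenticate`` event carries the action, the outcome and the
initiator's address. The Python below is an added example for this README, not
code from the formula or from Keystone. It runs a failed-login burst detection
over a handful of constructed notifications; the oslo.messaging envelope is
reduced to ``event_type`` and ``payload``, the addresses, user names and
timestamps are invented, and only the ``action``, ``outcome``, ``eventTime``
and ``initiator.host.address`` fields of the CADF record are consumed.

```python
"""Failed-login burst detection over Keystone CADF audit notifications.

Added example for this README; not part of salt-formula-keystone or Keystone.
The notifications below are constructed by hand in the shape Keystone emits
with ``notification_format: cadf``: an oslo.messaging envelope (reduced here
to ``event_type`` and ``payload``) whose payload is a CADF record.  The
addresses, user names and timestamps are invented.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"


def _event(ts, outcome, address, user):
    """Build one constructed identity.authenticate notification as JSON text."""
    return json.dumps({
        "event_type": "identity.authenticate",
        "payload": {
            "typeURI": CADF_EVENT,
            "eventType": "activity",
            "action": "authenticate",
            "outcome": outcome,
            "eventTime": ts,
            "initiator": {
                "typeURI": "service/security/account/user",
                "name": user,
                "host": {"address": address},
            },
            "observer": {"typeURI": "service/security", "id": "keystone01"},
        },
    })


# Constructed sample: five failures from one address inside a minute, then a
# success from the same address, plus unrelated traffic from service hosts.
SAMPLE_NOTIFICATIONS = [
    _event("2016-12-05T12:00:01.000000+0000", "failure", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:05.000000+0000", "failure", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:10.000000+0000", "failure", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:17.000000+0000", "failure", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:30.000000+0000", "failure", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:40.000000+0000", "success", "203.0.113.7", "admin"),
    _event("2016-12-05T12:00:20.000000+0000", "success", "10.0.0.20", "nova"),
    _event("2016-12-05T12:05:00.000000+0000", "failure", "10.0.0.21", "glance"),
]


def parse_auth_event(raw):
    """Return (time, source address, user, outcome) for an authenticate event, else None."""
    msg = json.loads(raw)
    payload = msg.get("payload") or {}
    if (msg.get("event_type") != "identity.authenticate"
            or payload.get("typeURI") != CADF_EVENT
            or payload.get("action") != "authenticate"):
        return None
    when = datetime.strptime(payload["eventTime"], "%Y-%m-%dT%H:%M:%S.%f%z")
    initiator = payload.get("initiator") or {}
    address = (initiator.get("host") or {}).get("address", "unknown")
    return when, address, initiator.get("name", "unknown"), payload.get("outcome")


def detect_bruteforce(raw_events, threshold=5, window=timedelta(minutes=1)):
    """Alert on addresses with >= threshold failures inside ``window``, and on a
    success from such an address while its burst is still inside the window."""
    parsed = [p for p in (parse_auth_event(r) for r in raw_events) if p]
    parsed.sort(key=lambda p: p[0])          # notifications can arrive out of order
    failures = defaultdict(deque)            # address -> timestamps of recent failures
    bursting = set()
    alerts = []
    for when, address, user, outcome in parsed:
        recent = failures[address]
        while recent and when - recent[0] > window:
            recent.popleft()                 # drop failures older than the window
        if not recent:
            bursting.discard(address)
        if outcome == "failure":
            recent.append(when)
            if len(recent) >= threshold and address not in bursting:
                bursting.add(address)
                alerts.append(("auth_failure_burst", address, user, len(recent)))
        elif outcome == "success" and address in bursting:
            alerts.append(("success_after_burst", address, user, len(recent)))
            bursting.discard(address)        # report the follow-up success once
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_NOTIFICATIONS):
        print(alert)
```

The second alert type is the one worth paging on: a success from an address
that has just produced a burst of failures is the signature of a guessed
password, while the burst alone is mostly noise from misconfigured clients.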
Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
        - wsgi

Enable Federated keystone. Keystone hands the unscoped token back to the
browser in a form that posts it to the ``trusted_dashboard`` URL, so outside of
test setups that URL should be https.

.. code-block:: yaml

    keystone:
      server:
        websso:
          protocol: saml2
          remote_id_attribute: Shib-Identity-Provider
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
          - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-shib2
        modules:
        - wsgi
        - shib2

Keystone client
---------------

Service endpoints enforcement with service token. The service token bypasses
Keystone's policy and gives full control of the admin API, so use it for
bootstrapping only and prefer an admin user otherwise.

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'token'
              user: admin
              password: 'passwd'
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on IRC; meeting details are at:

https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for a specific salt
formula:

https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing
list:

https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula:

https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

#salt-formulas @ irc.freenode.net