Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / keystone / 6fd899f79c3d7433168f36b5d4fcd7df70856c71 / . / README.rst
blob: c89c7501536d1a40cc08be6cde328f88277968af [file] [log] [blame]
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]1==================
2OpenStack Keystone
3==================
4
Jakub Pavlikffc280d2016-05-20 11:19:14 +0200[diff] [blame]5Keystone provides authentication, authorization and service discovery
6mechanisms via HTTP primarily for use by projects in the OpenStack family. It
7is most commonly deployed as an HTTP interface to existing identity systems,
8such as LDAP.
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]9
10From Kilo release Keystone v3 endpoint has definition without version in url
11
12.. code-block:: bash
13
14 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
15 | id | region | publicurl | internalurl | adminurl | service_id |
16 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
17 | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
18 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
19
20
21Sample pillars
22==============
23
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]24.. caution::
Adam Tengler7c66c882016-03-14 19:35:49 +0100[diff] [blame]25
Jakub Pavlikffc280d2016-05-20 11:19:14 +0200[diff] [blame]26 When you use localhost as your database host (keystone:server:
27 atabase:host), sqlalchemy will try to connect to /var/run/mysql/
28 mysqld.sock, may cause issues if you located your mysql socket elsewhere
Adam Tengler7c66c882016-03-14 19:35:49 +0100[diff] [blame]29
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]30Full stacked keystone
31
32.. code-block:: yaml
33
34 keystone:
35 server:
36 enabled: true
37 version: juno
38 service_token: 'service_tokeen'
39 service_tenant: service
40 service_password: 'servicepwd'
41 admin_tenant: admin
42 admin_name: admin
43 admin_password: 'adminpwd'
44 admin_email: stackmaster@domain.com
45 roles:
46 - admin
47 - Member
48 - image_manager
49 bind:
50 address: 0.0.0.0
51 private_address: 127.0.0.1
52 private_port: 35357
53 public_address: 127.0.0.1
54 public_port: 5000
55 api_version: 2.0
56 region: RegionOne
57 database:
58 engine: mysql
59 host: '127.0.0.1'
60 name: 'keystone'
61 password: 'LfTno5mYdZmRfoPV'
62 user: 'keystone'
63
64Keystone public HTTPS API
65
66.. code-block:: yaml
67
68 keystone:
69 server:
70 enabled: true
71 version: juno
72 ...
73 services:
74 - name: nova
75 type: compute
76 description: OpenStack Compute Service
77 user:
78 name: nova
79 password: password
80 bind:
81 public_address: cloud.domain.com
82 public_protocol: https
83 public_port: 8774
84 internal_address: 10.0.0.20
85 internal_port: 8774
86 admin_address: 10.0.0.20
87 admin_port: 8774
88
89Keystone memcached storage for tokens
90
91.. code-block:: yaml
92
93 keystone:
94 server:
95 enabled: true
96 version: juno
97 ...
98 token_store: cache
99 cache:
100 engine: memcached
101 host: 127.0.0.1
102 port: 11211
103 services:
104 ...
105
106Keystone clustered memcached storage for tokens
107
108.. code-block:: yaml
109
110 keystone:
111 server:
112 enabled: true
113 version: juno
114 ...
115 token_store: cache
116 cache:
117 engine: memcached
118 members:
119 - host: 192.160.0.1
120 port: 11211
121 - host: 192.160.0.2
122 port: 11211
123 services:
124 ...
125
126Keystone client
127
128.. code-block:: yaml
129
130 keystone:
131 client:
132 enabled: true
133 server:
134 host: 10.0.0.2
135 public_port: 5000
136 private_port: 35357
137 service_token: 'token'
138 admin_tenant: admin
139 admin_name: admin
140 admin_password: 'passwd'
141
142Keystone cluster
143
144.. code-block:: yaml
145
146 keystone:
147 control:
148 enabled: true
149 provider:
150 os15_token:
151 host: 10.0.0.2
152 port: 35357
153 token: token
154 os15_tcp_core_stg:
155 host: 10.0.0.5
156 port: 5000
157 tenant: admin
158 name: admin
159 password: password
160
161Keystone fernet tokens for OpenStack Kilo release
162
163.. code-block:: yaml
164
165 keystone:
166 server:
167 ...
168 tokens:
169 engine: fernet
Jakub Pavlik6b0b74a2016-09-01 10:49:14 +0200[diff] [blame]170 max_active_keys: 3
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]171 ...
172
Oleksii Chupryn6fd899f2017-04-21 10:20:51 +0300[diff] [blame^]173Keystone auth methods
174
175.. code-block:: yaml
176
177 keystone:
178 server:
179 ...
180 auth_methods:
181 - external
182 - password
183 - token
184 - oauth1
185 ...
186
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]187Keystone domain with LDAP backend, using SQL for role/project assignment
188
189.. code-block:: yaml
190
191 keystone:
192 server:
193 domain:
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100[diff] [blame]194 description: "Testing domain"
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]195 backend: ldap
196 assignment:
197 backend: sql
198 ldap:
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]199 url: "ldaps://idm.domain.com"
200 suffix: "dc=cloud,dc=domain,dc=com"
201 # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]202 uid: keystone
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]203 password: password
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100[diff] [blame]204
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100[diff] [blame]205Using LDAP backend for default domain
206
207.. code-block:: yaml
208
209 keystone:
210 server:
211 backend: ldap
212 assignment:
213 backend: sql
214 ldap:
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]215 url: "ldaps://idm.domain.com"
216 suffix: "dc=cloud,dc=domain,dc=com"
217 # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100[diff] [blame]218 uid: keystone
Ales Komarekaabbda62016-03-15 08:38:35 +0100[diff] [blame]219 password: password
220
221Simple service endpoint definition (defaults to RegionOne)
222
223.. code-block:: yaml
224
225 keystone:
226 server:
227 service:
228 ceilometer:
229 type: metering
230 description: OpenStack Telemetry Service
231 user:
232 name: ceilometer
233 password: password
234 bind:
235 ...
236
237Region-aware service endpoints definition
238
239.. code-block:: yaml
240
241 keystone:
242 server:
243 service:
244 ceilometer_region01:
245 service: ceilometer
246 type: metering
247 region: region01
248 description: OpenStack Telemetry Service
249 user:
250 name: ceilometer
251 password: password
252 bind:
253 ...
254 ceilometer_region02:
255 service: ceilometer
256 type: metering
257 region: region02
258 description: OpenStack Telemetry Service
259 bind:
260 ...
261
Jakub Pavlik72e31d62016-04-08 16:26:57 +0200[diff] [blame]262Enable ceilometer notifications
263
264.. code-block:: yaml
265
266 keystone:
267 server:
268 notification: true
269 message_queue:
270 engine: rabbitmq
271 host: 127.0.0.1
272 port: 5672
273 user: openstack
274 password: password
275 virtual_host: '/openstack'
276 ha_queues: true
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100[diff] [blame]277
Jakub Pavlik205ef802016-12-14 12:48:42 +0100[diff] [blame]278Client-side RabbitMQ HA setup
279
280.. code-block:: yaml
281
282 keystone:
283 server:
284 ....
285 message_queue:
286 engine: rabbitmq
287 members:
288 - host: 10.0.16.1
289 - host: 10.0.16.2
290 - host: 10.0.16.3
291 user: openstack
292 password: pwd
293 virtual_host: '/openstack'
294 ....
295
Petr Michalec98fc6d62016-12-03 11:30:35 +0100[diff] [blame]296Enable CADF audit notification
297
298.. code-block:: yaml
299
300 keystone:
301 server:
302 notification: true
303 notification_format: cadf
304
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]305Run keystone under Apache
306
307.. code-block:: yaml
308
309 keystone:
310 server:
311 service_name: apache2
312 apache:
313 server:
314 enabled: true
315 default_mpm: event
316 site:
317 keystone:
318 enabled: true
319 type: keystone
320 name: wsgi
321 host:
322 name: ${linux:network:fqdn}
323 modules:
324 - wsgi
325
326Enable Federated keystone
327
328.. code-block:: yaml
329
330 keystone:
331 server:
Oleksii Chupryn6fd899f2017-04-21 10:20:51 +0300[diff] [blame^]332 auth_methods:
333 - password
334 - token
335 - saml2
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]336 websso:
337 protocol: saml2
338 remote_id_attribute: Shib-Identity-Provider
339 federation_driver: keystone.contrib.federation.backends.sql.Federation
Oleksii Chupryn5f110b02017-03-30 09:54:27 +0300[diff] [blame]340 federated_domain_name: Federated
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]341 trusted_dashboard:
342 - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
Oleksii Chupryn45e4d602017-03-07 16:40:44 +0200[diff] [blame]343 shib_url_scheme: https
Alexander Noskov78b81e02016-12-05 16:20:50 +0400[diff] [blame]344 apache:
345 server:
346 pkgs:
347 - apache2
348 - libapache2-mod-shib2
349 modules:
350 - wsgi
351 - shib2
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]352
mnederlof5d9ccac2017-03-02 15:47:50 +0100[diff] [blame]353Use a custom identity driver with custom options
354
355.. code-block:: yaml
356
357 keystone:
358 server:
359 backend: k2k
360 k2k:
361 auth_url: 'https://keystone.example.com/v2.0'
362 read_user: 'example_user'
363 read_pass: 'password'
364 read_tenant_id: 'admin'
365 identity_driver: 'sql'
366 id_prefix: 'k2k:'
367 domain: 'default'
368 caching: true
369 cache_time: 600
370
371
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]372Keystone client
373---------------
374
375Service endpoints enforcement with service token
376
377.. code-block:: yaml
378
379 keystone:
380 client:
381 enabled: true
382 server:
383 keystone01:
384 admin:
385 host: 10.0.0.2
386 port: 35357
387 token: 'service_token'
388 service:
389 nova:
390 type: compute
391 description: OpenStack Compute Service
392 endpoints:
393 - region: region01
394 public_address: 172.16.10.1
395 public_port: 8773
396 public_path: '/v2'
397 internal_address: 172.16.10.1
398 internal_port: 8773
399 internal_path: '/v2'
400 admin_address: 172.16.10.1
401 admin_port: 8773
402 admin_path: '/v2'
403
404Project, users, roles enforcement with admin user
405
406.. code-block:: yaml
407
408 keystone:
409 client:
410 enabled: true
411 server:
412 keystone01:
413 admin:
414 host: 10.0.0.2
415 port: 5000
Jiri Broulik1703fcc2017-02-13 17:42:29 +0100[diff] [blame]416 project: admin
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]417 user: admin
418 password: 'passwd'
Jiri Broulik1703fcc2017-02-13 17:42:29 +0100[diff] [blame]419 region_name: RegionOne
420 protocol: https
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]421 roles:
422 - admin
423 - member
424 project:
425 tenant01:
426 description: "test env"
Jiri Broulik59000e92017-02-06 18:14:06 +0100[diff] [blame]427 quota:
428 instances: 100
429 cores: 24
430 ram: 151200
431 floating_ips: 50
432 fixed_ips: -1
433 metadata_items: 128
434 injected_files: 5
435 injected_file_content_bytes: 10240
436 injected_file_path_bytes: 255
437 key_pairs: 100
438 security_groups: 20
439 security_group_rules: 40
440 server_groups: 20
441 server_group_members: 20
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]442 user:
443 user01:
444 email: jdoe@domain.com
445 is_admin: true
446 password: some
447 user02:
448 email: jdoe2@domain.com
449 password: some
450 roles:
451 - custom-roles
452
Richard Felkl5ff315e2017-02-01 23:26:23 +0100[diff] [blame]453Multiple servers example
454
455.. code-block:: yaml
456
Jiri Broulik1703fcc2017-02-13 17:42:29 +0100[diff] [blame]457 keystone:
458 client:
459 enabled: true
460 server:
461 keystone01:
462 admin:
463 host: 10.0.0.2
464 port: 5000
465 project: 'admin'
466 user: admin
467 password: 'workshop'
468 region_name: RegionOne
469 protocol: https
470 keystone02:
471 admin:
472 host: 10.0.0.3
473 port: 5000
474 project: 'admin'
475 user: admin
476 password: 'workshop'
477 region_name: RegionOne
Richard Felkl5ff315e2017-02-01 23:26:23 +0100[diff] [blame]478
Jiri Broulik59000e92017-02-06 18:14:06 +0100[diff] [blame]479
480Tenant quotas
481
482.. code-block:: yaml
483
484 keystone:
485 client:
486 enabled: true
487 server:
488 keystone01:
489 admin:
490 host: 10.0.0.2
491 port: 5000
Jiri Broulik1703fcc2017-02-13 17:42:29 +0100[diff] [blame]492 project: admin
Jiri Broulik59000e92017-02-06 18:14:06 +0100[diff] [blame]493 user: admin
494 password: 'passwd'
Jiri Broulik1703fcc2017-02-13 17:42:29 +0100[diff] [blame]495 region_name: RegionOne
496 protocol: https
Jiri Broulik59000e92017-02-06 18:14:06 +0100[diff] [blame]497 roles:
498 - admin
499 - member
500 project:
501 tenant01:
502 description: "test env"
503 quota:
504 instances: 100
505 cores: 24
506 ram: 151200
507 floating_ips: 50
508 fixed_ips: -1
509 metadata_items: 128
510 injected_files: 5
511 injected_file_content_bytes: 10240
512 injected_file_path_bytes: 255
513 key_pairs: 100
514 security_groups: 20
515 security_group_rules: 40
516 server_groups: 20
517 server_group_members: 20
518
Oleksii Chupryn4fec2132017-04-03 17:35:28 +0300[diff] [blame]519Extra config params in keystone.conf (since Mitaka release)
520
521.. code-block:: yaml
522
523 keystone:
524 server:
525 ....
526 extra_config:
527 ini_section1:
528 param1: value
529 param2: value
530 ini_section2:
531 param1: value
532 param2: value
533 ....
534
Jiri Broulik59000e92017-02-06 18:14:06 +0100[diff] [blame]535Usage
536=====
537
538Apply state `keystone.client.service` first and then `keystone.client` state.
539
540
Jakub Pavlikffc280d2016-05-20 11:19:14 +0200[diff] [blame]541Documentation and Bugs
Ales Komarek74a3ba62016-10-05 12:16:52 +0200[diff] [blame]542======================
Filip Pytloun943d6882015-10-06 16:28:32 +0200[diff] [blame]543
Jakub Pavlikffc280d2016-05-20 11:19:14 +0200[diff] [blame]544To learn how to deploy OpenStack Salt, consult the documentation available
545online at:
546
547 https://wiki.openstack.org/wiki/OpenStackSalt
548
549In the unfortunate event that bugs are discovered, they should be reported to
550the appropriate bug tracker. If you obtained the software from a 3rd party
551operating system vendor, it is often wise to use their own bug tracker for
552reporting problems. In all other cases use the master OpenStack bug tracker,
553available at:
554
555 http://bugs.launchpad.net/openstack-salt
556
557Developers wishing to work on the OpenStack Salt project should always base
558their work on the latest formulas code, available from the master GIT
559repository at:
560
561 https://git.openstack.org/cgit/openstack/salt-formula-keystone
562
563Developers should also join the discussion on the IRC list, at:
564
565 https://wiki.openstack.org/wiki/Meetings/openstack-salt
Filip Pytloun4cc5c0f2017-02-02 13:02:03 +0100[diff] [blame]566
567Documentation and Bugs
568======================
569
570To learn how to install and update salt-formulas, consult the documentation
571available online at:
572
573 http://salt-formulas.readthedocs.io/
574
575In the unfortunate event that bugs are discovered, they should be reported to
576the appropriate issue tracker. Use Github issue tracker for specific salt
577formula:
578
579 https://github.com/salt-formulas/salt-formula-keystone/issues
580
581For feature requests, bug reports or blueprints affecting entire ecosystem,
582use Launchpad salt-formulas project:
583
584 https://launchpad.net/salt-formulas
585
586You can also join salt-formulas-users team and subscribe to mailing list:
587
588 https://launchpad.net/~salt-formulas-users
589
590Developers wishing to work on the salt-formulas projects should always base
591their work on master branch and submit pull request against specific formula.
592
593 https://github.com/salt-formulas/salt-formula-keystone
594
595Any questions or feedback is always welcome so feel free to join our IRC
596channel:
597
598 #salt-formulas @ irc.freenode.net