Blame - README.rst - salt-formulas/keystone

blob: dc1fd5a8b73ad71c4115c85f4f89efc718d5f0c1 [file] [log] [blame]

Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	1	==================
				2	OpenStack Keystone
				3	==================
				4
				5	Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
				6
				7	From Kilo release Keystone v3 endpoint has definition without version in url
				8
				9	.. code-block:: bash
				10
				11	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				12	\| id \| region \| publicurl \| internalurl \| adminurl \| service_id \|
				13	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				14	\| 91663a8db11c487c9253c8c456863494 \| RegionOne \| http://10.0.150.37:5000/ \| http://10.0.150.37:5000/ \| http://10.0.150.37:35357/ \| 0fd2dba3153d45a1ba7f709cfc2d69c9 \|
				15	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				16
				17
				18	Sample pillars
				19	==============
				20
Adam Tengler	7c66c88	2016-03-14 19:35:49 +0100	[diff] [blame^]	21	.. caution::
				22
				23	When you use localhost as your database host (keystone:server:database:host), sqlalchemy will try to connect to /var/run/mysql/mysqld.sock, may cause issues if you located your mysql socket elsewhere
				24
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	25	Full stacked keystone
				26
				27	.. code-block:: yaml
				28
				29	keystone:
				30	server:
				31	enabled: true
				32	version: juno
				33	service_token: 'service_tokeen'
				34	service_tenant: service
				35	service_password: 'servicepwd'
				36	admin_tenant: admin
				37	admin_name: admin
				38	admin_password: 'adminpwd'
				39	admin_email: stackmaster@domain.com
				40	roles:
				41	- admin
				42	- Member
				43	- image_manager
				44	bind:
				45	address: 0.0.0.0
				46	private_address: 127.0.0.1
				47	private_port: 35357
				48	public_address: 127.0.0.1
				49	public_port: 5000
				50	api_version: 2.0
				51	region: RegionOne
				52	database:
				53	engine: mysql
				54	host: '127.0.0.1'
				55	name: 'keystone'
				56	password: 'LfTno5mYdZmRfoPV'
				57	user: 'keystone'
				58
				59	Keystone public HTTPS API
				60
				61	.. code-block:: yaml
				62
				63	keystone:
				64	server:
				65	enabled: true
				66	version: juno
				67	...
				68	services:
				69	- name: nova
				70	type: compute
				71	description: OpenStack Compute Service
				72	user:
				73	name: nova
				74	password: password
				75	bind:
				76	public_address: cloud.domain.com
				77	public_protocol: https
				78	public_port: 8774
				79	internal_address: 10.0.0.20
				80	internal_port: 8774
				81	admin_address: 10.0.0.20
				82	admin_port: 8774
				83
				84	Keystone memcached storage for tokens
				85
				86	.. code-block:: yaml
				87
				88	keystone:
				89	server:
				90	enabled: true
				91	version: juno
				92	...
				93	token_store: cache
				94	cache:
				95	engine: memcached
				96	host: 127.0.0.1
				97	port: 11211
				98	services:
				99	...
				100
				101	Keystone clustered memcached storage for tokens
				102
				103	.. code-block:: yaml
				104
				105	keystone:
				106	server:
				107	enabled: true
				108	version: juno
				109	...
				110	token_store: cache
				111	cache:
				112	engine: memcached
				113	members:
				114	- host: 192.160.0.1
				115	port: 11211
				116	- host: 192.160.0.2
				117	port: 11211
				118	services:
				119	...
				120
				121	Keystone client
				122
				123	.. code-block:: yaml
				124
				125	keystone:
				126	client:
				127	enabled: true
				128	server:
				129	host: 10.0.0.2
				130	public_port: 5000
				131	private_port: 35357
				132	service_token: 'token'
				133	admin_tenant: admin
				134	admin_name: admin
				135	admin_password: 'passwd'
				136
				137	Keystone cluster
				138
				139	.. code-block:: yaml
				140
				141	keystone:
				142	control:
				143	enabled: true
				144	provider:
				145	os15_token:
				146	host: 10.0.0.2
				147	port: 35357
				148	token: token
				149	os15_tcp_core_stg:
				150	host: 10.0.0.5
				151	port: 5000
				152	tenant: admin
				153	name: admin
				154	password: password
				155
				156	Keystone fernet tokens for OpenStack Kilo release
				157
				158	.. code-block:: yaml
				159
				160	keystone:
				161	server:
				162	...
				163	tokens:
				164	engine: fernet
				165	...
				166
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	167	Keystone domain with LDAP backend, using SQL for role/project assignment
				168
				169	.. code-block:: yaml
				170
				171	keystone:
				172	server:
				173	domain:
Filip Pytloun	af25d8d	2016-01-12 14:21:39 +0100	[diff] [blame]	174	description: "Testing domain"
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	175	backend: ldap
				176	assignment:
				177	backend: sql
				178	ldap:
				179	url: "ldaps://idm01.workshop.cloudlab.cz"
				180	suffix: "dc=workshop,dc=cloudlab,dc=cz"
				181	# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
				182	uid: keystone
				183	password: cloudlab
				184
Filip Pytloun	1abfdd7	2016-01-18 11:35:17 +0100	[diff] [blame]	185	Using LDAP backend for default domain
				186
				187	.. code-block:: yaml
				188
				189	keystone:
				190	server:
				191	backend: ldap
				192	assignment:
				193	backend: sql
				194	ldap:
				195	url: "ldaps://idm01.workshop.cloudlab.cz"
				196	suffix: "dc=workshop,dc=cloudlab,dc=cz"
				197	# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
				198	uid: keystone
				199	password: cloudlab
				200
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	201	Read more
				202	=========
				203
				204	* http://docs.openstack.org/developer/keystone/configuration.html
				205	* http://docs.openstack.org/developer/keystone/architecture.html
				206	* http://docs.saltstack.com/ref/states/all/salt.states.keystone.html
				207	* http://docs.saltstack.com/ref/modules/all/salt.modules.keystone.html
				208	* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
				209	* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
				210	* https://bugs.launchpad.net/tripleo/+bug/1203910
				211
				212	Things to improve
				213	=================
				214
				215	* Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
				216	* Keystone with MongoDB backend - where is it?
				217	* IdP is owned by domain, domain corresponds to billable account - IdP administration
				218	* IdP Shiboleth alternatives - mod_auth_mellon
				219
				220	Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)