| Filip Pytloun | 943d688 | 2015-10-06 16:28:32 +0200 | [diff] [blame^] | 1 | ================== |
| 2 | OpenStack Keystone |
| 3 | ================== |
| 4 | |
| 5 | Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP. |
| 6 | |
| 7 | From Kilo release Keystone v3 endpoint has definition without version in url |
| 8 | |
| 9 | .. code-block:: bash |
| 10 | |
| 11 | +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+ |
| 12 | | id | region | publicurl | internalurl | adminurl | service_id | |
| 13 | +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+ |
| 14 | | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 | |
| 15 | +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+ |
| 16 | |
| 17 | |
| 18 | Sample pillars |
| 19 | ============== |
| 20 | |
| 21 | Full stacked keystone |
| 22 | |
| 23 | .. code-block:: yaml |
| 24 | |
| 25 | keystone: |
| 26 | server: |
| 27 | enabled: true |
| 28 | version: juno |
| 29 | service_token: 'service_tokeen' |
| 30 | service_tenant: service |
| 31 | service_password: 'servicepwd' |
| 32 | admin_tenant: admin |
| 33 | admin_name: admin |
| 34 | admin_password: 'adminpwd' |
| 35 | admin_email: stackmaster@domain.com |
| 36 | roles: |
| 37 | - admin |
| 38 | - Member |
| 39 | - image_manager |
| 40 | bind: |
| 41 | address: 0.0.0.0 |
| 42 | private_address: 127.0.0.1 |
| 43 | private_port: 35357 |
| 44 | public_address: 127.0.0.1 |
| 45 | public_port: 5000 |
| 46 | api_version: 2.0 |
| 47 | region: RegionOne |
| 48 | database: |
| 49 | engine: mysql |
| 50 | host: '127.0.0.1' |
| 51 | name: 'keystone' |
| 52 | password: 'LfTno5mYdZmRfoPV' |
| 53 | user: 'keystone' |
| 54 | |
| 55 | Keystone public HTTPS API |
| 56 | |
| 57 | .. code-block:: yaml |
| 58 | |
| 59 | keystone: |
| 60 | server: |
| 61 | enabled: true |
| 62 | version: juno |
| 63 | ... |
| 64 | services: |
| 65 | - name: nova |
| 66 | type: compute |
| 67 | description: OpenStack Compute Service |
| 68 | user: |
| 69 | name: nova |
| 70 | password: password |
| 71 | bind: |
| 72 | public_address: cloud.domain.com |
| 73 | public_protocol: https |
| 74 | public_port: 8774 |
| 75 | internal_address: 10.0.0.20 |
| 76 | internal_port: 8774 |
| 77 | admin_address: 10.0.0.20 |
| 78 | admin_port: 8774 |
| 79 | |
| 80 | Keystone memcached storage for tokens |
| 81 | |
| 82 | .. code-block:: yaml |
| 83 | |
| 84 | keystone: |
| 85 | server: |
| 86 | enabled: true |
| 87 | version: juno |
| 88 | ... |
| 89 | token_store: cache |
| 90 | cache: |
| 91 | engine: memcached |
| 92 | host: 127.0.0.1 |
| 93 | port: 11211 |
| 94 | services: |
| 95 | ... |
| 96 | |
| 97 | Keystone clustered memcached storage for tokens |
| 98 | |
| 99 | .. code-block:: yaml |
| 100 | |
| 101 | keystone: |
| 102 | server: |
| 103 | enabled: true |
| 104 | version: juno |
| 105 | ... |
| 106 | token_store: cache |
| 107 | cache: |
| 108 | engine: memcached |
| 109 | members: |
| 110 | - host: 192.160.0.1 |
| 111 | port: 11211 |
| 112 | - host: 192.160.0.2 |
| 113 | port: 11211 |
| 114 | services: |
| 115 | ... |
| 116 | |
| 117 | Keystone client |
| 118 | |
| 119 | .. code-block:: yaml |
| 120 | |
| 121 | keystone: |
| 122 | client: |
| 123 | enabled: true |
| 124 | server: |
| 125 | host: 10.0.0.2 |
| 126 | public_port: 5000 |
| 127 | private_port: 35357 |
| 128 | service_token: 'token' |
| 129 | admin_tenant: admin |
| 130 | admin_name: admin |
| 131 | admin_password: 'passwd' |
| 132 | |
| 133 | Keystone cluster |
| 134 | |
| 135 | .. code-block:: yaml |
| 136 | |
| 137 | keystone: |
| 138 | control: |
| 139 | enabled: true |
| 140 | provider: |
| 141 | os15_token: |
| 142 | host: 10.0.0.2 |
| 143 | port: 35357 |
| 144 | token: token |
| 145 | os15_tcp_core_stg: |
| 146 | host: 10.0.0.5 |
| 147 | port: 5000 |
| 148 | tenant: admin |
| 149 | name: admin |
| 150 | password: password |
| 151 | |
| 152 | Keystone fernet tokens for OpenStack Kilo release |
| 153 | |
| 154 | .. code-block:: yaml |
| 155 | |
| 156 | keystone: |
| 157 | server: |
| 158 | ... |
| 159 | tokens: |
| 160 | engine: fernet |
| 161 | ... |
| 162 | |
| 163 | Read more |
| 164 | ========= |
| 165 | |
| 166 | * http://docs.openstack.org/developer/keystone/configuration.html |
| 167 | * http://docs.openstack.org/developer/keystone/architecture.html |
| 168 | * http://docs.saltstack.com/ref/states/all/salt.states.keystone.html |
| 169 | * http://docs.saltstack.com/ref/modules/all/salt.modules.keystone.html |
| 170 | * http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/ |
| 171 | * http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en |
| 172 | * https://bugs.launchpad.net/tripleo/+bug/1203910 |
| 173 | |
| 174 | Things to improve |
| 175 | ================= |
| 176 | |
| 177 | * Keystone as service provider (SP) - must be running under Apache (same as with PKI token) |
| 178 | * Keystone with MongoDB backend - where is it? |
| 179 | * IdP is owned by domain, domain corresponds to billable account - IdP administration |
| 180 | * IdP Shiboleth alternatives - mod_auth_mellon |
| 181 | |
| 182 | Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet) |