==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP, primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release the Keystone endpoint is registered without an API
version in the URL; clients discover the supported versions (v2.0, v3) from
the root document instead.

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host (keystone:server:database:host),
    SQLAlchemy connects through the local MySQL UNIX socket rather than TCP
    (on Debian/Ubuntu that is /var/run/mysqld/mysqld.sock), which fails if
    your socket lives elsewhere. Use 127.0.0.1 to force a TCP connection.

Full stacked keystone. The ``service_token`` is Keystone's bootstrap admin
token: anyone holding it has full administrative access on the admin
endpoint, so treat it, and the other passwords below, as secrets.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_token'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone with custom policies. A key with a rule is created, or overwritten
with that rule if it already exists. A key with no value (like
``existing_rule`` below) is deleted from the policy file.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:

99
Filip Pytloun943d6882015-10-06 16:28:32 +0200100Keystone memcached storage for tokens
101
102.. code-block:: yaml
103
104 keystone:
105 server:
106 enabled: true
107 version: juno
108 ...
109 token_store: cache
110 cache:
111 engine: memcached
112 host: 127.0.0.1
113 port: 11211
114 services:
115 ...
116
117Keystone clustered memcached storage for tokens
118
119.. code-block:: yaml
120
121 keystone:
122 server:
123 enabled: true
124 version: juno
125 ...
126 token_store: cache
127 cache:
128 engine: memcached
129 members:
130 - host: 192.160.0.1
131 port: 11211
132 - host: 192.160.0.2
133 port: 11211
134 services:
135 ...
136
137Keystone client
138
139.. code-block:: yaml
140
141 keystone:
142 client:
143 enabled: true
144 server:
145 host: 10.0.0.2
146 public_port: 5000
147 private_port: 35357
148 service_token: 'token'
149 admin_tenant: admin
150 admin_name: admin
151 admin_password: 'passwd'
152
153Keystone cluster
154
155.. code-block:: yaml
156
157 keystone:
158 control:
159 enabled: true
160 provider:
161 os15_token:
162 host: 10.0.0.2
163 port: 35357
164 token: token
165 os15_tcp_core_stg:
166 host: 10.0.0.5
167 port: 5000
168 tenant: admin
169 name: admin
170 password: password
171
172Keystone fernet tokens for OpenStack Kilo release
173
174.. code-block:: yaml
175
176 keystone:
177 server:
178 ...
179 tokens:
180 engine: fernet
Jakub Pavlik6b0b74a2016-09-01 10:49:14 +0200181 max_active_keys: 3
Filip Pytloun943d6882015-10-06 16:28:32 +0200182 ...
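
The rotation rule behind ``max_active_keys``, as an added example (the
editor's illustration, not the formula's or Keystone's own code). It models
the key repository that ``keystone-manage fernet_setup`` and
``keystone-manage fernet_rotate`` maintain under ``/etc/keystone/fernet-keys``:
key ``0`` is staged (validates, never issues), the highest-numbered key is the
primary (issues tokens), the rest are secondaries (validate only). A token is
represented by the key that encrypted it instead of real Fernet ciphertext so
the block runs without the ``cryptography`` package; the promote, stage and
purge order follows Keystone's documented behaviour.

```python
"""Fernet key-repository rotation reduced to its bookkeeping.
Added example; not the formula's or Keystone's own code.
"""
from __future__ import annotations

import base64
import os
from typing import Dict, List, Tuple

KeyRepo = Dict[int, str]  # key index -> key material, like /etc/keystone/fernet-keys/<n>
Token = Tuple[int, str]   # (index of issuing key, key material) stands in for ciphertext


def new_key() -> str:
    """A Fernet key is 32 random bytes, URL-safe base64 encoded (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def fernet_setup() -> KeyRepo:
    """Initial repository: staged key 0 plus primary key 1."""
    return {0: new_key(), 1: new_key()}


def primary_index(repo: KeyRepo) -> int:
    """The primary key is always the highest-numbered one."""
    return max(repo)


def fernet_rotate(repo: KeyRepo, max_active_keys: int) -> KeyRepo:
    """Promote the staged key to primary, stage a fresh key, purge the oldest.

    The purge never removes the staged key (0) or the new primary, so the
    repository keeps at least two keys regardless of max_active_keys.
    """
    if max_active_keys < 1:
        raise ValueError("max_active_keys must be >= 1")
    promoted = primary_index(repo) + 1
    repo[promoted] = repo.pop(0)        # staged key becomes the new primary
    repo[0] = new_key()                 # fresh staged key for the next rotation
    while len(repo) > max_active_keys:  # drop the oldest secondary keys
        oldest = min(i for i in repo if i != 0)
        if oldest == promoted:
            break
        del repo[oldest]
    return repo


def issue_token(repo: KeyRepo) -> Token:
    """Tokens are always encrypted with the current primary key."""
    idx = primary_index(repo)
    return idx, repo[idx]


def validate_token(repo: KeyRepo, token: Token) -> bool:
    """Like MultiFernet: a token validates if any key still in the
    repository is the one that encrypted it, whatever index it now has."""
    _, key = token
    return key in repo.values()


def rotations_survived(max_active_keys: int, rotations: int) -> List[bool]:
    """Issue one token, rotate `rotations` times, record validity after each."""
    repo = fernet_setup()
    token = issue_token(repo)
    outcome = []
    for _ in range(rotations):
        fernet_rotate(repo, max_active_keys)
        outcome.append(validate_token(repo, token))
    return outcome


if __name__ == "__main__":
    # With the pillar's max_active_keys: 3 a token outlives exactly one
    # rotation, so the rotation interval must exceed the token lifetime.
    print(rotations_survived(3, 3))  # [True, False, False]
    print(rotations_survived(4, 3))  # [True, True, False]
```

With ``max_active_keys: 3`` the repository after one rotation holds ``0``
(staged), ``1`` (secondary) and ``2`` (primary), and a token issued before the
rotation is still accepted; after the second rotation key ``1`` is purged and
that token is rejected. Keystone's documentation sizes the setting as
``max_active_keys = token_expiration / rotation_frequency + 2``, the two extra
keys being the staged key and the primary.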

Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

The ``external`` method trusts the ``REMOTE_USER`` variable set by the web
server, so list it only when Keystone runs behind Apache with a module that
performs the authentication.

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm.domain.com"
            suffix: "dc=cloud,dc=domain,dc=com"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
            uid: keystone
            password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Keep ``url`` on ``ldaps://``: with plain ``ldap://`` the bind password and
every authenticating user's credentials cross the network in clear text.

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
          - host: 10.0.16.1
          - host: 10.0.16.2
          - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
        - wsgi

Enable SAML2 Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
          - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-shib2
        modules:
        - wsgi
        - shib2

Enable OIDC Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
          - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-auth-openidc
        modules:
        - wsgi
        - auth_openidc

Three of the values above need attention before production use.
``oidc_ssl_validate_server: 'off'`` disables verification of the identity
provider's TLS certificate, so anyone who can intercept traffic to the
provider can impersonate it; set it to ``'on'`` outside a lab.
``oidc_crypto_passphrase`` is what mod_auth_openidc uses to encrypt its
session state, so replace the placeholder with a long random value.
``trusted_dashboard`` is the list of the only URLs to which Keystone will hand
a token after WebSSO; restrict it to your own dashboard over HTTPS.

Note: the Ubuntu Trusty repository does not contain the
libapache2-mod-auth-openidc package; an additional repository has to be added
to the sources list.

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters. Origins must be written as ``scheme://host``; never
combine ``allow_credentials: True`` with a wildcard origin, because that lets
any web page call the API with the browser's stored credentials.

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400
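
A pre-flight check over a ``keystone`` pillar for the security-sensitive
settings introduced in the federation, LDAP and CORS examples above, as an
added example by the editor (not part of the formula). Pillar keys follow
this README; the sample pillar inside the block is constructed and
deliberately repeats the weak values shown above (TLS validation off for the
OIDC provider, a well-known ``oidc_crypto_passphrase``, malformed CORS
origins). In a real pipeline you would feed it the parsed output of
``salt-call pillar.get keystone`` instead of the inline dict.

```python
"""Lint a keystone pillar for the settings this README warns about.
Added example by the editor; not part of the formula. Pillar layout
follows the README; SAMPLE_PILLAR is constructed, not a real deployment.
"""
from __future__ import annotations

import copy
import secrets
from typing import Any, List

SAMPLE_PILLAR = {
    "keystone": {
        "server": {
            "federation": {
                "oidc": {
                    "protocol": "oidc",
                    "oidc_crypto_passphrase": "openstack",
                    "oidc_ssl_validate_server": "off",
                },
                "trusted_dashboard": ["https://cloud.example.com/auth/websso/"],
            },
            "cors": {
                "allowed_origin": "https:localhost.local,http:localhost.local",
                "allow_credentials": True,
            },
            "domain": {"backend": "ldap", "ldap": {"url": "ldaps://idm.domain.com"}},
        }
    }
}

WELL_KNOWN_PASSPHRASES = {"", "openstack", "password", "secret", "changeme"}


def _get(node: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any step is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_keystone_pillar(pillar: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    server = _get(pillar, "keystone", "server", default={})

    # Federation: the IdP's TLS certificate must be verified, and
    # mod_auth_openidc encrypts its session state with oidc_crypto_passphrase.
    federation = _get(server, "federation", default={})
    for name, proto in federation.items():
        if not isinstance(proto, dict):
            continue  # federation_driver, federated_domain_name, trusted_dashboard
        if str(proto.get("oidc_ssl_validate_server", "on")).lower() == "off":
            findings.append(f"federation:{name}: oidc_ssl_validate_server is off "
                            "(IdP certificate not verified)")
        passphrase = proto.get("oidc_crypto_passphrase")
        if proto.get("protocol") == "oidc" and (
                passphrase is None or str(passphrase).lower() in WELL_KNOWN_PASSPHRASES):
            findings.append(f"federation:{name}: oidc_crypto_passphrase missing or well-known")
    for url in _get(federation, "trusted_dashboard", default=[]) or []:
        if not str(url).startswith("https://"):
            findings.append(f"federation:trusted_dashboard {url}: not https")

    # CORS: credentials plus a wildcard origin lets any site call the API with
    # the browser's stored credentials; each origin must be scheme://host.
    cors = _get(server, "cors", default={})
    origins = [o.strip() for o in str(cors.get("allowed_origin", "")).split(",") if o.strip()]
    allow_credentials = str(cors.get("allow_credentials", "False")).lower() == "true"
    if allow_credentials and "*" in origins:
        findings.append("cors: allow_credentials with wildcard allowed_origin")
    for origin in origins:
        if origin != "*" and not origin.startswith(("https://", "http://")):
            findings.append(f"cors: malformed origin {origin!r} (expected scheme://host)")

    # LDAP: the bind password travels in clear over ldap://.
    for label, ldap in (("ldap", server.get("ldap")),
                        ("domain:ldap", _get(server, "domain", "ldap"))):
        if isinstance(ldap, dict) and str(ldap.get("url", "")).startswith("ldap://"):
            findings.append(f"{label}: url uses ldap://, bind password sent in clear; use ldaps://")
    return findings


def hardened(pillar: dict) -> dict:
    """Copy of the pillar with the flagged values corrected, for comparison."""
    fixed = copy.deepcopy(pillar)
    oidc = _get(fixed, "keystone", "server", "federation", "oidc", default={})
    oidc["oidc_ssl_validate_server"] = "on"
    oidc["oidc_crypto_passphrase"] = secrets.token_urlsafe(32)  # random, per deployment
    cors = _get(fixed, "keystone", "server", "cors", default={})
    cors["allowed_origin"] = "https://localhost.local"
    return fixed


if __name__ == "__main__":
    for finding in check_keystone_pillar(SAMPLE_PILLAR):
        print("-", finding)
    print("after hardening:", check_keystone_pillar(hardened(SAMPLE_PILLAR)))
```

Run against the sample pillar it reports four findings (TLS validation off,
the placeholder passphrase and the two origins written without ``//``) and
nothing once ``hardened()`` has applied the corrections; wire it into the
pipeline that renders pillars so that a weak lab value cannot reach production
unnoticed.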

Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne

Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since the Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

Configuration of the policy.json file

.. code-block:: yaml

    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'
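
The merge semantics that the two ``keystone:server:policy`` examples on this
page describe (a key with a rule is created or overwritten, a key with an
empty value is removed from policy.json), as an added example by the editor
rather than the formula's own code. The existing policy.json content is a
constructed stand-in; the pillar dict combines the keys from both examples
above, with YAML's empty value represented as ``None``.

```python
"""Apply a keystone:server:policy pillar to a policy.json document.
Added example by the editor; not the formula's own code.
"""
import json
from typing import Dict, Optional

# Constructed stand-in for the existing /etc/keystone/policy.json
EXISTING_POLICY_JSON = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "token_subject": "user_id:%(target.token.user_id)s",
    "default": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
    "existing_rule": "rule:admin_required",
})

# keystone:server:policy from the two pillar examples on this page,
# as a Python dict (YAML's empty value loads as None).
PILLAR_POLICY: Dict[str, Optional[str]] = {
    "new_rule": "rule:admin_required",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
    "existing_rule": None,
}


def merge_policy(existing_json: str, pillar_policy: Dict[str, Optional[str]]) -> dict:
    """Apply pillar overrides to the policy document and return the result.

    None deletes the key (idempotently: a missing key is not an error);
    any other value must be a rule string. Deleting a target does not deny
    it: oslo.policy falls back to the "default" rule for targets it cannot
    find, so check what "default" says before relying on a removal.
    """
    policy = json.loads(existing_json)
    for key, rule in pillar_policy.items():
        if rule is None:
            policy.pop(key, None)
        elif isinstance(rule, str):
            policy[key] = rule
        else:
            raise TypeError(f"policy rule {key!r} must be a string or empty, "
                            f"got {type(rule).__name__}")
    return policy


def render_policy(policy: dict) -> str:
    """Serialize with sorted keys so repeated state runs do not rewrite the file."""
    return json.dumps(policy, indent=4, sort_keys=True) + "\n"


def rule_for(policy: dict, target: str) -> str:
    """Which rule string governs `target`, with oslo.policy's default fallback."""
    return policy.get(target, policy["default"])


if __name__ == "__main__":
    merged = merge_policy(EXISTING_POLICY_JSON, PILLAR_POLICY)
    print(render_policy(merged))
    print(rule_for(merged, "existing_rule"))  # falls back to rule:admin_required
```

Applying the same pillar to the rendered result a second time yields the same
document, which is what makes the state idempotent; the ``rule_for`` helper
shows why removing a rule is not a lockdown on its own.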

Usage
=====

Apply the ``keystone.client.service`` state first and then the
``keystone.client`` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire
ecosystem, use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing
list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula.

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net