==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is defined without a version
in its URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host
    (``keystone:server:database:host``), sqlalchemy will try to connect to
    ``/var/run/mysql/mysqld.sock``, which may cause issues if your mysql socket
    is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
          - admin
          - Member
          - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
          - name: nova
            type: compute
            description: OpenStack Compute Service
            user:
              name: nova
              password: password
            bind:
              public_address: cloud.domain.com
              public_protocol: https
              public_port: 8774
              internal_address: 10.0.0.20
              internal_port: 8774
              admin_address: 10.0.0.20
              admin_port: 8774

Keystone with custom policies. Keys with a specified rule are created, or set
to that value if they already exist. Keys with no value (like ``existing_rule``
below) are deleted from the policy file.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:

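The merge semantics described above, as an added example that is not the formula's own code: the policy.json content and the ``PILLAR_POLICY`` dict are constructed to mirror the pillar, and ``dangling_rule_references`` is an extra check for rules that other rules still point at after a deletion.

```python
"""Illustration of the keystone:server:policy pillar semantics.

Added example, not the formula's own code. Keys with a rule string are
created or overwritten; keys whose pillar value is empty (YAML null) are
removed. It also flags rules that other rules still reference after a
deletion, a check worth running before the rendered file is shipped.
"""
import json
import re

# Constructed sample: a cut-down policy.json as it exists on the node before
# the pillar is applied. identity:delete_user references existing_rule.
EXISTING_POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "existing_rule": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
    "identity:delete_user": "rule:existing_rule"
}"""

# The policy pillar from the README: existing_rule has no value, so it is deleted.
PILLAR_POLICY = {
    "new_rule": "rule:admin_required",
    "existing_rule": None,
}

RULE_REF = re.compile(r"\brule:([A-Za-z0-9_:.-]+)")


def apply_policy_overrides(policy, overrides):
    """Return a new policy dict with the pillar overrides applied."""
    result = dict(policy)
    for key, rule in overrides.items():
        if rule is None or (isinstance(rule, str) and not rule.strip()):
            result.pop(key, None)  # deleting an absent key is not an error
        else:
            result[key] = rule
    return result


def dangling_rule_references(policy):
    """Names referenced as rule:<name> that no longer have a definition."""
    referenced = set()
    for rule in policy.values():
        referenced.update(RULE_REF.findall(str(rule)))
    return referenced - set(policy)


def render_policy(policy_json_text, overrides):
    """Parse policy.json text, apply overrides and return the rendered JSON."""
    merged = apply_policy_overrides(json.loads(policy_json_text), overrides)
    return json.dumps(merged, indent=4, sort_keys=True)


if __name__ == "__main__":
    merged = apply_policy_overrides(json.loads(EXISTING_POLICY_JSON), PILLAR_POLICY)
    print(render_policy(EXISTING_POLICY_JSON, PILLAR_POLICY))
    print("dangling rule references:", sorted(dangling_rule_references(merged)))
```
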
Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

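What ``max_active_keys`` means for token validity, as an added example that is neither the formula's nor Keystone's code: a small simulation of the fernet key repository (staged key 0, primary key at the highest index, older keys as secondaries) under repeated rotation, with the pruning driven by ``max_active_keys``.

```python
"""Simulation of fernet key rotation as governed by max_active_keys.

Added example, not the formula's or Keystone's code. It models the rotation
semantics behind the tokens:max_active_keys pillar: key 0 is the staged key,
the highest index is the primary key that signs new tokens, and the rest are
secondary keys that can still validate older tokens. On each rotation the
staged key becomes the new primary, a fresh staged key is generated, and the
oldest secondary keys are dropped until at most max_active_keys remain.
"""
import base64
import os


def new_fernet_key():
    """A urlsafe-base64 encoded 32-byte key, the format fernet keys use."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def initialize_repository():
    """Fresh repository: staged key 0 and primary key 1."""
    return {0: new_fernet_key(), 1: new_fernet_key()}


def primary_index(repo):
    return max(repo)


def rotate(repo, max_active_keys):
    """Return a new repository dict after one rotation."""
    rotated = dict(repo)
    new_primary = primary_index(rotated) + 1
    rotated[new_primary] = rotated.pop(0)  # promote the staged key
    rotated[0] = new_fernet_key()          # new staged key
    # Prune the oldest secondary keys only; staged and primary are kept.
    secondaries = sorted(i for i in rotated if i not in (0, new_primary))
    while len(rotated) > max_active_keys and secondaries:
        del rotated[secondaries.pop(0)]
    return rotated


def validatable_after(repo, signing_index, rotations, max_active_keys):
    """Can a token signed with key signing_index still be validated after
    the given number of rotations? True while the key is still in the repo."""
    for _ in range(rotations):
        repo = rotate(repo, max_active_keys)
    return signing_index in repo


if __name__ == "__main__":
    # With max_active_keys: 3 a token signed by the primary survives exactly
    # one rotation, so the rotation interval must exceed the token lifetime.
    repo = initialize_repository()
    for n in range(4):
        print(n, "rotations:", validatable_after(repo, 1, n, 3))
```
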
Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          external:
            description: "Testing domain"
            backend: ldap
            assignment:
              backend: sql
            ldap:
              url: "ldaps://idm.domain.com"
              suffix: "dc=cloud,dc=domain,dc=com"
              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
              uid: keystone
              password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ...
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ...

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
          - wsgi

Enable SAML2 Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
            - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-shib2
        modules:
          - wsgi
          - shib2

Enable OIDC Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
            - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-auth-openidc
        modules:
          - wsgi
          - auth_openidc

Note: the Ubuntu Trusty repository doesn't contain the
libapache2-mod-auth-openidc package; an additional repository has to be added
to the sources list.

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne

Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ...
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ...

Configuration of policy.json file

.. code-block:: yaml

    keystone:
      server:
        ...
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

Usage
=====

Apply the ``keystone.client.service`` state first and then the
``keystone.client`` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing
list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula:

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net