==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is defined without a version in the URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host (keystone:server:database:host),
    sqlalchemy will try to connect to /var/run/mysql/mysqld.sock, which may cause
    issues if your MySQL socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
          - admin
          - Member
          - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone with custom policies. Keys with a specified rule are created, or set to this value if they already exist. Keys with no value (like our "existing_rule") are deleted from the policy file.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:

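The create, overwrite and delete semantics described above can be previewed against an existing policy file before the state is applied. This is an added example, not code from the formula; ``preview_policy_changes`` is a hypothetical helper and both sample documents are constructed.

```python
import json

# Constructed sample of an existing policy.json (not from a real deployment).
EXISTING_POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "existing_rule": "rule:admin_required",
    "identity:list_users": "rule:admin_required"
}
"""

# Constructed pillar data as a YAML loader returns it: a key written with
# no value (like "existing_rule:") loads as None.
PILLAR_POLICY = {
    "new_rule": "rule:admin_required",
    "existing_rule": None,
    "identity:list_users": "rule:admin_required or rule:token_subject",
}


def preview_policy_changes(policy_json, pillar_policy):
    """Apply pillar policy keys to a policy document and report the effect.

    Keys with a rule are created or overwritten; keys whose value is None
    are deleted. Returns (new_policy, changes), where changes lists the
    affected keys under "created", "updated", "deleted" and "unchanged".
    """
    policy = json.loads(policy_json)
    changes = {"created": [], "updated": [], "deleted": [], "unchanged": []}
    for key, rule in sorted(pillar_policy.items()):
        if rule is None:
            # Deleting a key that is already absent is a no-op, not an error.
            if key in policy:
                del policy[key]
                changes["deleted"].append(key)
            continue
        if key not in policy:
            changes["created"].append(key)
        elif policy[key] != rule:
            changes["updated"].append(key)
        else:
            changes["unchanged"].append(key)
        policy[key] = rule
    return policy, changes


if __name__ == "__main__":
    new_policy, changes = preview_policy_changes(EXISTING_POLICY_JSON, PILLAR_POLICY)
    for action in ("created", "updated", "deleted"):
        print("%-8s %s" % (action, ", ".join(changes[action]) or "-"))
    print(json.dumps(new_policy, indent=4, sort_keys=True))
```
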
Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          external:
            description: "Testing domain"
            backend: ldap
            assignment:
              backend: sql
            ldap:
              url: "ldaps://idm.domain.com"
              suffix: "dc=cloud,dc=domain,dc=com"
              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
              uid: keystone
              password: password

Use driver aliases for drivers instead of class paths

.. code-block:: yaml

    keystone:
      server:
        domain:
          test:
            description: "Test domain"
            backend: ldap
            assignment:
              backend: sql
              driver: sql
            identity:
              backend: ldap
              driver: keystone.identity.backends.ldap.Identity
            ldap:
              url: "ldaps://idm.domain.com"
              ...

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Using LDAP backend for default domain with "user_enabled" field emulation

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldap://idm.domain.com"
          suffix: "ou=Openstack Service Users,o=domain.com"
          bind_user: keystone
          password: password
          # Define LDAP "group" object class and "membership" attribute
          group_objectclass: groupOfUniqueNames
          group_member_attribute: uniqueMember
          # User will receive the "enabled" attribute based on membership in the "os-user-enabled" group
          user_enabled_emulation: True
          user_enabled_emulation_dn: "cn=os-user-enabled,ou=Openstack,o=domain.com"
          user_enabled_emulation_use_group_config: True

If the members of the group objectclass are user IDs rather than DNs, set group_members_are_ids to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password
          group_members_are_ids: True

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

|

By default, system-wide CA certificates are used; nothing needs to be specified except `ssl.enabled`.

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA certificate file path explicitly:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |

              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----

            cacert_file: /etc/openstack/rabbitmq-ca.pem


Notice:
 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for later versions.

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
          - wsgi

Enable SAML2 Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
            - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-shib2
        modules:
          - wsgi
          - shib2

Enable OIDC Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
            - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-auth-openidc
        modules:
          - wsgi
          - auth_openidc

Note: the Ubuntu Trusty repository doesn't contain the libapache2-mod-auth-openidc package. An additional repository should be added to the sources list.

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

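Several of the server samples above differ only in whether a link is encrypted or verified (``ldap://`` versus ``ldaps://``, ``message_queue:ssl:enabled``, ``oidc_ssl_validate_server``, an ``http`` origin in a credentialed CORS list). The following added example, which is not part of the formula, checks a parsed pillar for those settings; ``pget`` and ``audit_transport`` are hypothetical names and the sample pillar is constructed from values on this page.

```python
# Constructed pillar: the dict a YAML loader would return, using values from this page.
SAMPLE_PILLAR = {"keystone": {"server": {
    "ldap": {"url": "ldap://idm.domain.com", "bind_user": "keystone"},
    "domain": {"external": {"ldap": {"url": "ldaps://idm.domain.com"}}},
    "message_queue": {"engine": "rabbitmq", "host": "127.0.0.1", "port": 5672},
    "federation": {"oidc": {"oidc_ssl_validate_server": "off"}},
    "cors": {"allowed_origin": "https://localhost.local,http://localhost.local",
             "allow_credentials": True},
}}}


def pget(tree, path, default=None):
    """Follow a colon-separated pillar path; return default if any key is missing."""
    for key in path.split(":"):
        if not isinstance(tree, dict) or key not in tree:
            return default
        tree = tree[key]
    return tree


def audit_transport(pillar):
    """Return sorted (pillar_path, finding) pairs for cleartext or unverified links."""
    findings = []
    server = pget(pillar, "keystone:server", {})

    # LDAP: the default-domain backend plus every per-domain backend.
    ldap_urls = {"keystone:server:ldap:url": pget(server, "ldap:url")}
    for name, domain in pget(server, "domain", {}).items():
        ldap_urls["keystone:server:domain:%s:ldap:url" % name] = pget(domain, "ldap:url")
    for path, url in ldap_urls.items():
        if isinstance(url, str) and url.lower().startswith("ldap://"):
            findings.append((path, "LDAP bind credentials sent without TLS"))

    # RabbitMQ: TLS is only used when message_queue:ssl:enabled is true.
    mq = pget(server, "message_queue")
    if mq is not None and not pget(mq, "ssl:enabled", False):
        findings.append(("keystone:server:message_queue:ssl:enabled",
                         "AMQP credentials sent without TLS"))

    # OIDC: an unquoted `off` is loaded by YAML 1.1 parsers as boolean False.
    validate = pget(server, "federation:oidc:oidc_ssl_validate_server")
    if validate is False or str(validate).lower() == "off":
        findings.append(("keystone:server:federation:oidc:oidc_ssl_validate_server",
                         "identity provider certificate is not verified"))

    # CORS: credentialed requests should not be allowed from plain-HTTP origins.
    cors = pget(server, "cors", {})
    origins = [o.strip() for o in str(cors.get("allowed_origin", "")).split(",")]
    if cors.get("allow_credentials") and any(o.startswith("http:") for o in origins):
        findings.append(("keystone:server:cors:allowed_origin",
                         "credentialed CORS allowed from a plain-HTTP origin"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_transport(SAMPLE_PILLAR):
        print("%-58s %s" % (path, finding))
```
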
Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne


Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

Configuration of policy.json file

.. code-block:: yaml


    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

Manage os-cloud-config yml with keystone.client

.. code-block:: yaml

    keystone:
      client:
        os_client_config:
          enabled: true
          cfgs:
            root:
              file: /root/.config/openstack/clouds.yml
              content:
                clouds:
                  admin_identity:
                    region_name: RegionOne
                    auth:
                      username: admin
                      password: secretpassword
                      user_domain_name: Default
                      project_name: admin
                      project_domain_name: Default
                      auth_url: "http://1.2.3.4:5000"

Setting up default admin project name and domain

.. code-block:: yaml


    keystone:
      server:
        ....
        admin_project:
          name: "admin"
          domain: "default"

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with these variables:
 * openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
 * openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all OpenStack services.
 * openstack_ossyslog_handler_enabled - set to true to enable OSSysLogHandler for all OpenStack services.

Only WatchedFileHandler, OSSysLogHandler and FluentHandler are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    keystone:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Usage
=====

Apply state `keystone.client.service` first and then `keystone.client` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net
852 #salt-formulas @ irc.freenode.net