Filip Pytloun943d6882015-10-06 16:28:32 +02001==================
2OpenStack Keystone
3==================
4
5Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
6
7Since the Kilo release, the Keystone v3 endpoint is defined without a version in the URL:
8
9.. code-block:: bash
10
11 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
12 | id | region | publicurl | internalurl | adminurl | service_id |
13 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
14 | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
15 +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
16
17
18Sample pillars
19==============
20
21Full stacked Keystone server. The service token, passwords and database credentials shown here are sample values; in a real deployment supply them from a secret store rather than committing them to the pillar.
22
23.. code-block:: yaml
24
25 keystone:
26 server:
27 enabled: true
28 version: juno
29 service_token: 'service_tokeen'
30 service_tenant: service
31 service_password: 'servicepwd'
32 admin_tenant: admin
33 admin_name: admin
34 admin_password: 'adminpwd'
35 admin_email: stackmaster@domain.com
36 roles:
37 - admin
38 - Member
39 - image_manager
40 bind:
41 address: 0.0.0.0
42 private_address: 127.0.0.1
43 private_port: 35357
44 public_address: 127.0.0.1
45 public_port: 5000
46 api_version: 2.0
47 region: RegionOne
48 database:
49 engine: mysql
50 host: '127.0.0.1'
51 name: 'keystone'
52 password: 'LfTno5mYdZmRfoPV'
53 user: 'keystone'
54
55Keystone public HTTPS API
56
57.. code-block:: yaml
58
59 keystone:
60 server:
61 enabled: true
62 version: juno
63 ...
64 services:
65 - name: nova
66 type: compute
67 description: OpenStack Compute Service
68 user:
69 name: nova
70 password: password
71 bind:
72 public_address: cloud.domain.com
73 public_protocol: https
74 public_port: 8774
75 internal_address: 10.0.0.20
76 internal_port: 8774
77 admin_address: 10.0.0.20
78 admin_port: 8774
79
80Keystone memcached storage for tokens
81
82.. code-block:: yaml
83
84 keystone:
85 server:
86 enabled: true
87 version: juno
88 ...
89 token_store: cache
90 cache:
91 engine: memcached
92 host: 127.0.0.1
93 port: 11211
94 services:
95 ...
96
97Keystone clustered memcached storage for tokens
98
99.. code-block:: yaml
100
101 keystone:
102 server:
103 enabled: true
104 version: juno
105 ...
106 token_store: cache
107 cache:
108 engine: memcached
109 members:
110 - host: 192.160.0.1
111 port: 11211
112 - host: 192.160.0.2
113 port: 11211
114 services:
115 ...
116
117Keystone client
118
119.. code-block:: yaml
120
121 keystone:
122 client:
123 enabled: true
124 server:
125 host: 10.0.0.2
126 public_port: 5000
127 private_port: 35357
128 service_token: 'token'
129 admin_tenant: admin
130 admin_name: admin
131 admin_password: 'passwd'
132
133Keystone cluster
134
135.. code-block:: yaml
136
137 keystone:
138 control:
139 enabled: true
140 provider:
141 os15_token:
142 host: 10.0.0.2
143 port: 35357
144 token: token
145 os15_tcp_core_stg:
146 host: 10.0.0.5
147 port: 5000
148 tenant: admin
149 name: admin
150 password: password
151
152Keystone Fernet tokens for the OpenStack Kilo release
153
154.. code-block:: yaml
155
156 keystone:
157 server:
158 ...
159 tokens:
160 engine: fernet
161 ...
162
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100163Keystone domain with an LDAP backend, using SQL for role/project assignment
164
165.. code-block:: yaml
166
167 keystone:
168 server:
169 domain:
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100170 description: "Testing domain"
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100171 backend: ldap
172 assignment:
173 backend: sql
174 ldap:
Ales Komarekaabbda62016-03-15 08:38:35 +0100175 url: "ldaps://idm.domain.com"
176 suffix: "dc=cloud,dc=domain,dc=com"
177 # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100178 uid: keystone
Ales Komarekaabbda62016-03-15 08:38:35 +0100179 password: password
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100180
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100181Using an LDAP backend for the default domain
182
183.. code-block:: yaml
184
185 keystone:
186 server:
187 backend: ldap
188 assignment:
189 backend: sql
190 ldap:
Ales Komarekaabbda62016-03-15 08:38:35 +0100191 url: "ldaps://idm.domain.com"
192 suffix: "dc=cloud,dc=domain,dc=com"
193 # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100194 uid: keystone
Ales Komarekaabbda62016-03-15 08:38:35 +0100195 password: password
196
197Simple service endpoint definition (defaults to RegionOne)
198
199.. code-block:: yaml
200
201 keystone:
202 server:
203 service:
204 ceilometer:
205 type: metering
206 description: OpenStack Telemetry Service
207 user:
208 name: ceilometer
209 password: password
210 bind:
211 ...
212
213Region-aware service endpoint definitions
214
215.. code-block:: yaml
216
217 keystone:
218 server:
219 service:
220 ceilometer_region01:
221 service: ceilometer
222 type: metering
223 region: region01
224 description: OpenStack Telemetry Service
225 user:
226 name: ceilometer
227 password: password
228 bind:
229 ...
230 ceilometer_region02:
231 service: ceilometer
232 type: metering
233 region: region02
234 description: OpenStack Telemetry Service
235 bind:
236 ...
237
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100238
Filip Pytloun943d6882015-10-06 16:28:32 +0200239Read more
240=========
241
242* http://docs.openstack.org/developer/keystone/configuration.html
243* http://docs.openstack.org/developer/keystone/architecture.html
244* http://docs.saltstack.com/ref/states/all/salt.states.keystone.html
245* http://docs.saltstack.com/ref/modules/all/salt.modules.keystone.html
246* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
247* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
248* https://bugs.launchpad.net/tripleo/+bug/1203910