==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery mechanisms via HTTP, primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Since the Kilo release the Keystone v3 endpoint is registered without a version suffix in the URL; clients discover the supported API versions from the root of the endpoint:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+

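A check for a catalog dumped in the format above, added here as an example (it is not code from the salt-formula-keystone project). It parses the ``keystone endpoint-list`` table and flags what a reviewer looks for in a v3 catalog: a version suffix left in a URL, plaintext HTTP on the public URL, and an admin URL that is not on a loopback or RFC1918 address. The column names and the sample row are copied from the table above; the checks themselves are this example's own.

```python
"""Sanity-check a Keystone endpoint table as printed by `keystone endpoint-list`.

Added example; not code from the salt-formula-keystone project.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed copy of the endpoint-list output above, used as offline input.
SAMPLE_TABLE = """\
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
| id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
| 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
"""

# Matches a trailing /v2.0, /v3 or /v3/ on an endpoint URL.
VERSION_SUFFIX = re.compile(r"/v\d+(?:\.\d+)?/?$")


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_table(text):
    """Return one dict per data row, keyed by the header cells; +--- rules are skipped."""
    rows = [line for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    return [dict(zip(header, _cells(row))) for row in rows[1:]]


def _on_private_address(url):
    """True if the URL host is a loopback or RFC1918 literal; hostnames are not trusted."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or (ip.is_private and not ip.is_unspecified)


def check_endpoint(ep):
    """Return a list of findings for one endpoint row (empty when it looks right)."""
    findings = []
    for column in ("publicurl", "internalurl", "adminurl"):
        if VERSION_SUFFIX.search(ep[column]):
            findings.append(f"{column} carries a version suffix: {ep[column]}")
    if urlparse(ep["publicurl"]).scheme != "https":
        findings.append("publicurl is plaintext http")
    if not _on_private_address(ep["adminurl"]):
        findings.append("adminurl is not on a loopback or RFC1918 address")
    return findings


def audit(text):
    """Map endpoint id -> findings for every row of an endpoint-list table."""
    return {ep["id"]: check_endpoint(ep) for ep in parse_table(text)}


if __name__ == "__main__":
    for endpoint_id, findings in audit(SAMPLE_TABLE).items():
        print(endpoint_id, findings or "ok")
```

Run against the sample row it reports only the plaintext public URL: the URLs carry no version suffix and the admin URL sits on a 10.0.0.0/8 address.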

Sample pillars
==============

Full stacked Keystone. ``service_token`` is Keystone's bootstrap admin token: it authenticates on the admin port without a user or password, so use a long random value and disable it once the admin user and the service accounts have been created. The admin API is bound to ``private_address`` on port 35357 and should stay on loopback or the management network.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_token'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API. Each service is registered in the catalog with separate public, internal and admin URLs; the public one faces users and should be HTTPS on a name the certificate covers, while the internal and admin URLs stay on the management network:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone memcached storage for tokens. Memcached does not authenticate clients, so anyone who can reach port 11211 can read and replay cached tokens; keep it on loopback or on a firewalled management network.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens; the same caveat applies to every member:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster. Each ``provider`` is a Keystone endpoint the control node manages, authenticated either with a service token on the admin port (35357) or with a user and password on the public port (5000):

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for the OpenStack Kilo release. Fernet tokens are not persisted in the database; they are encrypted with keys from a key repository on each Keystone node, so the repository should be rotated regularly and kept in sync across all nodes.

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment. Users and groups are read from LDAP while role and project assignments stay in Keystone's SQL database; ``ldaps://`` keeps the bind password and the lookups off the wire. The bind password is stored in the pillar in clear, so restrict who can read it.

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm01.workshop.cloudlab.cz"
            suffix: "dc=workshop,dc=cloudlab,dc=cz"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
            uid: keystone
            password: cloudlab

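A lint over the pillar samples above, added as an example that serves the full stacked, HTTPS service, memcached, fernet and LDAP domain sections together (it is not code from the salt-formula-keystone project). The pillar is given as a plain dict with the same keys as the YAML samples, so PyYAML is not needed. The checks cover the knobs those samples set: the bootstrap service token, where the admin API binds, the protocol of registered service endpoints, where memcached lives when it holds tokens, the token engine, and the LDAP URL scheme. The thresholds, messages and the three sample pillars are this example's own.

```python
"""Lint a keystone pillar for the settings that decide how exposed the service is.

Added example; not code from the salt-formula-keystone project.
"""
import copy
import ipaddress
from urllib.parse import urlparse

MIN_TOKEN_LEN = 32  # this example's threshold, not a Keystone requirement
PLACEHOLDERS = {"token", "service_token", "admin", "password"}


def _is_local(host):
    """Loopback or RFC1918 literal; 0.0.0.0 (all interfaces) and hostnames do not count."""
    try:
        ip = ipaddress.ip_address(str(host))
    except ValueError:
        return False
    return ip.is_loopback or (ip.is_private and not ip.is_unspecified)


def lint_server(server):
    """Return findings for the keystone:server subtree; an empty list means nothing flagged."""
    findings = []
    token = str(server.get("service_token", ""))
    if len(token) < MIN_TOKEN_LEN or token.lower() in PLACEHOLDERS:
        findings.append("service_token: short or placeholder bootstrap token; it bypasses normal "
                        "authentication on the admin port, so use a long random value and "
                        "disable it once the admin user and services exist")
    bind = server.get("bind", {})
    if not _is_local(bind.get("private_address", "")):
        findings.append("bind.private_address: admin API (port %s) is not on loopback/RFC1918"
                        % bind.get("private_port", 35357))
    for svc in server.get("services", []):
        if svc.get("bind", {}).get("public_protocol", "http") != "https":
            findings.append("services[%s]: public endpoint is not https" % svc.get("name"))
    cache = server.get("cache", {})
    if server.get("token_store") == "cache" and cache.get("engine") == "memcached":
        for member in cache.get("members") or [{"host": cache.get("host", "")}]:
            if not _is_local(member.get("host", "")):
                findings.append("cache.members[%s]: memcached asks for no credentials, so a "
                                "reachable token cache hands out valid tokens" % member.get("host"))
    if server.get("tokens", {}).get("engine") != "fernet":
        findings.append("tokens.engine: not fernet; persisted tokens pile up in the database "
                        "and need regular keystone-manage token_flush runs")
    ldap = server.get("domain", {}).get("ldap")
    if ldap is not None and urlparse(ldap.get("url", "")).scheme != "ldaps":
        findings.append("domain.ldap.url: not ldaps://, so the bind password and lookups "
                        "travel in the clear")
    return findings


# Constructed pillar: the "full stacked" sample with the HTTPS service,
# memcached and LDAP domain samples folded in.
AS_DOCUMENTED = {"server": {
    "enabled": True, "version": "juno", "service_token": "service_token",
    "bind": {"address": "0.0.0.0", "private_address": "127.0.0.1", "private_port": 35357,
             "public_address": "127.0.0.1", "public_port": 5000},
    "services": [{"name": "nova", "type": "compute",
                  "bind": {"public_address": "cloud.domain.com", "public_protocol": "https",
                           "public_port": 8774}}],
    "token_store": "cache",
    "cache": {"engine": "memcached", "host": "127.0.0.1", "port": 11211},
    "domain": {"backend": "ldap", "ldap": {"url": "ldaps://idm01.workshop.cloudlab.cz"}},
}}

# Same pillar with the findings addressed; the token is a stand-in for a random value.
HARDENED = copy.deepcopy(AS_DOCUMENTED)
HARDENED["server"]["service_token"] = "0123456789abcdef" * 4
HARDENED["server"]["tokens"] = {"engine": "fernet"}

# Same pillar with every knob turned the wrong way
# (192.160.0.0/16 is a public range, unlike 192.168.0.0/16).
EXPOSED = copy.deepcopy(AS_DOCUMENTED)
EXPOSED["server"].update({"service_token": "token",
                          "bind": {"private_address": "0.0.0.0", "private_port": 35357},
                          "cache": {"engine": "memcached",
                                    "members": [{"host": "10.0.0.5", "port": 11211},
                                                {"host": "192.160.0.1", "port": 11211}]},
                          "domain": {"backend": "ldap",
                                     "ldap": {"url": "ldap://idm01.workshop.cloudlab.cz"}}})
EXPOSED["server"]["services"][0]["bind"]["public_protocol"] = "http"

if __name__ == "__main__":
    for label, pillar in (("as documented", AS_DOCUMENTED), ("hardened", HARDENED), ("exposed", EXPOSED)):
        print(label, lint_server(pillar["server"]) or ["ok"])
```

The as-documented pillar trips only the token check and the missing fernet engine; the exposed one trips every check, which is the shape a review of a copied-and-pasted sample usually takes.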
Read more
=========

* http://docs.openstack.org/developer/keystone/configuration.html
* http://docs.openstack.org/developer/keystone/architecture.html
* http://docs.saltstack.com/ref/states/all/salt.states.keystone.html
* http://docs.saltstack.com/ref/modules/all/salt.modules.keystone.html
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
* https://bugs.launchpad.net/tripleo/+bug/1203910

Things to improve
=================

* Keystone as a service provider (SP): it must run under Apache (the same as with PKI tokens)
* Keystone with MongoDB backend: where is it?
* An IdP is owned by a domain, and a domain corresponds to a billable account, so IdP administration belongs there
* Shibboleth alternatives for the IdP integration: mod_auth_mellon

Generally the SP/IdP support is still a little unstable: there is no way to let the SP know that an identity has changed, and there is no visibility in the UI (IBM has some, not upstream yet).