==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is defined without a version in its URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | id                               | region    | publicurl                | internalurl              | adminurl                  | service_id                       |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host (``keystone:server:database:host``),
    sqlalchemy will try to connect to /var/run/mysql/mysqld.sock, which may cause
    issues if your mysql socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
          - admin
          - Member
          - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
          - name: nova
            type: compute
            description: OpenStack Compute Service
            user:
              name: nova
              password: password
            bind:
              public_address: cloud.domain.com
              public_protocol: https
              public_port: 8774
              internal_address: 10.0.0.20
              internal_port: 8774
              admin_address: 10.0.0.20
              admin_port: 8774

Keystone with custom policies. Keys with a specified rule are created, or set to that value if they already exist. Keys with no value (like ``existing_rule`` below) are deleted from the policy file.

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:
Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
          ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
            - host: 192.160.0.1
              port: 11211
            - host: 192.160.0.2
              port: 11211
        services:
          ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
          - external
          - password
          - token
          - oauth1
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm.domain.com"
            suffix: "dc=cloud,dc=domain,dc=com"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
            uid: keystone
            password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
          - wsgi

Enable Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
          - password
          - token
          - saml2
        websso:
          protocol: saml2
          remote_id_attribute: Shib-Identity-Provider
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
            - http://${_param:proxy_vip_address_public}/horizon/auth/websso/
          shib_url_scheme: https
    apache:
      server:
        pkgs:
          - apache2
          - libapache2-mod-shib2
        modules:
          - wsgi
          - shib2

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters (each allowed origin must be a full origin, scheme included)

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                  - region: region01
                    public_address: 172.16.10.1
                    public_port: 8773
                    public_path: '/v2'
                    internal_address: 172.16.10.1
                    internal_port: 8773
                    internal_path: '/v2'
                    admin_address: 172.16.10.1
                    admin_port: 8773
                    admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
              - admin
              - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                      - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne

Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
              - admin
              - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

Configuration of policy.json file

.. code-block:: yaml

    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

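As an added illustration (not part of the formula's own code), the following Python models the merge semantics stated for ``keystone:server:policy`` above (a key with a rule is created or overwritten, a key with no value is deleted) and then reports ``rule:`` references that the merged policy no longer defines, which is the failure a deletion like ``existing_rule`` can introduce. The policy.json content and pillar values below are constructed samples.

```python
import json
from typing import Dict, Optional, Set

# Constructed sample policy.json content (not the formula's own file); a real
# Keystone policy defines many more rules, including token_subject.
EXISTING_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "existing_rule": "rule:admin_required",
    "identity:get_user": "rule:admin_required",
})

# The keystone:server:policy pillar values shown in this README; YAML hands
# a key with no value (existing_rule) to Salt as None.
PILLAR_POLICY: Dict[str, Optional[str]] = {
    "new_rule": "rule:admin_required",
    "existing_rule": None,
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
}


def merge_policy(policy_json: str, pillar: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Model of the README semantics: a pillar key with a rule is created or
    overwritten; a key with an empty value is removed from the policy."""
    policy = json.loads(policy_json)
    for key, rule in pillar.items():
        if rule is None or str(rule).strip() == "":
            policy.pop(key, None)  # removing an already absent key is a no-op
        else:
            policy[key] = rule
    return policy


def undefined_rule_references(policy: Dict[str, str]) -> Set[str]:
    """Names referenced as ``rule:<name>`` that the merged policy does not
    define, e.g. because the pillar deleted a rule others still depend on."""
    missing: Set[str] = set()
    for rule in policy.values():
        for token in rule.replace("(", " ").replace(")", " ").split():
            if token.startswith("rule:") and token[len("rule:"):] not in policy:
                missing.add(token[len("rule:"):])
    return missing


if __name__ == "__main__":
    merged = merge_policy(EXISTING_POLICY, PILLAR_POLICY)
    print(json.dumps(merged, indent=2, sort_keys=True))
    print("dangling rule references:", sorted(undefined_rule_references(merged)))
```

Run the dangling-reference check against the rendered policy file after applying the state; in the constructed sample it flags ``token_subject`` because the sample policy never defined it.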
Usage
=====

Apply the `keystone.client.service` state first and then the `keystone.client` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker of the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to its mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula:

    https://github.com/salt-formulas/salt-formula-keystone

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net