=====
Usage
=====

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is defined without a version
in the URL:

.. code-block:: bash

    +----------------+-----------+--------------------------+--------------------------+---------------------------+---------------+
    | id             | region    | publicurl                | internalurl              | adminurl                  | service_id    |
    +----------------+-----------+--------------------------+--------------------------+---------------------------+---------------+
    | 91663a8d...494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba...9c9 |
    +----------------+-----------+--------------------------+--------------------------+---------------------------+---------------+

Sample pillars
==============

.. caution::

    When you use localhost as your database host (``keystone:server:database:host``),
    SQLAlchemy will try to connect to ``/var/run/mysql/mysqld.sock``, which may
    cause issues if your MySQL socket is located elsewhere.

Full stacked Keystone:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        enable_proxy_headers_parsing: True
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone with custom policies. Keys with specified rules
are created, or set to this value if they already exist.
Keys with no value (like our ``existing_rule``) are deleted
from the policy file:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        policy:
          new_rule: "rule:admin_required"
          existing_rule:

Keystone memcached storage for tokens:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens:

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client:

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster:

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release:

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

Keystone auth methods:

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

Keystone domain with LDAP backend, using SQL for
role/project assignment and a disabled group mapping block:

.. code-block:: yaml

    keystone:
      server:
        domain:
          external:
            description: "Testing domain"
            backend: ldap
            assignment:
              backend: sql
            ldap:
              group_mapping: False

Keystone domain with LDAP backend, using SQL for
role/project assignment:

.. code-block:: yaml

    keystone:
      server:
        domain:
          external:
            description: "Testing domain"
            backend: ldap
            assignment:
              backend: sql
            ldap:
              group_mapping: False
              url: "ldaps://idm.domain.com"
              suffix: "dc=cloud,dc=domain,dc=com"
              # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
              uid: keystone
              password: password
              query_scope: "sub"
              # The interpolations below point at this same domain ("external")
              bind_user: "CN=lab,CN=users,${keystone:server:domain:external:ldap:suffix}"
              filter:
                user: "(memberOf=CN=Grp-atm-admins,CN=Users,${keystone:server:domain:external:ldap:suffix})"
              user_tree_dn: "CN=users,${keystone:server:domain:external:ldap:suffix}"
              user_id_attribute: "sAMAccountName"
              user_name_attribute: "sAMAccountName"
              user_pass_attribute: ""
              user_enabled_default: 512
              user_enabled_mask: 2
              user_enabled_attribute: "userAccountControl"
              user_attribute_ignore: "password,tenant_id,tenants"

Use driver aliases instead of full class paths:

.. code-block:: yaml

    keystone:
      server:
        domain:
          test:
            description: "Test domain"
            backend: ldap
            assignment:
              backend: sql
              driver: sql
            identity:
              backend: ldap
              driver: keystone.identity.backends.ldap.Identity
            ldap:
              url: "ldaps://idm.domain.com"
              ...

Using LDAP backend for default domain:

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Using LDAP backend for default domain with
``user_enabled`` field emulation:

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldap://idm.domain.com"
          suffix: "ou=Openstack Service Users,o=domain.com"
          bind_user: keystone
          password: password
          # Define LDAP "group" object class and "membership" attribute
          group_objectclass: groupOfUniqueNames
          group_member_attribute: uniqueMember
          # User will receive the "enabled" attribute based on membership in the "os-user-enabled" group
          user_enabled_emulation: True
          user_enabled_emulation_dn: "cn=os-user-enabled,ou=Openstack,o=domain.com"
          user_enabled_emulation_use_group_config: True

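To make the ``user_enabled_mask`` / ``user_enabled_default`` settings of the Active Directory style domain block and the ``user_enabled_emulation`` settings above concrete, the following Python model (added here; it is not code from the formula or from Keystone, and the directory entries are constructed) shows how the ``enabled`` flag is derived in each case. The bit-mask semantics follow the documented meaning of the options: a user is enabled unless the mask bits are set in the attribute, and a missing attribute falls back to the default value.

```python
# Added example: model of the two "enabled" mechanisms configured above.
# Sample entries are constructed, not real directory data.

# Active Directory style block: userAccountControl is a bit field and
# bit 0x2 (ACCOUNTDISABLE) set means the account is disabled.
USER_ENABLED_MASK = 2
USER_ENABLED_DEFAULT = 512   # NORMAL_ACCOUNT with the disable bit clear


def enabled_from_mask(attr_value, mask=USER_ENABLED_MASK,
                      default=USER_ENABLED_DEFAULT):
    """Derive Keystone's 'enabled' flag from a bit-field attribute.

    A missing attribute falls back to user_enabled_default. The user counts as
    enabled unless every bit of the mask is set (for the single-bit mask 2 that
    is simply 'bit 2 clear'); unrelated bits such as DONT_EXPIRE_PASSWORD
    (0x10000) do not influence the result.
    """
    value = int(attr_value) if attr_value is not None else default
    return (value & mask) != mask


def attr_for_enabled(current_value, enabled, mask=USER_ENABLED_MASK):
    """Inverse direction: the value to write back when (un)setting 'enabled',
    touching only the mask bits and preserving the rest of the field."""
    value = int(current_value)
    return (value & ~mask) if enabled else (value | mask)


def enabled_from_emulation(user_dn, emulation_group_members):
    """user_enabled_emulation: 'enabled' means the user's DN is listed as a
    member of the group at user_enabled_emulation_dn. DNs are compared
    case-insensitively here, a simplification of LDAP DN matching."""
    members = {m.lower() for m in emulation_group_members}
    return user_dn.lower() in members


# Constructed sample entries (name -> userAccountControl value).
SAMPLE_AD_USERS = {
    "alice": 512,      # NORMAL_ACCOUNT
    "bob": 514,        # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66048,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, still enabled
    "dave": None,      # attribute absent -> user_enabled_default applies
}

# Constructed member list of cn=os-user-enabled,ou=Openstack,o=domain.com.
SAMPLE_EMULATION_GROUP = [
    "uid=alice,ou=Openstack Service Users,o=domain.com",
    "UID=erin,OU=Openstack Service Users,O=domain.com",
]


def enabled_users_by_mask(users=SAMPLE_AD_USERS):
    """Names of the constructed users that would be reported as enabled."""
    return sorted(name for name, uac in users.items() if enabled_from_mask(uac))


if __name__ == "__main__":
    print("enabled via mask:", enabled_users_by_mask())
    print("alice via emulation:", enabled_from_emulation(
        "uid=alice,ou=Openstack Service Users,o=domain.com",
        SAMPLE_EMULATION_GROUP))
```

The two mechanisms fail differently: with the mask, a directory that stops publishing ``userAccountControl`` silently makes everyone look enabled via the default, so keep ``user_enabled_default`` in mind when auditing; with emulation, the group itself becomes the authorization boundary and its membership changes deserve the same review as role assignments.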
If the members of the group ``objectclass`` are user IDs
rather than DNs, set ``group_members_are_ids`` to ``true``.
This is the case when using ``posixGroup`` as the group
``objectclass`` and ``OpenDirectory``:

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password
          group_members_are_ids: True

Simple service endpoint definition (defaults to ``RegionOne``):

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition:

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable Ceilometer notifications:

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
          - host: 10.0.16.1
          - host: 10.0.16.2
          - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

By default system-wide CA certs are used. Nothing should be
specified except ``ssl.enabled``.

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True

Use the ``cacert_file`` option to specify the CA cert
file path explicitly:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the ``cacert_file``, use the ``cacert``
option:

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |

              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----

            cacert_file: /etc/openstack/rabbitmq-ca.pem

.. note::

    * The ``message_queue.port`` is set to ``5671`` (AMQPS) by
      default if ``ssl.enabled=True``.
    * Use ``message_queue.ssl.version`` if you need to specify the
      protocol version. By default it is ``TLSv1`` for Python <
      2.7.9 and ``TLSv1_2`` for later versions.

Enable CADF audit notification:

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run Keystone under Apache:

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
        - wsgi

Enable SAML2 Federated Keystone:

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
          - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-shib2
        modules:
        - wsgi
        - shib2

Enable OIDC Federated Keystone:

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
          - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-auth-openidc
        modules:
        - wsgi
        - auth_openidc

.. note:: The Ubuntu Trusty repository doesn't contain the
    ``libapache2-mod-auth-openidc`` package. An additional
    repository should be added to the source list.

Use a custom identity driver with custom options:

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters:

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

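The CORS settings above decide which browser origins may read Keystone responses, including the ``X-Subject-Token`` header that carries freshly issued tokens. The following Python model is an added example (not the formula's code and not the CORS middleware Keystone actually runs; it is a simplified model of the origin decision) that shows how an ``Origin`` request header is checked against ``allowed_origin`` and which response headers result. It reuses the page's values, with the origin entries written with the ``https://`` scheme separator.

```python
# Added example: origin decision under the CORS settings shown above.
# Simplified model of CORS behaviour; not the middleware Keystone uses.

CORS_SETTINGS = {
    "allowed_origin": "https://localhost.local,http://localhost.local",
    "expose_headers": "X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token",
    "allow_methods": "GET,PUT,POST,DELETE,PATCH",
    "allow_headers": "X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token",
    "allow_credentials": True,
    "max_age": 86400,
}


def allowed_origins(settings=CORS_SETTINGS):
    """Split the comma-separated pillar value into an exact-match allow-list."""
    return [o.strip() for o in settings["allowed_origin"].split(",") if o.strip()]


def cors_headers_for(origin, settings=CORS_SETTINGS):
    """Response headers a CORS-aware endpoint adds for a request from `origin`.

    The Origin value must equal an allow-list entry exactly (scheme, host and
    port all count), so a malformed entry such as "https:localhost.local" can
    never match a real browser Origin. Returns {} when the origin is not
    allowed; the browser then refuses to expose the response to the page.
    """
    if origin not in allowed_origins(settings):
        return {}
    headers = {
        # Echo the single matched origin. With allow_credentials a wildcard
        # "*" is not an option: browsers reject that combination.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": settings["allow_methods"],
        "Access-Control-Allow-Headers": settings["allow_headers"],
        "Access-Control-Expose-Headers": settings["expose_headers"],
        "Access-Control-Max-Age": str(settings["max_age"]),
        # The response differs per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if settings["allow_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def review_allow_list(settings=CORS_SETTINGS):
    """Flag allow-list entries that are not well-formed origins
    (missing "://" or empty), which would silently never match."""
    return [o for o in allowed_origins(settings) if "://" not in o]


if __name__ == "__main__":
    print(cors_headers_for("https://localhost.local"))
    print(cors_headers_for("https://other.example"))      # {} -> blocked
    print(review_allow_list())                            # [] -> all entries well-formed
```

Because ``expose_headers`` includes ``X-Subject-Token`` and credentials are allowed, every origin on the list can read issued tokens from JavaScript; the list should contain only dashboard origins you control, and ``review_allow_list`` is the kind of check worth running when the pillar is rendered.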
Keystone client
---------------

Service endpoints enforcement with service token:

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user:

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example:

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne

Tenant quotas:

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in ``keystone.conf``
(since Mitaka release):

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

Configuration of ``policy.json`` file:

.. code-block:: yaml

    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

Manage ``os-cloud-config`` yml with ``keystone.client``:

.. code-block:: yaml

    keystone:
      client:
        os_client_config:
          enabled: true
          cfgs:
            root:
              file: /root/.config/openstack/clouds.yml
              content:
                clouds:
                  admin_identity:
                    region_name: RegionOne
                    auth:
                      username: admin
                      password: secretpassword
                      user_domain_name: Default
                      project_name: admin
                      project_domain_name: Default
                      auth_url: "http://1.2.3.4:5000"

Setting up default admin project name and domain:

.. code-block:: yaml

    keystone:
      server:
        ....
        admin_project:
          name: "admin"
          domain: "default"

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable per-binary logging.conf with new variables:

* ``openstack_log_appender``
    Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
    Set to true to enable ``FluentHandler`` for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
    Set to true to enable ``OSSysLogHandler`` for all OpenStack services

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

Also, it is possible to configure this with pillar:

.. code-block:: yaml

    keystone:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Change default service policy configuration
-------------------------------------------

.. code-block:: yaml

    keystone:
      server:
        policy:
          admin_or_token_subject: 'rule:token_subject'
          service_admin_or_token_subject: 'rule:service_or_admin'
          # Add key without value to remove line from policy.json
          identity:get_region:

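The ``keystone:server:policy`` merge rule described in the "Keystone with custom policies" sample and in the block above (keys with a value are created or overwritten, keys without a value are removed) is small enough to model end to end. The Python below is an added example, not the formula's state code; the ``policy.json`` content and the pillar dictionary are constructed to exercise all three cases, and the diff report is the kind of check worth running before a policy change reaches an identity service.

```python
# Added example: apply a keystone:server:policy pillar to policy.json the way
# the text describes (set/override keys with a value, delete keys without one).
# Both inputs are constructed for this example.
import json

SAMPLE_POLICY_JSON = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "token_subject": "user_id:%(target.token.user_id)s",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
    "identity:get_region": "",
    "existing_rule": "rule:admin_required",
}, indent=2)

# As YAML loads it: a key written without a value becomes None.
SAMPLE_PILLAR_POLICY = {
    "new_rule": "rule:admin_required",              # created
    "admin_or_token_subject": "rule:token_subject",  # overwritten
    "existing_rule": None,                           # deleted
    "identity:get_region": None,                     # deleted
}


def apply_policy_pillar(policy_json_text, pillar_policy):
    """Return the merged policy mapping.

    Keys whose pillar value is None are removed (missing keys are ignored);
    every other key is set to the given rule string.
    """
    policy = json.loads(policy_json_text)
    for key, rule in pillar_policy.items():
        if rule is None:
            policy.pop(key, None)
        else:
            policy[key] = rule
    return policy


def policy_diff(before_json_text, after_policy):
    """Review aid: which rule names were added, changed or removed."""
    before = json.loads(before_json_text)
    return {
        "added": sorted(k for k in after_policy if k not in before),
        "changed": sorted(k for k in after_policy
                          if k in before and before[k] != after_policy[k]),
        "removed": sorted(k for k in before if k not in after_policy),
    }


def render_policy_json(policy):
    """Serialise deterministically so the file diffs cleanly under version control."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    merged = apply_policy_pillar(SAMPLE_POLICY_JSON, SAMPLE_PILLAR_POLICY)
    print(json.dumps(policy_diff(SAMPLE_POLICY_JSON, merged), indent=2))
    print(render_policy_json(merged))
```

Removing a rule name is not the same as making it empty: oslo.policy resolves an undefined rule through its ``default`` rule, so a deletion such as ``identity:get_region`` above changes who may call that API to whatever ``default`` allows. The ``removed`` list in the report is therefore the part to read most carefully.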
Usage
=====

#. Apply the :command:`keystone.client.service` state.
#. Apply the :command:`keystone.client` state.


Fernet-keys rotation without gluster
------------------------------------

In the future fernet keys are supposed to be rotated with rsync+ssh instead of using glusterfs. By default it is assumed
that the script will run on the primary control node (ctl01) and will rotate and transfer fernet keys to the secondary
controller nodes (ctl02, ctl03). The following parameter should be set on cluster level:

``keystone_node_role``

and ``fernet_rotation_driver`` should be set to ``rsync``.

By default this parameter is set to ``secondary`` on system level along with other parameters:

.. code-block:: yaml

    keystone:
      server:
        role: ${_param:keystone_node_role}
        tokens:
          fernet_sync_nodes_list:
            control02:
              name: ctl02
              enabled: True
            control03:
              name: ctl03
              enabled: True
          fernet_rotation_driver: rsync

Prior to running the keystone salt states, an ssh key should be generated and its public part placed on the secondary controllers.
This can be accomplished by running the following orchestration state before the keystone states:

.. code-block:: bash

    salt-run state.orchestrate keystone.orchestrate.deploy

Currently the default fernet rotation driver is a shared filesystem.

Enable x509 and ssl communication between Keystone and Galera cluster
---------------------------------------------------------------------

By default communication between Keystone and Galera is unsecured.

.. code-block:: yaml

    keystone:
      server:
        database:
          x509:
            enabled: True

You are able to set custom certificates in pillar:

.. code-block:: yaml

    keystone:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Enhanced max_active_keys setup
------------------------------

Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys`` set too low,
will cause tokens to become invalid prior to their expiration. As tokens may be fetched
beyond their initial expiration period, keys should not be fully rotated within the
period of ``[token] expiration`` + ``[token] allow_expired_window`` seconds to prevent the
tokens becoming unavailable. As an example, the ``max_active_keys`` default value can be
adjusted according to the following values:

* ``[token] allow_expired_window`` = 86400 (24 hours)
* ``[token] expiration`` = 3600 (1 hour)
* rotation_frequency = 1 (1 hour)
* ``[fernet_tokens] max_active_keys`` = (24 + 1)/1 + 2 = 27

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          expiration: 3600
          allow_expired_window: 86400
          max_active_keys: 27
        ...

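The arithmetic above, as an added Python helper (not part of the formula) that turns the three inputs into the minimum ``max_active_keys`` and flags a pillar whose key ring is too small. The rotation interval is not a pillar key in this formula; it is passed in hours as an assumed parameter, and the division is rounded up so a partial rotation interval still gets its own key.

```python
# Added example: minimum [fernet_tokens] max_active_keys for a given token
# lifetime and rotation interval, following the formula given above:
#   (allow_expired_window + expiration) / rotation_frequency + 2
# The rotation interval is an assumed input, not a pillar key of the formula.
import math


def required_max_active_keys(expiration, allow_expired_window, rotation_frequency_hours):
    """Smallest max_active_keys that keeps every still-valid token decryptable.

    expiration and allow_expired_window are seconds, as in keystone.conf;
    rotation_frequency_hours is how often the rotation job runs. The quotient
    is rounded up; the +2 is the formula's allowance for the staged key and the
    newly promoted primary key.
    """
    if rotation_frequency_hours <= 0:
        raise ValueError("rotation frequency must be a positive number of hours")
    token_lifetime_hours = (expiration + allow_expired_window) / 3600
    return math.ceil(token_lifetime_hours / rotation_frequency_hours) + 2


def keys_rotate_too_fast(max_active_keys, expiration, allow_expired_window,
                         rotation_frequency_hours):
    """True when the configured ring is too small, i.e. a key could be pruned
    while a token it encrypted is still inside expiration + allow_expired_window."""
    needed = required_max_active_keys(expiration, allow_expired_window,
                                      rotation_frequency_hours)
    return max_active_keys < needed


def check_tokens_pillar(tokens, rotation_frequency_hours):
    """Report on a keystone:server:tokens mapping with engine fernet.

    `tokens` carries the page's keys (expiration, allow_expired_window,
    max_active_keys); the rotation interval is supplied separately.
    """
    needed = required_max_active_keys(tokens["expiration"],
                                      tokens["allow_expired_window"],
                                      rotation_frequency_hours)
    return {
        "configured": tokens["max_active_keys"],
        "required": needed,
        "ok": tokens["max_active_keys"] >= needed,
    }


# The pillar values shown above.
SAMPLE_TOKENS = {"engine": "fernet", "expiration": 3600,
                 "allow_expired_window": 86400, "max_active_keys": 27}

if __name__ == "__main__":
    print(check_tokens_pillar(SAMPLE_TOKENS, rotation_frequency_hours=1))
    # The formula default of 3 keys with the same token settings:
    print(keys_rotate_too_fast(3, 3600, 86400, 1))
```

Run the check whenever ``expiration``, ``allow_expired_window`` or the rotation schedule changes; lengthening the expired window without growing the key ring is the common way tokens start failing validation well before their nominal expiry.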
Enable security compliance policies
-----------------------------------

By default security compliance policies are disabled. You are able to define the following params independently of each other.

.. note::

    To ignore the ``change_password_upon_first_use`` requirement for specific users, such as service users,
    set the ``options`` attribute ``ignore_change_password_upon_first_use``
    to ``True`` for the desired user via the update user API.

.. note::

    The symbol ``$`` needs an escape character and is written as ``$$``.

.. code-block:: yaml

    keystone:
      server:
        security_compliance:
          disable_user_account_days_inactive: 365
          lockout_failure_attempts: 60
          lockout_duration: 600
          password_expires_days: 730
          unique_last_password_count: 5
          minimum_password_age: 0
          password_regex: '^[a-zA-Z0-9~!@#%^&\*_=+]{32,}$$'
          password_regex_description: |
            'Your password can contain capital letters, lowercase letters, digits, symbols "~ ! @ # % ^ & * _ = +" and must have a minimum length of 32 characters'
          change_password_upon_first_use: False

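The ``$$`` rule above exists because ``keystone.conf`` is read by oslo.config, which treats ``$`` as the start of a value substitution and ``$$`` as a literal dollar sign. The Python below is an added example (not formula code) that takes the ``password_regex`` exactly as written in the pillar, recovers the pattern Keystone actually compiles, warns about a ``$`` left unescaped, and applies the policy to a few constructed passwords.

```python
# Added example: what the password_regex pillar value above becomes after
# oslo.config's "$$" unescaping, and how the policy applies to passwords.
# Sample passwords are constructed.
import re

# Exactly as written in the pillar: "$" escaped as "$$".
PILLAR_PASSWORD_REGEX = r'^[a-zA-Z0-9~!@#%^&\*_=+]{32,}$$'


def effective_regex(pillar_value):
    """Undo oslo.config's escaping: "$$" is a literal "$" in the parsed value."""
    return pillar_value.replace("$$", "$")


def has_unescaped_dollar(pillar_value):
    """True if a lone "$" remains; oslo.config would read it as a substitution
    marker, and the regex would lose its end-of-string anchor."""
    return "$" in pillar_value.replace("$$", "")


def password_meets_policy(password, pillar_value=PILLAR_PASSWORD_REGEX):
    """Compile the unescaped pattern and require the whole password to match
    (fullmatch, so a trailing newline cannot sneak past the "$" anchor)."""
    return re.fullmatch(effective_regex(pillar_value), password) is not None


# Constructed sample passwords and the verdict the policy should give.
SAMPLE_PASSWORDS = {
    "abcdefghijklmnopqrstuvwxyz012345": True,              # 32 allowed characters
    "A~!@#%^&*_=+" + "a" * 31: True,                        # every allowed symbol
    "Correct-length-but-has-a-dash-in-it-1234567": False,  # "-" is not permitted
    "tooShort!": False,                                    # below 32 characters
    "abcdefghijklmnopqrstuvwxyz012345\n": False,           # newline rejected
}


def evaluate_samples(samples=SAMPLE_PASSWORDS):
    """Map each constructed password to whether it satisfies the policy."""
    return {pw: password_meets_policy(pw) for pw in samples}


if __name__ == "__main__":
    print("effective regex:", effective_regex(PILLAR_PASSWORD_REGEX))
    print("unescaped $ left:", has_unescaped_dollar(PILLAR_PASSWORD_REGEX))
    for pw, ok in evaluate_samples().items():
        print(f"{ok!s:5} {pw!r}")
```

``has_unescaped_dollar`` is the check to run on any regex you put in the pillar: a pattern that ends in a single ``$`` is not a syntax error, it is silently a different pattern once the configuration file is parsed.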
Define extra user options
-------------------------

To ignore the ``change_password_upon_first_use`` requirement for specific users,
such as service users, set the ``options`` attribute ``ignore_change_password_upon_first_use``
to ``True`` for the desired user via the update user API.

To ignore the ``password_expires_days`` requirement for specific users,
such as service users, set the ``options`` attribute ``ignore_password_expiry``
to ``True`` for the desired user via the update user API.

To ignore the ``lockout_failure_attempts`` requirement for specific users,
such as service users, set the ``options`` attribute ``ignore_lockout_failure_attempts``
to ``True`` for the desired user via the update user API.

Also, if there exists a user who should not be able to change her own password via
the keystone password change API, keystone supports setting that user's option ``lock_password``
to ``True`` via the user update API.

For releases since Queens (Q):

.. code-block:: yaml

    keystone:
      client:
        resources:
          v3:
            users:
              cinder:
                options:
                  ignore_change_password_upon_first_use: True
                  ignore_password_expiry: False
                  ignore_lockout_failure_attempts: False
                  lock_password: True

For all earlier releases:

.. code-block:: yaml

    keystone:
      client:
        server:
          identity:
            project:
              service:
                user:
                  cinder:
                    options:
                      ignore_change_password_upon_first_use: True
                      ignore_password_expiry: False
                      ignore_lockout_failure_attempts: False
                      lock_password: True

Keystone configmap setup
------------------------

Default type:

.. code-block:: yaml

    keystone:
      server:
        configmap:
          DEFAULT:
            debug: true
            rate_limit_except_level: debug
          auth:
            methods: 'external,password,token'
          tokenless_auth:
            trusted_issuer: 'O=Mirantis,L=Prague,CN=Salt Master CA,C=cz'

Type ``MultiOpt`` for multiline values:

.. code-block:: yaml

    keystone:
      server:
        configmap:
          tokenless_auth:
            trusted_issuer:
              type: 'MultiOpt'
              values:
                value1: 'O=Mirantis,L=Prague,CN=Salt Master CA,C=cz'
                value2: 'O=Mirantis,L=Kharkiv,CN=Salt Master CA2,C=ua'

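How a ``configmap`` pillar ends up in ``keystone.conf``, as an added Python example (not the formula's Jinja template). It assumes that a ``MultiOpt`` entry is emitted as one ``key = value`` line per value, which is how oslo.config reads multi-valued options such as ``[tokenless_auth] trusted_issuer``, and it reads the result back to confirm that no issuer was lost.

```python
# Added example: render a keystone:server:configmap pillar to INI text and read
# repeated options back. Assumption: 'MultiOpt' means one "key = value" line
# per value. The pillar below is the one shown above, combined into one mapping.

SAMPLE_CONFIGMAP = {
    "DEFAULT": {"debug": True, "rate_limit_except_level": "debug"},
    "auth": {"methods": "external,password,token"},
    "tokenless_auth": {
        "trusted_issuer": {
            "type": "MultiOpt",
            "values": {
                "value1": "O=Mirantis,L=Prague,CN=Salt Master CA,C=cz",
                "value2": "O=Mirantis,L=Kharkiv,CN=Salt Master CA2,C=ua",
            },
        }
    },
}


def _scalar(value):
    # YAML booleans are written as the lowercase words oslo.config accepts.
    return str(value).lower() if isinstance(value, bool) else str(value)


def render_configmap(configmap):
    """Produce keystone.conf text: one [section] per key, plain options as a
    single line, MultiOpt options repeated once per value, in pillar order."""
    lines = []
    for section, options in configmap.items():
        lines.append(f"[{section}]")
        for key, value in options.items():
            if isinstance(value, dict) and value.get("type") == "MultiOpt":
                for v in value["values"].values():
                    lines.append(f"{key} = {v}")
            else:
                lines.append(f"{key} = {_scalar(value)}")
        lines.append("")
    return "\n".join(lines)


def read_option_values(ini_text, section, key):
    """Return every value of a (possibly repeated) option. configparser would
    keep only one of the repeated lines, so the file is scanned directly;
    splitting on the first "=" keeps DNs such as "O=Mirantis,..." intact."""
    values, current = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                values.append(v)
    return values


if __name__ == "__main__":
    text = render_configmap(SAMPLE_CONFIGMAP)
    print(text)
    print(read_option_values(text, "tokenless_auth", "trusted_issuer"))
```

``trusted_issuer`` is the list of certificate subjects Keystone accepts for X.509 tokenless authentication, so after rendering it is worth confirming that exactly the intended issuers appear and nothing else; a plain (non-``MultiOpt``) entry would leave only one of them in effect.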
Setup auth urls for oidc
------------------------

.. code-block:: yaml

    keystone:
      server:
        federation:
          oidc:
            idp_protocols_auth_url: '/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth_url'
            idp_protocols_websso_url: '/v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/websso_url'
            websso_url: '/v3/OS-FEDERATION/websso/oidc_url'

Change file permissions for the keystone service
================================================

To change file permissions, set the following data:

``files`` - block to set permissions on files. Each entry is keyed by the full
path to the file and accepts the following optional parameters:

- user (default value is ``root``)
- group (default value is ``keystone``)
- mode (default value is ``0640``)

``directories`` - block to set permissions on directories. Each entry is keyed
by the full path to the directory and accepts the following optional parameters:

- user (default value is ``root``)
- group (default value is ``keystone``)
- mode (default value is ``0750``)

.. code-block:: yaml

    keystone:
      files:
        /etc/keystone/keystone.conf:
          user: 'root'
          group: 'keystone'
          mode: '0750'
      directories:
        /etc/keystone:
          user: 'root'
          group: 'keystone'
          mode: '0750'

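As an added example (not part of the formula), the following Python applies the defaults listed above to a ``files``/``directories`` pillar and flags any entry whose mode grants access to ``other``, which is the usual mistake when keystone.conf holds database credentials; the pillar and the ``keystone-paste.ini`` path are constructed for the example.

```python
# Added example (not the formula's own code): expand the keystone:files and
# keystone:directories pillar blocks with the defaults described above and
# check the result for world-accessible entries. Paths below are constructed.
import stat

FILE_DEFAULTS = {"user": "root", "group": "keystone", "mode": "0640"}
DIR_DEFAULTS = {"user": "root", "group": "keystone", "mode": "0750"}

# Constructed pillar: the page's example plus a file relying on the defaults.
SAMPLE_PILLAR = {
    "files": {
        "/etc/keystone/keystone.conf": {"user": "root", "group": "keystone", "mode": "0750"},
        "/etc/keystone/keystone-paste.ini": {},  # hypothetical path; relies on the defaults
    },
    "directories": {
        "/etc/keystone": {"user": "root", "group": "keystone", "mode": "0750"},
    },
}

def expand_permissions(pillar):
    """Return {path: {"user", "group", "mode"}} with the block defaults filled in."""
    plan = {}
    for block, defaults in (("files", FILE_DEFAULTS), ("directories", DIR_DEFAULTS)):
        for path, opts in pillar.get(block, {}).items():
            unknown = set(opts) - set(defaults)
            if unknown:
                raise ValueError(f"{path}: unknown keys {sorted(unknown)}")
            plan[path] = {**defaults, **opts}
    return plan

def world_accessible(plan):
    """Paths whose mode grants any permission to 'other'."""
    return sorted(p for p, e in plan.items() if int(e["mode"], 8) & stat.S_IRWXO)

if __name__ == "__main__":
    for path, entry in expand_permissions(SAMPLE_PILLAR).items():
        print(f"{path}: {entry['user']}:{entry['group']} {entry['mode']}")
```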
Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkgs_latest     | Ensure that packages used by particular application  |
|                               | are installed to the latest available version.       |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch, as the minimal required version     |
|                               | in OpenStack services is usually very old. The data  |
|                               | plane packages should be upgraded separately by      |
|                               | ``apt-get upgrade`` or ``apt-get dist-upgrade``.     |
|                               | Applying this state will not autostart the service.  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure that the configuration is rendered for the    |
|                               | actual version.                                      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running the upgrade.                    |
|                               | Only non-destructive actions will be applied during  |
|                               | this phase. Perform the built-in service checks      |
|                               | (keystone-manage doctor, nova-status upgrade).       |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from the  |
|                               | current node if it is allowed. Services for the      |
|                               | upgraded application will be set to admin disabled   |
|                               | state to make sure the node will not participate in  |
|                               | resource scheduling. For example, on gtw nodes this  |
|                               | will set all agents to admin disabled state and will |
|                               | move all routers to other agents.                    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade the application on |
|                               | the particular target: stop services, render         |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when the upgrade  |
|                               | of the cloud is completed. Clean up temporary files  |
|                               | and perform other post-upgrade tasks.                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we do basic health checks (API CRUD operations, |
|                               | verify there are no dead network agents/compute      |
|                               | services).                                           |
+-------------------------------+------------------------------------------------------+

Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a third-party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master Git
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt