==================
OpenStack Keystone
==================

Keystone provides authentication, authorization and service discovery
mechanisms via HTTP primarily for use by projects in the OpenStack family. It
is most commonly deployed as an HTTP interface to existing identity systems,
such as LDAP.

Since the Kilo release, the Keystone v3 endpoint is defined without a version
suffix in its URL:

.. code-block:: bash

    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    |                id                |   region  |         publicurl        |        internalurl       |          adminurl         |            service_id            |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
    | 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
    +----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+


Sample pillars
==============

.. caution::

    When you use localhost as your database host (keystone:server:database:host),
    sqlalchemy will try to connect to /var/run/mysql/mysqld.sock, which may cause
    issues if your mysql socket is located elsewhere.

Full stacked keystone

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        service_token: 'service_tokeen'
        service_tenant: service
        service_password: 'servicepwd'
        admin_tenant: admin
        admin_name: admin
        admin_password: 'adminpwd'
        admin_email: stackmaster@domain.com
        roles:
        - admin
        - Member
        - image_manager
        bind:
          address: 0.0.0.0
          private_address: 127.0.0.1
          private_port: 35357
          public_address: 127.0.0.1
          public_port: 5000
        api_version: 2.0
        region: RegionOne
        database:
          engine: mysql
          host: '127.0.0.1'
          name: 'keystone'
          password: 'LfTno5mYdZmRfoPV'
          user: 'keystone'

Keystone public HTTPS API

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        services:
        - name: nova
          type: compute
          description: OpenStack Compute Service
          user:
            name: nova
            password: password
          bind:
            public_address: cloud.domain.com
            public_protocol: https
            public_port: 8774
            internal_address: 10.0.0.20
            internal_port: 8774
            admin_address: 10.0.0.20
            admin_port: 8774

Keystone memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          host: 127.0.0.1
          port: 11211
        services:
        ...

Keystone clustered memcached storage for tokens

.. code-block:: yaml

    keystone:
      server:
        enabled: true
        version: juno
        ...
        token_store: cache
        cache:
          engine: memcached
          members:
          - host: 192.160.0.1
            port: 11211
          - host: 192.160.0.2
            port: 11211
        services:
        ...

Keystone client

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          host: 10.0.0.2
          public_port: 5000
          private_port: 35357
          service_token: 'token'
          admin_tenant: admin
          admin_name: admin
          admin_password: 'passwd'

Keystone cluster

.. code-block:: yaml

    keystone:
      control:
        enabled: true
        provider:
          os15_token:
            host: 10.0.0.2
            port: 35357
            token: token
          os15_tcp_core_stg:
            host: 10.0.0.5
            port: 5000
            tenant: admin
            name: admin
            password: password

Keystone fernet tokens for OpenStack Kilo release

.. code-block:: yaml

    keystone:
      server:
        ...
        tokens:
          engine: fernet
          max_active_keys: 3
        ...

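The ``tokens`` pillar above selects fernet tokens and ``max_active_keys`` bounds how many keys the key repository keeps. The following example is added here and is not code from the formula or from keystone: it models the staged/primary/secondary key layout and the rotation that keystone's key repository follows (a toy HMAC token stands in for a real fernet token, which is an assumption of this model), and derives the sizing rule that relates ``max_active_keys`` to the token lifetime and rotation period.

```python
import base64
import hashlib
import hmac
import math
import secrets


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class FernetKeyRing:
    """Key repository laid out like keystone's: index 0 is the staged key, the
    highest index is the primary, the rest are secondaries kept for validation."""

    def __init__(self, max_active_keys: int = 3):
        if max_active_keys < 2:
            raise ValueError("need at least a staged and a primary key")
        self.max_active_keys = max_active_keys
        self.keys = {0: secrets.token_bytes(32), 1: secrets.token_bytes(32)}

    @property
    def primary(self) -> int:
        return max(self.keys)

    def rotate(self) -> None:
        # Promote the staged key to primary and stage a fresh one, so every
        # node already holds the next signing key before it is used.
        self.keys[self.primary + 1] = self.keys.pop(0)
        self.keys[0] = secrets.token_bytes(32)
        # Drop the oldest secondaries until the ring fits max_active_keys;
        # tokens signed under a dropped key stop validating from here on.
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(k for k in self.keys if k != 0)]

    def issue(self, payload: bytes) -> str:
        # Toy token: base64(payload).base64(HMAC-SHA256 under the primary key).
        mac = hmac.new(self.keys[self.primary], payload, hashlib.sha256).digest()
        return b64(payload) + "." + b64(mac)

    def verify(self, token: str) -> bool:
        # As with MultiFernet, any key still in the repository may validate.
        try:
            p64, m64 = token.split(".")
            payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
        except ValueError:  # malformed token or bad base64
            return False
        return any(hmac.compare_digest(mac, hmac.new(k, payload, hashlib.sha256).digest())
                   for k in self.keys.values())


def required_max_active_keys(token_lifetime_h: float, rotation_period_h: float) -> int:
    # A token is guaranteed only (max_active_keys - 2) full rotation periods,
    # hence keystone's sizing rule ceil(lifetime / period) + 2.
    return math.ceil(token_lifetime_h / rotation_period_h) + 2
```

With ``max_active_keys: 3`` a token issued under the current primary still validates after one rotation and fails after the second, so the rotation period must exceed the token lifetime.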
Keystone auth methods

.. code-block:: yaml

    keystone:
      server:
        ...
        auth_methods:
        - external
        - password
        - token
        - oauth1
        ...

Keystone domain with LDAP backend, using SQL for role/project assignment

.. code-block:: yaml

    keystone:
      server:
        domain:
          description: "Testing domain"
          backend: ldap
          assignment:
            backend: sql
          ldap:
            url: "ldaps://idm.domain.com"
            suffix: "dc=cloud,dc=domain,dc=com"
            # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
            uid: keystone
            password: password

Using LDAP backend for default domain

.. code-block:: yaml

    keystone:
      server:
        backend: ldap
        assignment:
          backend: sql
        ldap:
          url: "ldaps://idm.domain.com"
          suffix: "dc=cloud,dc=domain,dc=com"
          # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
          uid: keystone
          password: password

Simple service endpoint definition (defaults to RegionOne)

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer:
            type: metering
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...

Region-aware service endpoints definition

.. code-block:: yaml

    keystone:
      server:
        service:
          ceilometer_region01:
            service: ceilometer
            type: metering
            region: region01
            description: OpenStack Telemetry Service
            user:
              name: ceilometer
              password: password
            bind:
              ...
          ceilometer_region02:
            service: ceilometer
            type: metering
            region: region02
            description: OpenStack Telemetry Service
            bind:
              ...

Enable ceilometer notifications

.. code-block:: yaml

    keystone:
      server:
        notification: true
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: password
          virtual_host: '/openstack'
          ha_queues: true

Client-side RabbitMQ HA setup

.. code-block:: yaml

    keystone:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
          - host: 10.0.16.1
          - host: 10.0.16.2
          - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable CADF audit notification

.. code-block:: yaml

    keystone:
      server:
        notification: true
        notification_format: cadf

Run keystone under Apache

.. code-block:: yaml

    keystone:
      server:
        service_name: apache2
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          keystone:
            enabled: true
            type: keystone
            name: wsgi
            host:
              name: ${linux:network:fqdn}
        modules:
        - wsgi

Enable SAML2 Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - saml2
        federation:
          saml2:
            protocol: saml2
            remote_id_attribute: Shib-Identity-Provider
            shib_url_scheme: https
            shib_compat_valid_user: 'on'
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          federated_domain_name: Federated
          trusted_dashboard:
          - https://${_param:cluster_public_host}/horizon/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-shib2
        modules:
        - wsgi
        - shib2

Enable OIDC Federated keystone

.. code-block:: yaml

    keystone:
      server:
        auth_methods:
        - password
        - token
        - oidc
        federation:
          oidc:
            protocol: oidc
            remote_id_attribute: HTTP_OIDC_ISS
            remote_id_attribute_value: https://accounts.google.com
            oidc_claim_prefix: "OIDC-"
            oidc_response_type: id_token
            oidc_scope: "openid email profile"
            oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
            oidc_client_id: <openid_client_id>
            oidc_client_secret: <openid_client_secret>
            oidc_crypto_passphrase: openstack
            oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
            oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
            oidc_oauth_introspection_token_param_name: access_token
            oidc_oauth_remote_user_claim: user_id
            oidc_ssl_validate_server: 'off'
          federated_domain_name: Federated
          federation_driver: keystone.contrib.federation.backends.sql.Federation
          trusted_dashboard:
          - https://${_param:cluster_public_host}/auth/websso/
    apache:
      server:
        pkgs:
        - apache2
        - libapache2-mod-auth-openidc
        modules:
        - wsgi
        - auth_openidc

Notes: the Ubuntu Trusty repository doesn't contain the libapache2-mod-auth-openidc
package; an additional repository should be added to the sources list. Also note
that ``oidc_ssl_validate_server: 'off'`` disables TLS certificate validation of the
OpenID provider and is only suitable for testing; keep it ``'on'`` in production.

Use a custom identity driver with custom options

.. code-block:: yaml

    keystone:
      server:
        backend: k2k
        k2k:
          auth_url: 'https://keystone.example.com/v2.0'
          read_user: 'example_user'
          read_pass: 'password'
          read_tenant_id: 'admin'
          identity_driver: 'sql'
          id_prefix: 'k2k:'
          domain: 'default'
          caching: true
          cache_time: 600

Enable CORS parameters

.. code-block:: yaml

    keystone:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Keystone client
---------------

Service endpoints enforcement with service token

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 35357
              token: 'service_token'
            service:
              nova:
                type: compute
                description: OpenStack Compute Service
                endpoints:
                - region: region01
                  public_address: 172.16.10.1
                  public_port: 8773
                  public_path: '/v2'
                  internal_address: 172.16.10.1
                  internal_port: 8773
                  internal_path: '/v2'
                  admin_address: 172.16.10.1
                  admin_port: 8773
                  admin_path: '/v2'

Project, users, roles enforcement with admin user

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20
                user:
                  user01:
                    email: jdoe@domain.com
                    is_admin: true
                    password: some
                  user02:
                    email: jdoe2@domain.com
                    password: some
                    roles:
                    - custom-roles

Multiple servers example

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne
              protocol: https
          keystone02:
            admin:
              host: 10.0.0.3
              port: 5000
              project: 'admin'
              user: admin
              password: 'workshop'
              region_name: RegionOne


Tenant quotas

.. code-block:: yaml

    keystone:
      client:
        enabled: true
        server:
          keystone01:
            admin:
              host: 10.0.0.2
              port: 5000
              project: admin
              user: admin
              password: 'passwd'
              region_name: RegionOne
              protocol: https
            roles:
            - admin
            - member
            project:
              tenant01:
                description: "test env"
                quota:
                  instances: 100
                  cores: 24
                  ram: 151200
                  floating_ips: 50
                  fixed_ips: -1
                  metadata_items: 128
                  injected_files: 5
                  injected_file_content_bytes: 10240
                  injected_file_path_bytes: 255
                  key_pairs: 100
                  security_groups: 20
                  security_group_rules: 40
                  server_groups: 20
                  server_group_members: 20

Extra config params in keystone.conf (since Mitaka release)

.. code-block:: yaml

    keystone:
      server:
        ....
        extra_config:
          ini_section1:
            param1: value
            param2: value
          ini_section2:
            param1: value
            param2: value
        ....

Configuration of policy.json file

.. code-block:: yaml

    keystone:
      server:
        ....
        policy:
          admin_or_token_subject: 'rule:admin_required or rule:token_subject'

Usage
=====

Apply the state `keystone.client.service` first and then the `keystone.client` state.


Documentation and Bugs
======================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-keystone

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-keystone/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-keystone

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net