Blame - README.rst - salt-formulas/keystone

blob: ff64b7b65fd3cbba5871d65c75a9f2e66f370820 [file] [log] [blame]

Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	1	==================
				2	OpenStack Keystone
				3	==================
				4
Jakub Pavlik	ffc280d	2016-05-20 11:19:14 +0200	[diff] [blame]	5	Keystone provides authentication, authorization and service discovery
				6	mechanisms via HTTP primarily for use by projects in the OpenStack family. It
				7	is most commonly deployed as an HTTP interface to existing identity systems,
				8	such as LDAP.
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	9
				10	From Kilo release Keystone v3 endpoint has definition without version in url
				11
				12	.. code-block:: bash
				13
				14	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				15	\| id \| region \| publicurl \| internalurl \| adminurl \| service_id \|
				16	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				17	\| 91663a8db11c487c9253c8c456863494 \| RegionOne \| http://10.0.150.37:5000/ \| http://10.0.150.37:5000/ \| http://10.0.150.37:35357/ \| 0fd2dba3153d45a1ba7f709cfc2d69c9 \|
				18	+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
				19
				20
				21	Sample pillars
				22	==============
				23
Alexander Noskov	78b81e0	2016-12-05 16:20:50 +0400	[diff] [blame]	24	.. caution::
Adam Tengler	7c66c88	2016-03-14 19:35:49 +0100	[diff] [blame]	25
Jakub Pavlik	ffc280d	2016-05-20 11:19:14 +0200	[diff] [blame]	26	When you use localhost as your database host (keystone:server:
				27	atabase:host), sqlalchemy will try to connect to /var/run/mysql/
				28	mysqld.sock, may cause issues if you located your mysql socket elsewhere
Adam Tengler	7c66c88	2016-03-14 19:35:49 +0100	[diff] [blame]	29
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	30	Full stacked keystone
				31
				32	.. code-block:: yaml
				33
				34	keystone:
				35	server:
				36	enabled: true
				37	version: juno
				38	service_token: 'service_tokeen'
				39	service_tenant: service
				40	service_password: 'servicepwd'
				41	admin_tenant: admin
				42	admin_name: admin
				43	admin_password: 'adminpwd'
				44	admin_email: stackmaster@domain.com
				45	roles:
				46	- admin
				47	- Member
				48	- image_manager
				49	bind:
				50	address: 0.0.0.0
				51	private_address: 127.0.0.1
				52	private_port: 35357
				53	public_address: 127.0.0.1
				54	public_port: 5000
				55	api_version: 2.0
				56	region: RegionOne
				57	database:
				58	engine: mysql
				59	host: '127.0.0.1'
				60	name: 'keystone'
				61	password: 'LfTno5mYdZmRfoPV'
				62	user: 'keystone'
				63
				64	Keystone public HTTPS API
				65
				66	.. code-block:: yaml
				67
				68	keystone:
				69	server:
				70	enabled: true
				71	version: juno
				72	...
				73	services:
				74	- name: nova
				75	type: compute
				76	description: OpenStack Compute Service
				77	user:
				78	name: nova
				79	password: password
				80	bind:
				81	public_address: cloud.domain.com
				82	public_protocol: https
				83	public_port: 8774
				84	internal_address: 10.0.0.20
				85	internal_port: 8774
				86	admin_address: 10.0.0.20
				87	admin_port: 8774
				88
				89	Keystone memcached storage for tokens
				90
				91	.. code-block:: yaml
				92
				93	keystone:
				94	server:
				95	enabled: true
				96	version: juno
				97	...
				98	token_store: cache
				99	cache:
				100	engine: memcached
				101	host: 127.0.0.1
				102	port: 11211
				103	services:
				104	...
				105
				106	Keystone clustered memcached storage for tokens
				107
				108	.. code-block:: yaml
				109
				110	keystone:
				111	server:
				112	enabled: true
				113	version: juno
				114	...
				115	token_store: cache
				116	cache:
				117	engine: memcached
				118	members:
				119	- host: 192.160.0.1
				120	port: 11211
				121	- host: 192.160.0.2
				122	port: 11211
				123	services:
				124	...
				125
				126	Keystone client
				127
				128	.. code-block:: yaml
				129
				130	keystone:
				131	client:
				132	enabled: true
				133	server:
				134	host: 10.0.0.2
				135	public_port: 5000
				136	private_port: 35357
				137	service_token: 'token'
				138	admin_tenant: admin
				139	admin_name: admin
				140	admin_password: 'passwd'
				141
				142	Keystone cluster
				143
				144	.. code-block:: yaml
				145
				146	keystone:
				147	control:
				148	enabled: true
				149	provider:
				150	os15_token:
				151	host: 10.0.0.2
				152	port: 35357
				153	token: token
				154	os15_tcp_core_stg:
				155	host: 10.0.0.5
				156	port: 5000
				157	tenant: admin
				158	name: admin
				159	password: password
				160
				161	Keystone fernet tokens for OpenStack Kilo release
				162
				163	.. code-block:: yaml
				164
				165	keystone:
				166	server:
				167	...
				168	tokens:
				169	engine: fernet
Jakub Pavlik	6b0b74a	2016-09-01 10:49:14 +0200	[diff] [blame]	170	max_active_keys: 3
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	171	...
				172
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	173	Keystone domain with LDAP backend, using SQL for role/project assignment
				174
				175	.. code-block:: yaml
				176
				177	keystone:
				178	server:
				179	domain:
Filip Pytloun	af25d8d	2016-01-12 14:21:39 +0100	[diff] [blame]	180	description: "Testing domain"
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	181	backend: ldap
				182	assignment:
				183	backend: sql
				184	ldap:
Ales Komarek	aabbda6	2016-03-15 08:38:35 +0100	[diff] [blame]	185	url: "ldaps://idm.domain.com"
				186	suffix: "dc=cloud,dc=domain,dc=com"
				187	# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	188	uid: keystone
Ales Komarek	aabbda6	2016-03-15 08:38:35 +0100	[diff] [blame]	189	password: password
Filip Pytloun	6b9ec2b	2016-01-12 13:52:01 +0100	[diff] [blame]	190
Filip Pytloun	1abfdd7	2016-01-18 11:35:17 +0100	[diff] [blame]	191	Using LDAP backend for default domain
				192
				193	.. code-block:: yaml
				194
				195	keystone:
				196	server:
				197	backend: ldap
				198	assignment:
				199	backend: sql
				200	ldap:
Ales Komarek	aabbda6	2016-03-15 08:38:35 +0100	[diff] [blame]	201	url: "ldaps://idm.domain.com"
				202	suffix: "dc=cloud,dc=domain,dc=com"
				203	# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
Filip Pytloun	1abfdd7	2016-01-18 11:35:17 +0100	[diff] [blame]	204	uid: keystone
Ales Komarek	aabbda6	2016-03-15 08:38:35 +0100	[diff] [blame]	205	password: password
				206
				207	Simple service endpoint definition (defaults to RegionOne)
				208
				209	.. code-block:: yaml
				210
				211	keystone:
				212	server:
				213	service:
				214	ceilometer:
				215	type: metering
				216	description: OpenStack Telemetry Service
				217	user:
				218	name: ceilometer
				219	password: password
				220	bind:
				221	...
				222
				223	Region-aware service endpoints definition
				224
				225	.. code-block:: yaml
				226
				227	keystone:
				228	server:
				229	service:
				230	ceilometer_region01:
				231	service: ceilometer
				232	type: metering
				233	region: region01
				234	description: OpenStack Telemetry Service
				235	user:
				236	name: ceilometer
				237	password: password
				238	bind:
				239	...
				240	ceilometer_region02:
				241	service: ceilometer
				242	type: metering
				243	region: region02
				244	description: OpenStack Telemetry Service
				245	bind:
				246	...
				247
Jakub Pavlik	72e31d6	2016-04-08 16:26:57 +0200	[diff] [blame]	248	Enable ceilometer notifications
				249
				250	.. code-block:: yaml
				251
				252	keystone:
				253	server:
				254	notification: true
				255	message_queue:
				256	engine: rabbitmq
				257	host: 127.0.0.1
				258	port: 5672
				259	user: openstack
				260	password: password
				261	virtual_host: '/openstack'
				262	ha_queues: true
Filip Pytloun	1abfdd7	2016-01-18 11:35:17 +0100	[diff] [blame]	263
Petr Michalec	98fc6d6	2016-12-03 11:30:35 +0100	[diff] [blame]	264	Enable CADF audit notification
				265
				266	.. code-block:: yaml
				267
				268	keystone:
				269	server:
				270	notification: true
				271	notification_format: cadf
				272
Alexander Noskov	78b81e0	2016-12-05 16:20:50 +0400	[diff] [blame]	273	Run keystone under Apache
				274
				275	.. code-block:: yaml
				276
				277	keystone:
				278	server:
				279	service_name: apache2
				280	apache:
				281	server:
				282	enabled: true
				283	default_mpm: event
				284	site:
				285	keystone:
				286	enabled: true
				287	type: keystone
				288	name: wsgi
				289	host:
				290	name: ${linux:network:fqdn}
				291	modules:
				292	- wsgi
				293
				294	Enable Federated keystone
				295
				296	.. code-block:: yaml
				297
				298	keystone:
				299	server:
				300	websso:
				301	protocol: saml2
				302	remote_id_attribute: Shib-Identity-Provider
				303	federation_driver: keystone.contrib.federation.backends.sql.Federation
				304	trusted_dashboard:
				305	- http://${_param:proxy_vip_address_public}/horizon/auth/websso/
				306	apache:
				307	server:
				308	pkgs:
				309	- apache2
				310	- libapache2-mod-shib2
				311	modules:
				312	- wsgi
				313	- shib2
Ales Komarek	74a3ba6	2016-10-05 12:16:52 +0200	[diff] [blame]	314
				315	Keystone client
				316	---------------
				317
				318	Service endpoints enforcement with service token
				319
				320	.. code-block:: yaml
				321
				322	keystone:
				323	client:
				324	enabled: true
				325	server:
				326	keystone01:
				327	admin:
				328	host: 10.0.0.2
				329	port: 35357
				330	token: 'service_token'
				331	service:
				332	nova:
				333	type: compute
				334	description: OpenStack Compute Service
				335	endpoints:
				336	- region: region01
				337	public_address: 172.16.10.1
				338	public_port: 8773
				339	public_path: '/v2'
				340	internal_address: 172.16.10.1
				341	internal_port: 8773
				342	internal_path: '/v2'
				343	admin_address: 172.16.10.1
				344	admin_port: 8773
				345	admin_path: '/v2'
				346
				347	Project, users, roles enforcement with admin user
				348
				349	.. code-block:: yaml
				350
				351	keystone:
				352	client:
				353	enabled: true
				354	server:
				355	keystone01:
				356	admin:
				357	host: 10.0.0.2
				358	port: 5000
				359	project: 'token'
				360	user: admin
				361	password: 'passwd'
				362	roles:
				363	- admin
				364	- member
				365	project:
				366	tenant01:
				367	description: "test env"
				368	user:
				369	user01:
				370	email: jdoe@domain.com
				371	is_admin: true
				372	password: some
				373	user02:
				374	email: jdoe2@domain.com
				375	password: some
				376	roles:
				377	- custom-roles
				378
Jakub Pavlik	ffc280d	2016-05-20 11:19:14 +0200	[diff] [blame]	379	Documentation and Bugs
Ales Komarek	74a3ba6	2016-10-05 12:16:52 +0200	[diff] [blame]	380	======================
Filip Pytloun	943d688	2015-10-06 16:28:32 +0200	[diff] [blame]	381
Jakub Pavlik	ffc280d	2016-05-20 11:19:14 +0200	[diff] [blame]	382	To learn how to deploy OpenStack Salt, consult the documentation available
				383	online at:
				384
				385	https://wiki.openstack.org/wiki/OpenStackSalt
				386
				387	In the unfortunate event that bugs are discovered, they should be reported to
				388	the appropriate bug tracker. If you obtained the software from a 3rd party
				389	operating system vendor, it is often wise to use their own bug tracker for
				390	reporting problems. In all other cases use the master OpenStack bug tracker,
				391	available at:
				392
				393	http://bugs.launchpad.net/openstack-salt
				394
				395	Developers wishing to work on the OpenStack Salt project should always base
				396	their work on the latest formulas code, available from the master GIT
				397	repository at:
				398
				399	https://git.openstack.org/cgit/openstack/salt-formula-keystone
				400
				401	Developers should also join the discussion on the IRC list, at:
				402
				403	https://wiki.openstack.org/wiki/Meetings/openstack-salt