openstack/bifrost
Code Issues Proposed changes
04a6973e88
bifrost/doc/source/user/keystone.rst
Dmitry Tantsur 4b2913ab61 Documentation: minor fixes in the user guide 
Change-Id: If60bef72c87fc15fc12b209a09d10b91a530ae20
2020-06-04 10:47:58 +02:00

64 lines
2.4 KiB
ReStructuredText
Raw Blame History

.. _keystone:
.. _`IRC`: https://wiki.openstack.org/wiki/Ironic#IRC
Bifrost execution with Keystone
===============================
Ultimately, as bifrost was designed for relatively short-lived
installations to facilitate rapid hardware deployment, the default
operating mode is referred to as ``noauth`` mode. With that,
in order to leverage keystone authentication for the roles,
one of the following steps need to take place.
#. Update the role defaults for each role you plan to make use.
This may not make much sense for most users, unless they are
carrying such changes as downstream debt.
#. Invoke ansible-playbook with variables being set to override
the default behavior. Example::
-e noauth_mode=false -e cloud_name=bifrost
#. Set the global defaults for tagret
(``master/playbooks/inventory/group_vars/target``).
OpenStack Client use with bifrost installed Keystone
----------------------------------------------------
A user wishing to invoke OSC commands against the bifrost
installation, should set the ``OS_CLOUD`` environment variable.
An example of setting the environment variable and then executing
the OSC command to list all baremetal nodes::
export OS_CLOUD=bifrost
openstack baremetal node list
Keystone roles
--------------
Ironic, which is the underlying OpenStack component bifrost
helps a user leverage, supports two different roles in keystone
that helps govern the rights a user has in keystone.
These roles are ``baremetal_admin`` and ``baremetal_observer``
and a user can learn more about the roles from the ironic `install
guide`_.
.. _`install guide`: https://docs.openstack.org/project-install-guide/baremetal/draft/configure-integration.html#configure-the-identity-service-for-the-bare-metal-service
Individual playbook use with os-client-config
=============================================
The OpenStack Ansible modules utilize os-client-config to obtain
authentication details to connect to determine details.
If ``noauth_mode`` is explicitly disabled, the bifrost roles that
speak with Ironic for actions such as enrollment of nodes and
deployment, automatically attempt to collect authentication
data from os-client-config. Largely these details are governed
as environment variables.
That being said, os-client-config supports the concept of clouds
and an a user can explicitly select the cloud they wish to deploy
to via the ``cloud_name`` parameter.
View Git Blame Copy Permalink