Add Keycloak authentication doc for server side

TODO:
* Add info into client side auth section

Partially implements: blueprint mistral-keycloak-auth-docs

Change-Id: I930d5773ca2607bbe99fb22a17c39eda94ca34d5
Renat Akhmerov 2017-02-14 13:57:10 +07:00
parent c85ebd5c5d
commit f786da42b2


@ -7,13 +7,13 @@ either with real OpenStack environment or without OpenStack environment.
**NOTE:** The most of the following operations should performed in mistral **NOTE:** The most of the following operations should performed in mistral
directory. directory.
1. Generate *mistral.conf* (if it does not already exist):: #. Generate *mistral.conf* (if it does not already exist)::
$ oslo-config-generator --config-file tools/config/config-generator.mistral.conf --output-file /etc/mistral/mistral.conf $ oslo-config-generator --config-file tools/config/config-generator.mistral.conf --output-file /etc/mistral/mistral.conf
2. Edit file **/etc/mistral/mistral.conf**. #. Edit file **/etc/mistral/mistral.conf**.
3. **If you are not using OpenStack, skip this item.** Provide valid keystone #. **If you are not using OpenStack, skip this item.** Provide valid keystone
auth properties:: auth properties::
[keystone_authtoken] [keystone_authtoken]
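Review bot: the NOTE this hunk renumbers under is ungrammatical ("The most of the following operations should performed in mistral directory"); since the list is already being touched, change it to "Most of the following operations should be performed in the mistral directory". Switching from hard-coded "1." numbering to "#." auto-numbering is the right call here, since the Keycloak step is inserted in the middle of the list.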
@ -24,7 +24,19 @@ directory.
admin_password = <password> admin_password = <password>
admin_tenant_name = <tenant> admin_tenant_name = <tenant>
4. If you want to configure SSL for Mistral API server, provide following options #. Mistral can be also configured to authenticate with Keycloak server via OpenID Connect protocol.
In order to enable Keycloak authentication the following section should be in the config file::
auth_type = keycloak-oidc
[keycloak_oidc]
auth_url = https://<Keycloak-server-host>:<Keycloak-server-port>/auth
Property 'auth_type' is assigned to 'keystone' by default.
If SSL/TLS verification needs to be disabled then 'insecure = True' should also be added
under [keycloak_oidc] group.
#. If you want to configure SSL for Mistral API server, provide following options
in config file:: in config file::
[api] [api]
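Review bot: the new Keycloak snippet shows `auth_type = keycloak-oidc` with no section header above it, so a reader cannot tell which group of mistral.conf it belongs to; add the section header above that line the way every other snippet in this file does. The `insecure = True` sentence should also state what the option does, namely that it disables TLS certificate verification for requests to the Keycloak server, and that it is meant for test setups rather than a production identity provider. Wording: "Mistral can be also configured to authenticate with Keycloak server via OpenID Connect protocol" reads better as "Mistral can also be configured to authenticate against a Keycloak server via the OpenID Connect protocol", and "Property 'auth_type' is assigned to 'keystone' by default" as "The auth_type option defaults to keystone".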
@ -35,20 +47,20 @@ directory.
cert_file = <path-to-certificate file> cert_file = <path-to-certificate file>
key_file = <path-to-key file> key_file = <path-to-key file>
5. **If you don't use OpenStack or you want to disable authentication for the #. **If you don't use OpenStack or you want to disable authentication for the
Mistral service**, provide ``auth_enable = False`` in the config file:: Mistral service**, provide ``auth_enable = False`` in the config file::
[pecan] [pecan]
auth_enable = False auth_enable = False
6. **If you are not using OpenStack, skip this item**. Register Mistral service #. **If you are not using OpenStack, skip this item**. Register Mistral service
and Mistral endpoints on Keystone:: and Mistral endpoints on Keystone::
$ MISTRAL_URL="http://[host]:[port]/v2" $ MISTRAL_URL="http://[host]:[port]/v2"
$ openstack service create workflow --name mistral --description 'OpenStack Workflow service' $ openstack service create workflow --name mistral --description 'OpenStack Workflow service'
$ openstack endpoint create workflow --publicurl $MISTRAL_URL --adminurl $MISTRAL_URL --internalurl $MISTRAL_URL $ openstack endpoint create workflow --publicurl $MISTRAL_URL --adminurl $MISTRAL_URL --internalurl $MISTRAL_URL
7. Configure transport properties in the corresponding config section: for #. Configure transport properties in the corresponding config section: for
RabbitMQ it is **oslo_messaging_rabbit**:: RabbitMQ it is **oslo_messaging_rabbit**::
[oslo_messaging_rabbit] [oslo_messaging_rabbit]
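Review bot: with Keycloak now documented, the item "If you don't use OpenStack or you want to disable authentication for the Mistral service, provide auth_enable = False" becomes misleading, because a deployment without OpenStack can keep authentication enabled through `auth_type = keycloak-oidc`. Reword it to "If you want to disable authentication for the Mistral service" and say explicitly that `auth_enable = False` disables authentication regardless of the auth_type chosen. Minor: "provide following options in config file" should be "provide the following options in the config file".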
@ -56,23 +68,22 @@ directory.
rabbit_password = <password> rabbit_password = <password>
rabbit_host = <host> rabbit_host = <host>
**NOTE**: Make sure that backend transport configuration is correct. Example for **NOTE**: Make sure that backend transport configuration is correct. Example for RabbitMQ::
RabbitMQ::
[DEFAULT] [DEFAULT]
rpc_backend = rabbit rpc_backend = rabbit
8. Configure database. **SQLite can't be used in production**. Use *MySQL* or #. Configure database. **SQLite can't be used in production**. Use *MySQL* or
*PostgreSQL* instead. Here are the steps how to connect *MySQL* DB to Mistral: *PostgreSQL* instead. Here are the steps how to connect *MySQL* DB to Mistral:
Make sure you have installed **mysql-server** package on your Database machine Make sure you have installed **mysql-server** package on your database machine
(it can be your Mistral machine as well). (it can be your Mistral machine as well).
Install MySQL driver for python:: Install MySQL driver for python::
$ pip install mysql-python $ pip install mysql-python
Create the database and grant privileges:: Create the database and grant privileges::
$ mysql -u root -p $ mysql -u root -p
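Review bot: style only in this hunk: "Here are the steps how to connect MySQL DB to Mistral" reads better as "Here is how to connect a MySQL database to Mistral", and "Install MySQL driver for python" as "Install the MySQL driver for Python".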
@ -80,30 +91,30 @@ directory.
USE mistral USE mistral
GRANT ALL ON mistral.* TO 'root':<password>@<database-host>; GRANT ALL ON mistral.* TO 'root':<password>@<database-host>;
Configure connection in Mistral config:: Configure connection in Mistral config::
[database] [database]
connection = mysql://<user>:<password>@<database-host>:3306/mistral connection = mysql://<user>:<password>@<database-host>:3306/mistral
**NOTE**: If PostgreSQL is used, configure connection item as below:: **NOTE**: If PostgreSQL is used, configure connection item as below::
connection = postgresql://<user>:<password>@<database-host>:5432/mistral connection = postgresql://<user>:<password>@<database-host>:5432/mistral
9. **If you are not using OpenStack, skip this item.** #. **If you are not using OpenStack, skip this item.**
Update mistral/actions/openstack/mapping.json file which contains all allowed Update mistral/actions/openstack/mapping.json file which contains all allowed
OpenStack actions, according to the specific client versions of OpenStack OpenStack actions, according to the specific client versions of OpenStack
projects in your deployment. Please find more detailed information in projects in your deployment. Please find more detailed information in
tools/get_action_list.py script. tools/get_action_list.py script.
10. Configure Task affinity feature if needed. It is needed for distinguishing #. Configure Task affinity feature if needed. It is needed for distinguishing
either single task executor or one task executor from group of task executors:: either single task executor or one task executor from group of task executors::
[executor] [executor]
host = my_favorite_executor host = my_favorite_executor
Then, this executor can be referred in Workflow Language by Then, this executor can be referred in Workflow Language by
.. code-block:: yaml .. code-block:: yaml
...Workflow YAML... ...Workflow YAML...
my_task: my_task:
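Review bot: the GRANT line in this hunk's context, `GRANT ALL ON mistral.* TO 'root':<password>@<database-host>;`, is not valid MySQL syntax and also hands the service the root account. Suggest creating a dedicated account with only the privileges Mistral needs, e.g. `CREATE USER 'mistral'@'<database-host>' IDENTIFIED BY '<password>';` followed by `GRANT ALL ON mistral.* TO 'mistral'@'<database-host>';`, and then using that same user in the `connection = mysql://<user>:...` line below it. In the task affinity item, "for distinguishing either single task executor or one task executor from group of task executors" is hard to parse; "so that a workflow task can be targeted at a specific executor" says the same thing plainly.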
@ -111,14 +122,14 @@ directory.
target: my_favorite_executor target: my_favorite_executor
...Workflow YAML... ...Workflow YAML...
11. Configure role based access policies for Mistral endpoints (policy.json):: #. Configure role based access policies for Mistral endpoints (policy.json)::
[oslo_policy] [oslo_policy]
policy_file = <path-of-policy.json file> policy_file = <path-of-policy.json file>
Default policy.json file is in ``mistral/etc/``. For more deatils see `policy.json file <http://docs.openstack.org/mitaka/config-reference/policy-json-file.html>`_. Default policy.json file is in ``mistral/etc/``. For more deatils see `policy.json file <http://docs.openstack.org/mitaka/config-reference/policy-json-file.html>`_.
12. After that try to run mistral engine and see it is running without any error:: #. After that try to run mistral engine and see it is running without any error::
$ mistral-server --config-file <path-to-config> --server engine $ mistral-server --config-file <path-to-config> --server engine
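Review bot: typo in the policy.json paragraph: "deatils" should be "details". The link points at the Mitaka config reference, which is release-specific and will go stale; consider linking the current policy.json documentation instead. Also "see it is running without any error" reads better as "check that it runs without errors".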