Add Keycloak authentication doc for server side
TODO: * Add info into client side auth section Partially implements: blueprint mistral-keycloak-auth-docs Change-Id: I930d5773ca2607bbe99fb22a17c39eda94ca34d5
This commit is contained in:
parent
c85ebd5c5d
commit
f786da42b2
@ -7,13 +7,13 @@ either with real OpenStack environment or without OpenStack environment.
|
||||
**NOTE:** The most of the following operations should performed in mistral
|
||||
directory.
|
||||
|
||||
1. Generate *mistral.conf* (if it does not already exist)::
|
||||
#. Generate *mistral.conf* (if it does not already exist)::
|
||||
|
||||
$ oslo-config-generator --config-file tools/config/config-generator.mistral.conf --output-file /etc/mistral/mistral.conf
|
||||
|
||||
2. Edit file **/etc/mistral/mistral.conf**.
|
||||
#. Edit file **/etc/mistral/mistral.conf**.
|
||||
|
||||
3. **If you are not using OpenStack, skip this item.** Provide valid keystone
|
||||
#. **If you are not using OpenStack, skip this item.** Provide valid keystone
|
||||
auth properties::
|
||||
|
||||
[keystone_authtoken]
|
||||
@ -24,7 +24,19 @@ directory.
|
||||
admin_password = <password>
|
||||
admin_tenant_name = <tenant>
|
||||
|
||||
4. If you want to configure SSL for Mistral API server, provide following options
|
||||
#. Mistral can be also configured to authenticate with Keycloak server via OpenID Connect protocol.
|
||||
In order to enable Keycloak authentication the following section should be in the config file::
|
||||
|
||||
auth_type = keycloak-oidc
|
||||
|
||||
[keycloak_oidc]
|
||||
auth_url = https://<Keycloak-server-host>:<Keycloak-server-port>/auth
|
||||
|
||||
Property 'auth_type' is assigned to 'keystone' by default.
|
||||
If SSL/TLS verification needs to be disabled then 'insecure = True' should also be added
|
||||
under [keycloak_oidc] group.
|
||||
|
||||
#. If you want to configure SSL for Mistral API server, provide following options
|
||||
in config file::
|
||||
|
||||
[api]
|
||||
@ -35,20 +47,20 @@ directory.
|
||||
cert_file = <path-to-certificate file>
|
||||
key_file = <path-to-key file>
|
||||
|
||||
5. **If you don't use OpenStack or you want to disable authentication for the
|
||||
#. **If you don't use OpenStack or you want to disable authentication for the
|
||||
Mistral service**, provide ``auth_enable = False`` in the config file::
|
||||
|
||||
[pecan]
|
||||
auth_enable = False
|
||||
|
||||
6. **If you are not using OpenStack, skip this item**. Register Mistral service
|
||||
#. **If you are not using OpenStack, skip this item**. Register Mistral service
|
||||
and Mistral endpoints on Keystone::
|
||||
|
||||
$ MISTRAL_URL="http://[host]:[port]/v2"
|
||||
$ openstack service create workflow --name mistral --description 'OpenStack Workflow service'
|
||||
$ openstack endpoint create workflow --publicurl $MISTRAL_URL --adminurl $MISTRAL_URL --internalurl $MISTRAL_URL
|
||||
|
||||
7. Configure transport properties in the corresponding config section: for
|
||||
#. Configure transport properties in the corresponding config section: for
|
||||
RabbitMQ it is **oslo_messaging_rabbit**::
|
||||
|
||||
[oslo_messaging_rabbit]
|
||||
@ -56,16 +68,15 @@ directory.
|
||||
rabbit_password = <password>
|
||||
rabbit_host = <host>
|
||||
|
||||
**NOTE**: Make sure that backend transport configuration is correct. Example for
|
||||
RabbitMQ::
|
||||
**NOTE**: Make sure that backend transport configuration is correct. Example for RabbitMQ::
|
||||
|
||||
[DEFAULT]
|
||||
rpc_backend = rabbit
|
||||
|
||||
8. Configure database. **SQLite can't be used in production**. Use *MySQL* or
|
||||
#. Configure database. **SQLite can't be used in production**. Use *MySQL* or
|
||||
*PostgreSQL* instead. Here are the steps how to connect *MySQL* DB to Mistral:
|
||||
|
||||
Make sure you have installed **mysql-server** package on your Database machine
|
||||
Make sure you have installed **mysql-server** package on your database machine
|
||||
(it can be your Mistral machine as well).
|
||||
|
||||
Install MySQL driver for python::
|
||||
@ -89,13 +100,13 @@ directory.
|
||||
|
||||
connection = postgresql://<user>:<password>@<database-host>:5432/mistral
|
||||
|
||||
9. **If you are not using OpenStack, skip this item.**
|
||||
#. **If you are not using OpenStack, skip this item.**
|
||||
Update mistral/actions/openstack/mapping.json file which contains all allowed
|
||||
OpenStack actions, according to the specific client versions of OpenStack
|
||||
projects in your deployment. Please find more detailed information in
|
||||
tools/get_action_list.py script.
|
||||
|
||||
10. Configure Task affinity feature if needed. It is needed for distinguishing
|
||||
#. Configure Task affinity feature if needed. It is needed for distinguishing
|
||||
either single task executor or one task executor from group of task executors::
|
||||
|
||||
[executor]
|
||||
@ -111,14 +122,14 @@ directory.
|
||||
target: my_favorite_executor
|
||||
...Workflow YAML...
|
||||
|
||||
11. Configure role based access policies for Mistral endpoints (policy.json)::
|
||||
#. Configure role based access policies for Mistral endpoints (policy.json)::
|
||||
|
||||
[oslo_policy]
|
||||
policy_file = <path-of-policy.json file>
|
||||
|
||||
Default policy.json file is in ``mistral/etc/``. For more deatils see `policy.json file <http://docs.openstack.org/mitaka/config-reference/policy-json-file.html>`_.
|
||||
|
||||
12. After that try to run mistral engine and see it is running without any error::
|
||||
#. After that try to run mistral engine and see it is running without any error::
|
||||
|
||||
$ mistral-server --config-file <path-to-config> --server engine
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user