deb-mistral/doc/source/guides/configuration_guide.rst
Renat Akhmerov f786da42b2 Add Keycloak authentication doc for server side
TODO:
* Add info into client side auth section

Partially implements: blueprint mistral-keycloak-auth-docs

Change-Id: I930d5773ca2607bbe99fb22a17c39eda94ca34d5
2017-02-14 16:31:42 +07:00

Mistral Configuration Guide

Mistral must be configured before it will work correctly, whether it is deployed with a real OpenStack environment or without one.

NOTE: Most of the following operations should be performed in the mistral directory.

  1. Generate mistral.conf (if it does not already exist):

    $ oslo-config-generator --config-file tools/config/config-generator.mistral.conf --output-file /etc/mistral/mistral.conf
  2. Edit the file /etc/mistral/mistral.conf.

  3. If you are not using OpenStack, skip this item. Otherwise, provide valid Keystone auth properties:

    [keystone_authtoken]
    auth_uri = http://<Keystone-host>:5000/v3
    identity_uri = http://<Keystone-host>:35357/
    auth_version = v3
    admin_user = <user>
    admin_password = <password>
    admin_tenant_name = <tenant>
  4. Mistral can also be configured to authenticate against a Keycloak server via the OpenID Connect protocol. To enable Keycloak authentication, the following must be present in the config file:

    auth_type = keycloak-oidc
    
    [keycloak_oidc]
    auth_url = https://<Keycloak-server-host>:<Keycloak-server-port>/auth

    The 'auth_type' property defaults to 'keystone'. If SSL/TLS certificate verification needs to be disabled (which leaves the connection to the Keycloak server unverified and is only appropriate for test setups), 'insecure = True' should also be added under the [keycloak_oidc] group.

  5. To configure SSL/TLS for the Mistral API server, provide the following options in the config file:

    [api]
    enable_ssl_api = True
    
    [ssl]
    ca_file = <path-to-ca file>
    cert_file = <path-to-certificate file>
    key_file = <path-to-key file>
  6. If you don't use OpenStack or you want to disable authentication for the Mistral service, provide auth_enable = False in the config file:

    [pecan]
    auth_enable = False
  7. If you are not using OpenStack, skip this item. Otherwise, register the Mistral service and Mistral endpoints in Keystone:

    $ MISTRAL_URL="http://[host]:[port]/v2"
    $ openstack service create workflow --name mistral --description 'OpenStack Workflow service'
    $ openstack endpoint create workflow --publicurl $MISTRAL_URL --adminurl $MISTRAL_URL --internalurl $MISTRAL_URL
  8. Configure transport properties in the corresponding config section; for RabbitMQ it is [oslo_messaging_rabbit]:

    [oslo_messaging_rabbit]
    rabbit_userid = <user_id>
    rabbit_password = <password>
    rabbit_host = <host>

    NOTE: Make sure that the backend transport configuration is correct. Example for RabbitMQ:

    [DEFAULT]
    rpc_backend = rabbit
  9. Configure the database. SQLite can't be used in production; use MySQL or PostgreSQL instead. Here are the steps to connect a MySQL database to Mistral:

    Make sure the mysql-server package is installed on your database machine (it can be the Mistral machine as well).

    Install the MySQL driver for Python:

    $ pip install mysql-python

    Create the database and grant privileges:

    $ mysql -u root -p
    
    CREATE DATABASE mistral;
    USE mistral;
    GRANT ALL ON mistral.* TO 'root'@'<database-host>' IDENTIFIED BY '<password>';

    Configure the connection in the Mistral config:

    [database]
    connection = mysql://<user>:<password>@<database-host>:3306/mistral

    NOTE: If PostgreSQL is used, configure the connection item as below:

    connection = postgresql://<user>:<password>@<database-host>:5432/mistral
  10. If you are not using OpenStack, skip this item. Otherwise, update the mistral/actions/openstack/mapping.json file, which contains all allowed OpenStack actions, according to the specific client versions of the OpenStack projects in your deployment. More detailed information is in the tools/get_action_list.py script.

  11. Configure the task affinity feature if needed. It lets a task be targeted at a specific executor, whether a single executor or one executor out of a group:

    [executor]
    host = my_favorite_executor

    This executor can then be referred to in the Workflow Language by:

    ...Workflow YAML...
    my_task:
      ...
      target: my_favorite_executor
    ...Workflow YAML...
  12. Configure role-based access policies for the Mistral endpoints (policy.json):

    [oslo_policy]
    policy_file = <path-of-policy.json file>
    
    The default policy.json file is in ``mistral/etc/``. For more details see `policy.json file <http://docs.openstack.org/mitaka/config-reference/policy-json-file.html>`_.
  13. After that, try to run the Mistral engine and check that it starts without any errors:

    $ mistral-server --config-file <path-to-config> --server engine
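As an added example (my own script, not part of the Mistral project or of this guide), a small checker that reads a mistral.conf with Python's configparser and flags the settings from steps 4, 5, 6 and 9 that weaken a deployment: 'insecure = True' under [keycloak_oidc], a non-https Keycloak auth_url, SSL enabled on the API without all three [ssl] files, 'auth_enable = False', and a SQLite connection. It assumes 'auth_type' lives in [DEFAULT] (the guide does not say which section), and the sample config is constructed.

```python
import configparser

# Constructed sample mistral.conf (not from any real deployment) that trips several checks.
SAMPLE_CONF = """[DEFAULT]
auth_type = keycloak-oidc
[keycloak_oidc]
auth_url = https://keycloak.example.test:8443/auth
insecure = True
[api]
enable_ssl_api = True
[ssl]
cert_file = /etc/mistral/ssl/cert.pem
[pecan]
auth_enable = False
[database]
connection = sqlite:///mistral.sqlite
"""

def _true(cfg, section, option):
    """True only when the option is present and set to a true value."""
    return cfg.has_option(section, option) and cfg.getboolean(section, option)

def check_mistral_conf(text):
    """Return a list of findings for the settings this guide discusses."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    # Step 4: auth_type is assumed to live in [DEFAULT]. With Keycloak the auth_url
    # should be https, and 'insecure = True' turns off certificate verification.
    if cfg.get("DEFAULT", "auth_type", fallback="keystone") == "keycloak-oidc":
        if not cfg.get("keycloak_oidc", "auth_url", fallback="").startswith("https://"):
            findings.append("keycloak_oidc.auth_url is not https")
        if _true(cfg, "keycloak_oidc", "insecure"):
            findings.append("keycloak_oidc.insecure is True: TLS verification is disabled")
    # Step 5: enabling SSL on the API server needs all three files under [ssl].
    if _true(cfg, "api", "enable_ssl_api"):
        for opt in ("ca_file", "cert_file", "key_file"):
            if not cfg.get("ssl", opt, fallback=""):
                findings.append("api.enable_ssl_api is True but ssl.%s is not set" % opt)
    # Step 6: auth_enable = False means the API accepts unauthenticated requests.
    if cfg.has_option("pecan", "auth_enable") and not cfg.getboolean("pecan", "auth_enable"):
        findings.append("pecan.auth_enable is False: API accepts unauthenticated requests")
    # Step 9: SQLite is not supported in production.
    if cfg.get("database", "connection", fallback="").startswith("sqlite"):
        findings.append("database.connection uses SQLite, which is not for production")
    return findings

if __name__ == "__main__":
    for finding in check_mistral_conf(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against /etc/mistral/mistral.conf by passing the file's contents to check_mistral_conf; an empty list means none of the checked settings were found.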