openstack/deb-mistral
Code Issues Proposed changes
4e3e19bfb3
deb-mistral/doc/source/guides/configuration_guide.rst
Renat Akhmerov f786da42b2 Add Keycloak authentication doc for server side 
TODO:
* Add info into client side auth section

Partially implements: blueprint mistral-keycloak-auth-docs

Change-Id: I930d5773ca2607bbe99fb22a17c39eda94ca34d5
2017-02-14 16:31:42 +07:00

136 lines
4.5 KiB
ReStructuredText
Raw Blame History

Mistral Configuration Guide
===========================
Mistral configuration is needed for getting it work correctly
either with real OpenStack environment or without OpenStack environment.
**NOTE:** The most of the following operations should performed in mistral
directory.
#. Generate *mistral.conf* (if it does not already exist)::
$ oslo-config-generator --config-file tools/config/config-generator.mistral.conf --output-file /etc/mistral/mistral.conf
#. Edit file **/etc/mistral/mistral.conf**.
#. **If you are not using OpenStack, skip this item.** Provide valid keystone
auth properties::
[keystone_authtoken]
auth_uri = http://<Keystone-host>:5000/v3
identity_uri = http://<Keystone-host:35357/
auth_version = v3
admin_user = <user>
admin_password = <password>
admin_tenant_name = <tenant>
#. Mistral can be also configured to authenticate with Keycloak server via OpenID Connect protocol.
In order to enable Keycloak authentication the following section should be in the config file::
auth_type = keycloak-oidc
[keycloak_oidc]
auth_url = https://<Keycloak-server-host>:<Keycloak-server-port>/auth
Property 'auth_type' is assigned to 'keystone' by default.
If SSL/TLS verification needs to be disabled then 'insecure = True' should also be added
under [keycloak_oidc] group.
#. If you want to configure SSL for Mistral API server, provide following options
in config file::
[api]
enable_ssl_api = True
[ssl]
ca_file = <path-to-ca file>
cert_file = <path-to-certificate file>
key_file = <path-to-key file>
#. **If you don't use OpenStack or you want to disable authentication for the
Mistral service**, provide ``auth_enable = False`` in the config file::
[pecan]
auth_enable = False
#. **If you are not using OpenStack, skip this item**. Register Mistral service
and Mistral endpoints on Keystone::
$ MISTRAL_URL="http://[host]:[port]/v2"
$ openstack service create workflow --name mistral --description 'OpenStack Workflow service'
$ openstack endpoint create workflow --publicurl $MISTRAL_URL --adminurl $MISTRAL_URL --internalurl $MISTRAL_URL
#. Configure transport properties in the corresponding config section: for
RabbitMQ it is **oslo_messaging_rabbit**::
[oslo_messaging_rabbit]
rabbit_userid = <user_id>
rabbit_password = <password>
rabbit_host = <host>
**NOTE**: Make sure that backend transport configuration is correct. Example for RabbitMQ::
[DEFAULT]
rpc_backend = rabbit
#. Configure database. **SQLite can't be used in production**. Use *MySQL* or
*PostgreSQL* instead. Here are the steps how to connect *MySQL* DB to Mistral:
Make sure you have installed **mysql-server** package on your database machine
(it can be your Mistral machine as well).
Install MySQL driver for python::
$ pip install mysql-python
Create the database and grant privileges::
$ mysql -u root -p
CREATE DATABASE mistral;
USE mistral
GRANT ALL ON mistral.* TO 'root':<password>@<database-host>;
Configure connection in Mistral config::
[database]
connection = mysql://<user>:<password>@<database-host>:3306/mistral
**NOTE**: If PostgreSQL is used, configure connection item as below::
connection = postgresql://<user>:<password>@<database-host>:5432/mistral
#. **If you are not using OpenStack, skip this item.**
Update mistral/actions/openstack/mapping.json file which contains all allowed
OpenStack actions, according to the specific client versions of OpenStack
projects in your deployment. Please find more detailed information in
tools/get_action_list.py script.
#. Configure Task affinity feature if needed. It is needed for distinguishing
either single task executor or one task executor from group of task executors::
[executor]
host = my_favorite_executor
Then, this executor can be referred in Workflow Language by
.. code-block:: yaml
...Workflow YAML...
my_task:
...
target: my_favorite_executor
...Workflow YAML...
#. Configure role based access policies for Mistral endpoints (policy.json)::
[oslo_policy]
policy_file = <path-of-policy.json file>
Default policy.json file is in ``mistral/etc/``. For more deatils see `policy.json file <http://docs.openstack.org/mitaka/config-reference/policy-json-file.html>`_.
#. After that try to run mistral engine and see it is running without any error::
$ mistral-server --config-file <path-to-config> --server engine
View Git Blame Copy Permalink