Adding documentation for proxy domain usage
Changes

* creating an advanced configuration guide
* adding a link for the advanced config guide to index
* changing the notification config heading to subsection
* adding labels to diskimagebuilder and hadoop-swift documents

Partial-Implements: blueprint edp-swift-trust-authentication
Change-Id: Ie3a3cf0b470ac67670251a5ccd2c3689e338ed1c
parent f1facb74ae
commit 4b108fa087
@ -26,6 +26,7 @@ User guide
|
|||||||
|
|
||||||
userdoc/installation.guide
|
userdoc/installation.guide
|
||||||
userdoc/configuration.guide
|
userdoc/configuration.guide
|
||||||
|
userdoc/advanced.configuration.guide
|
||||||
horizon/installation.guide
|
horizon/installation.guide
|
||||||
userdoc/upgrade.guide
|
userdoc/upgrade.guide
|
||||||
|
|
||||||
|
69
doc/source/userdoc/advanced.configuration.guide.rst
Normal file
69
doc/source/userdoc/advanced.configuration.guide.rst
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
Sahara Advanced Configuration Guide
|
||||||
|
===================================
|
||||||
|
|
||||||
|
This guide addresses specific aspects of Sahara configuration that pertain to
|
||||||
|
advanced usage. It is divided into sections about various features that can be
|
||||||
|
utilized, and their related configurations.
|
||||||
|
|
||||||
|
Domain usage for Swift proxy users
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
To improve security for Sahara clusters accessing Swift objects, Sahara can be
|
||||||
|
configured to use proxy users and delegated trusts for access. This behavior
|
||||||
|
has been implemented to reduce the need for storing and distributing user
|
||||||
|
credentials.
|
||||||
|
|
||||||
|
The use of proxy users involves creating a domain in Keystone that will be
|
||||||
|
designated as the home for any proxy users created. These created users will
|
||||||
|
only exist for as long as a job execution runs. The domain created for the
|
||||||
|
proxy users must have an identity backend that allows Sahara's admin user to
|
||||||
|
create new user accounts. This new domain should contain no roles, to limit
|
||||||
|
the potential access of a proxy user.
|
||||||
|
|
||||||
|
Once the domain has been created Sahara must be configured to use it by adding
|
||||||
|
the domain name and any potential roles that must be used for Swift access in
|
||||||
|
the sahara.conf file. With the domain enabled in Sahara, users will no longer
|
||||||
|
be required to enter credentials with their Swift-backed Data Sources and Job
|
||||||
|
Binaries.
|
||||||
|
|
||||||
|
Detailed instructions
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
First a domain must be created in Keystone to hold proxy users created by
|
||||||
|
Sahara. This domain must have an identity backend that allows for Sahara to
|
||||||
|
create new users. The default SQL engine is sufficient but if your Keystone
|
||||||
|
identity is backed by LDAP or similar then domain specific configurations
|
||||||
|
should be used to ensure Sahara's access. See the `Keystone documentation`_
|
||||||
|
for more information.
|
||||||
|
|
||||||
|
.. _Keystone documentation: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers
|
||||||
|
|
||||||
|
With the domain created Sahara's configuration file should be updated to
|
||||||
|
include the new domain name and any potential roles that will be needed. For
|
||||||
|
this example let's assume that the name of the proxy domain is
|
||||||
|
``sahara_proxy`` and the roles needed by proxy users will be ``Member`` and
|
||||||
|
``SwiftUser``.
|
||||||
|
|
||||||
|
.. sourcecode:: cfg
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
use_domain_for_proxy_users=True
|
||||||
|
proxy_user_domain_name=sahara_proxy
|
||||||
|
proxy_user_role_names=Member,SwiftUser
|
||||||
|
|
||||||
|
..
|
||||||
|
|
||||||
|
A note on the use of roles. In the context of the proxy user, any roles
|
||||||
|
specified here are roles intended to be delegated to the proxy user from the
|
||||||
|
user with access to the Swift object store. More specifically, any roles that
|
||||||
|
are required for Swift access by the project owning the object store must be
|
||||||
|
delegated to the proxy user for Swift authentication to be successful.
|
||||||
|
|
||||||
|
Finally, the stack administrator must ensure that images registered with
|
||||||
|
Sahara have the latest version of the Hadoop Swift filesystem plugin
|
||||||
|
installed. The sources for this plugin can be found in the
|
||||||
|
`Sahara extra repository`_. For more information on images or Swift
|
||||||
|
integration see the Sahara documentation sections
|
||||||
|
:ref:`diskimage-builder-label` and :ref:`swift-integration-label`.
|
||||||
|
|
||||||
|
.. _Sahara extra repository: http://github.com/openstack/sahara-extra
|
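Review bot: the wording about roles in the new guide is looser than the security goal it states, in both the overview ("any potential roles that must be used for Swift access") and the sentence before the cfg block ("any potential roles that will be needed"). The overview says the proxy domain "should contain no roles, to limit the potential access of a proxy user", and the note after the block explains that the listed roles are delegated to the proxy user, so I'd say explicitly that ``proxy_user_role_names`` should list only the roles required for Swift access by the project owning the object store. Two smaller points: the Detailed instructions say a domain "must be created in Keystone" without showing how, and both external link targets use http:// where https:// would be preferable.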
@ -52,7 +52,7 @@ to write logs of INFO level and above. If ``debug`` is set to true,
|
|||||||
Sahara will write all the logs, including the DEBUG ones.
|
Sahara will write all the logs, including the DEBUG ones.
|
||||||
|
|
||||||
Sahara notifications configuration
|
Sahara notifications configuration
|
||||||
==================================
|
----------------------------------
|
||||||
|
|
||||||
Sahara can send notifications to Ceilometer, if it's enabled.
|
Sahara can send notifications to Ceilometer, if it's enabled.
|
||||||
If you want to enable notifications you should switch to ``[DEFAULT]``
|
If you want to enable notifications you should switch to ``[DEFAULT]``
|
||||||
|
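Review bot: with the underline changed from ``=`` to ``-``, "Sahara notifications configuration" now nests under whichever top-level section precedes it, and the context lines just above it are about log levels and ``debug``. Please confirm that parent is the intended one; if notifications are meant to sit beside the logging material rather than inside it, the headings around it need to be adjusted to match.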
@ -1,3 +1,5 @@
|
|||||||
|
.. _diskimage-builder-label:
|
||||||
|
|
||||||
Building Images for Vanilla Plugin
|
Building Images for Vanilla Plugin
|
||||||
==================================
|
==================================
|
||||||
|
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
.. _swift-integration-label:
|
||||||
|
|
||||||
Swift Integration
|
Swift Integration
|
||||||
=================
|
=================
|
||||||
Hadoop and Swift integration is the essential continuation of Hadoop&OpenStack
|
Hadoop and Swift integration is the essential continuation of Hadoop&OpenStack
|
||||||
|