* Added policy oslo module
* Added related config options to sample file
* Enabled policy enforcement for all API calls
* Changed error rendering for access violations

Implements blueprint: auth-policy
Change-Id: Idb27eb052b1f598c3cb688bae1debcaaebe13aa5
Sahara Configuration Guide
This guide covers the steps for basic configuration of Sahara. It will help you to configure the service in the simplest manner.
Let's start by configuring the Sahara server. The server is packaged with two sample config files: sahara.conf.sample-basic and sahara.conf.sample. The former contains all essential parameters, while the latter contains the full list. We recommend creating your config based on the basic sample, as changing the parameters listed there will most probably be enough.
First, edit the connection parameter in the [database] section. The URL provided here should point to an empty database. For instance, the connection string for a MySQL database will be:
connection=mysql://username:password@host:port/database
Switch to the [keystone_authtoken] section. The auth_uri parameter should point to the public Identity API endpoint. identity_uri should point to the admin Identity API endpoint. For example:
auth_uri=http://127.0.0.1:5000/v2.0/
identity_uri=http://127.0.0.1:35357/
Next specify admin_user, admin_password and admin_tenant_name. These parameters must specify a keystone user which has the admin role in the given tenant. These credentials allow Sahara to authenticate and authorize its users.
Switch to the [DEFAULT] section. Proceed to the networking parameters. If you are using Neutron for networking, then set
use_neutron=true
Otherwise, if you are using Nova-Network, set the given parameter to false.
That should be enough for the first run. If you want to increase the logging level for troubleshooting, there are two parameters in the config: verbose and debug. If the former is set to true, Sahara will start to write logs of INFO level and above. If debug is set to true, Sahara will write all the logs, including the DEBUG ones.
Sahara notifications configuration
Sahara can send notifications to Ceilometer, if it's enabled. If you want to enable notifications, you should switch to the [DEFAULT] section and set:
enable_notifications = true
notification_driver = messaging
The current default for Sahara is to use the backend that utilizes RabbitMQ as the message broker. You should configure your backend. It's recommended to use Rabbit or Qpid.
If you are using Rabbit as a backend, then you should set:
rpc_backend = rabbit
After that, you should specify the following options: rabbit_host, rabbit_port, rabbit_userid, rabbit_password, rabbit_virtual_host and rabbit_hosts.
As an example, here are the default values of these options:
rabbit_host=localhost
rabbit_port=5672
rabbit_hosts=$rabbit_host:$rabbit_port
rabbit_userid=guest
rabbit_password=guest
rabbit_virtual_host=/
If you are using Qpid as a backend, then you should set:
rpc_backend = qpid
After that, you should specify the following options: qpid_hostname, qpid_port, qpid_username, qpid_password and qpid_hosts.
As an example, here are the default values of these options:
qpid_hostname=localhost
qpid_port=5672
qpid_hosts=$qpid_hostname:$qpid_port
qpid_username=
qpid_password=
Sahara policy configuration
Sahara's public API calls may be restricted to certain sets of users using a policy configuration file. The location of the policy file is controlled by the policy_file and policy_dirs parameters. By default, Sahara will search for a policy.json file in the same directory where the Sahara configuration is located.
Examples
Example 1. Allow all methods to all users (default policy).
{
    "default": ""
}
Example 2. Disallow image registry manipulations to non-admin users.
{
    "default": "",
    "images:register": "role:admin",
    "images:unregister": "role:admin",
    "images:add_tags": "role:admin",
    "images:remove_tags": "role:admin"
}
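
The following is an added example, not part of the guide or of Sahara's code: a simplified rule check that reports which API actions the Example 2 policy leaves open to a user with no roles, because every action without its own entry falls back to the empty "default" rule. It assumes single-check rules only (Sahara itself evaluates policies with the oslo policy module), and the action name clusters:create is constructed for illustration.

```python
import json

# Example 2 from the guide, embedded so the script runs offline.
POLICY = json.loads("""{
    "default": "",
    "images:register": "role:admin",
    "images:unregister": "role:admin",
    "images:add_tags": "role:admin",
    "images:remove_tags": "role:admin"
}""")

# Actions to audit. "clusters:create" is a constructed name standing in for
# any API call that has no rule of its own in the policy file.
ACTIONS = ["images:register", "images:unregister", "images:add_tags",
           "images:remove_tags", "clusters:create"]


def is_allowed(policy, action, roles, _depth=0):
    """Simplified rule check (assumption, not the oslo policy engine).

    Supports "" / "@" (allow), "!" (deny), "role:<name>" and "rule:<name>".
    An action without its own entry falls back to "default"; with no
    "default" entry either, the call is denied.
    """
    rule = policy.get(action, policy.get("default", "!")).strip()
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    kind, _, value = rule.partition(":")
    if kind == "role" and value and " " not in value:
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule" and value and " " not in value and _depth < 8:
        return is_allowed(policy, value, roles, _depth + 1)
    raise ValueError("rule not handled by this simplified check: %r" % rule)


def open_to_everyone(policy, actions):
    """Return the actions callable by a user who holds no roles at all."""
    return [a for a in actions if is_allowed(policy, a, roles=[])]


if __name__ == "__main__":
    print("open with Example 2:", open_to_everyone(POLICY, ACTIONS))
    strict = dict(POLICY, default="role:admin")  # admin-only fallback
    print("open with admin-only default:", open_to_everyone(strict, ACTIONS))
```

With Example 2 only the four image registry actions are restricted; changing "default" to "role:admin" closes every unlisted action to non-admin users as well.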