Do not enable Keystone by default
Closes-Bug: #1520272 Change-Id: I4abf404e987a305368575d64bca93869ce344fcb
This commit is contained in:
parent
d32800246d
commit
fab927305a
@ -274,6 +274,8 @@ function configure_gnocchi {
|
||||
iniset $GNOCCHI_CONF cors allowed_origin ${GRAFANA_URL}
|
||||
iniset $GNOCCHI_CONF cors allow_methods GET,POST,PUT,DELETE,OPTIONS,HEAD,PATCH
|
||||
iniset $GNOCCHI_CONF cors allow_headers Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token,X-Subject-Token
|
||||
else
|
||||
iniset $GNOCCHI_PASTE_CONF pipeline:main pipeline "keystone_authtoken gnocchi"
|
||||
fi
|
||||
else
|
||||
iniset $GNOCCHI_PASTE_CONF pipeline:main pipeline gnocchi
|
||||
@ -360,8 +362,10 @@ function install_gnocchi {
|
||||
|
||||
install_gnocchiclient
|
||||
|
||||
is_service_enabled key && EXTRA_FLAVOR=,keystonmiddleware
|
||||
|
||||
# We don't use setup_package because we don't follow openstack/requirements
|
||||
sudo -H pip install -e "$GNOCCHI_DIR"[test,$GNOCCHI_STORAGE_BACKEND,$DATABASE_TYPE]
|
||||
sudo -H pip install -e "$GNOCCHI_DIR"[test,$GNOCCHI_STORAGE_BACKEND,${DATABASE_TYPE}${EXTRA_FLAVOR}]
|
||||
|
||||
if [ "$GNOCCHI_USE_MOD_WSGI" == "True" ]; then
|
||||
install_apache_wsgi
|
||||
|
@ -55,6 +55,34 @@ Gnocchi provides these indexer drivers:
|
||||
.. _`MySQL`: http://mysql.com
|
||||
.. _`InfluxDB`: http://influxdb.com
|
||||
|
||||
Configuring the WSGI pipeline
|
||||
-----------------------------
|
||||
|
||||
The API server leverages `Paste Deployment`_ to manage its configuration. You
|
||||
can edit the `/etc/gnocchi/api-paste.ini` to tweak the WSGI pipeline of the
|
||||
Gnocchi REST HTTP server. By default, no authentication middleware is enabled,
|
||||
meaning your request will have to provides the authentication headers.
|
||||
|
||||
Gnocchi is easily connectable with `OpenStack Keystone`_. If you successfully
|
||||
installed the `keystone` flavor using `pip` (see :ref:`installation`), you can
|
||||
edit the `api-paste.ini` file to add the Keystone authentication middleware::
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = keystone_authtoken gnocchi
|
||||
|
||||
Also, if you're planning on using `CORS`_ (e.g. to use `Grafana`_), you an also
|
||||
add the CORS middleware in the server pipeline::
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = keystone_authtoken cors gnocchi
|
||||
|
||||
With or without Keystone support.
|
||||
|
||||
.. _`Paste Deployment`: http://pythonpaste.org/deploy/
|
||||
.. _`OpenStack Keystone`: http://launchpad.net/keystone
|
||||
.. _`CORS`: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
|
||||
.. _`Grafana`: http://grafana.org/
|
||||
|
||||
|
||||
Driver notes
|
||||
============
|
||||
|
@ -22,6 +22,9 @@ Then, you can start devstack:
|
||||
|
||||
./stack.sh
|
||||
|
||||
|
||||
.. _installation:
|
||||
|
||||
Installation
|
||||
============
|
||||
|
||||
@ -29,18 +32,33 @@ To install Gnocchi using `pip`, just type::
|
||||
|
||||
pip install gnocchi
|
||||
|
||||
Depending on the drivers you want to use, you need to install extra variants
|
||||
using, for example::
|
||||
Depending on the drivers and features you want to use, you need to install
|
||||
extra variants using, for example::
|
||||
|
||||
pip install gnocchi[postgresql,ceph]
|
||||
pip install gnocchi[postgresql,ceph,keystone]
|
||||
|
||||
This would install PostgreSQL support for the indexer, Ceph support for
|
||||
storage, and Keystone support for authentication and authorization.
|
||||
|
||||
The list of variants available is:
|
||||
|
||||
* keystone – provides Keystone authentication support
|
||||
* mysql - provides MySQL indexer support
|
||||
* postgresql – provides PostgreSQL indexer support
|
||||
* influxdb – provides InfluxDB storage support
|
||||
* swift – provides OpenStack Swift storage support
|
||||
* ceph – provides Ceph storage support
|
||||
* file – provides file driver support
|
||||
* doc – documentation building support
|
||||
* test – unit and functional tests support
|
||||
|
||||
To install Gnocchi from source, run the standard Python installation
|
||||
procedure::
|
||||
|
||||
pip install -e .
|
||||
|
||||
Again, depending on the drivers you want to use, you need to install extra
|
||||
variants using, for example::
|
||||
Again, depending on the drivers and features you want to use, you need to
|
||||
install extra variants using, for example::
|
||||
|
||||
pip install -e .[postgresql,ceph]
|
||||
|
||||
|
@ -5,10 +5,19 @@
|
||||
Authentication
|
||||
==============
|
||||
|
||||
By default, the `api.middleware` configuration option is set to use the
|
||||
Keystone middleware. Therefore, you must authenticate using Keystone to use the
|
||||
API and provide an `X-Auth-Token` header with a valid token for each request
|
||||
sent to Gnocchi.
|
||||
By default, no authentication is configured in Gnocchi. You need to provides
|
||||
these headers in your HTTP requests:
|
||||
|
||||
* X-User-Id
|
||||
* X-Project-Id
|
||||
|
||||
The `X-Roles` header can also be provided in order to match role based ACL
|
||||
specified in `policy.json`.
|
||||
|
||||
If you enable the OpenStack Keystone middleware, you only need to authenticate
|
||||
against Keystone and provide `X-Auth-Token` header with a valid token for each
|
||||
request sent to Gnocchi. The headers mentionned above will be filled
|
||||
automatically based on your Keystone authorizations.
|
||||
|
||||
Metrics
|
||||
=======
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Remove keystone_authtoken from the pipeline if you don't want to use keystone authentication
|
||||
# Add keystone_authtoken in the pipeline if you want to use keystone authentication
|
||||
[pipeline:main]
|
||||
pipeline = keystone_authtoken gnocchi
|
||||
pipeline = gnocchi
|
||||
|
||||
[app:gnocchi]
|
||||
paste.app_factory = gnocchi.rest.app:app_factory
|
||||
|
@ -17,6 +17,5 @@ werkzeug
|
||||
trollius
|
||||
retrying
|
||||
WebOb>=1.4.1
|
||||
keystonemiddleware>=4.0.0
|
||||
PasteDeploy
|
||||
prettytable
|
||||
|
Loading…
Reference in New Issue
Block a user