Merge "[install-guide] describe service clients auth"
commit ea55703d9b
@ -97,32 +97,79 @@ Configuring ironic-conductor service
|
|||||||
cleaning, see `CleaningNetworkSetup <http://docs.openstack.org/developer/ironic/deploy/cleaning.html>`_
|
cleaning, see `CleaningNetworkSetup <http://docs.openstack.org/developer/ironic/deploy/cleaning.html>`_
|
||||||
from the Ironic deploy guide.
|
from the Ironic deploy guide.
|
||||||
|
|
||||||
#. Configure the ironic-conductor service to use these credentials with the
|
#. Configure credentials for accessing other OpenStack services.
|
||||||
Identity service. Ironic-conductor should use the same configuration as
|
|
||||||
ironic-api. Replace ``IDENTITY_IP`` with the IP of the Identity server,
|
In order to communicate with other OpenStack services, the Bare Metal
|
||||||
|
service needs to use service users to authenticate to the OpenStack
|
||||||
|
Identity service when making requests to other services.
|
||||||
|
These users' credentials have to be configured in each
|
||||||
|
configuration file section related to the corresponding service:
|
||||||
|
|
||||||
|
* ``[neutron]`` - to access the OpenStack Networking service
|
||||||
|
* ``[glance]`` - to access the OpenStack Image service
|
||||||
|
* ``[swift]`` - to access the OpenStack Object Storage service
|
||||||
|
* ``[inspector]`` - to access the OpenStack Bare Metal Introspection
|
||||||
|
service
|
||||||
|
* ``[service_catalog]`` - a special section holding credentials
|
||||||
|
the Bare Metal service will use to discover its own API URL endpoint
|
||||||
|
as registered in the OpenStack Identity service catalog.
|
||||||
|
|
||||||
|
For simplicity, you can use the same service user for all services.
|
||||||
|
For backward compatibility, this should be the same user configured
|
||||||
|
in the ``[keystone_authtoken]`` section for the ironic-api service
|
||||||
|
(see "Configuring ironic-api service").
|
||||||
|
However, this is not necessary, and you can create and configure separate
|
||||||
|
service users for each service.
|
||||||
|
|
||||||
|
Under the hood, Bare Metal service uses ``keystoneauth`` library
|
||||||
|
together with ``Authentication plugin`` and ``Session`` concepts
|
||||||
|
provided by it to instantiate service clients.
|
||||||
|
Please refer to `Keystoneauth documentation`_ for supported plugins,
|
||||||
|
their available options as well as Session-related options
|
||||||
|
for authentication and connection respectively.
|
||||||
|
|
||||||
|
In the example below, authentication information for user to access the
|
||||||
|
OpenStack Networking service is configured to use:
|
||||||
|
|
||||||
|
* HTTPS connection with specific CA SSL certificate when making requests
|
||||||
|
* the same service user as configured for ironic-api service
|
||||||
|
* dynamic ``password`` authentication plugin that will discover
|
||||||
|
appropriate version of Identity service API based on other
|
||||||
|
provided options
|
||||||
|
|
||||||
|
- replace ``IDENTITY_IP`` with the IP of the Identity server,
|
||||||
and replace ``IRONIC_PASSWORD`` with the password you chose for the
|
and replace ``IRONIC_PASSWORD`` with the password you chose for the
|
||||||
``ironic`` user in the Identity service:
|
``ironic`` user in the Identity service
|
||||||
|
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[keystone_authtoken]
|
[neutron]
|
||||||
|
|
||||||
# Complete public Identity API endpoint (string value)
|
# Authentication type to load (string value)
|
||||||
auth_uri=http://IDENTITY_IP:5000/
|
auth_type = password
|
||||||
|
|
||||||
# Complete admin Identity API endpoint. This should specify
|
# Authentication URL (string value)
|
||||||
# the unversioned root endpoint e.g. https://localhost:35357/
|
auth_url=https://IDENTITY_IP:5000/
|
||||||
# (string value)
|
|
||||||
identity_uri=http://IDENTITY_IP:35357/
|
|
||||||
|
|
||||||
# Service username. (string value)
|
# Username (string value)
|
||||||
admin_user=ironic
|
username=ironic
|
||||||
|
|
||||||
# Service account password. (string value)
|
# User's password (string value)
|
||||||
admin_password=IRONIC_PASSWORD
|
password=IRONIC_PASSWORD
|
||||||
|
|
||||||
# Service tenant name. (string value)
|
# Project name to scope to (string value)
|
||||||
admin_tenant_name=service
|
project_name=service
|
||||||
|
|
||||||
|
# Domain ID containing project (string value)
|
||||||
|
project_domain_id=default
|
||||||
|
|
||||||
|
# User's domain id (string value)
|
||||||
|
user_domain_id=default
|
||||||
|
|
||||||
|
# PEM encoded Certificate Authority to use when verifying
|
||||||
|
# HTTPs connections. (string value)
|
||||||
|
cafile=/opt/stack/data/ca-bundle.pem
|
||||||
|
|
||||||
#. Make sure that ``qemu-img`` and ``iscsiadm`` (in the case of using iscsi-deploy driver)
|
#. Make sure that ``qemu-img`` and ``iscsiadm`` (in the case of using iscsi-deploy driver)
|
||||||
binaries are installed and prepare the host system as described at
|
binaries are installed and prepare the host system as described at
|
||||||
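Review bot: In the rewritten step text, the line "- replace ``IDENTITY_IP`` with the IP of the Identity server," opens with a hyphen right after the ``*`` list, so reStructuredText will read it as a separate bullet item instead of the sentence that introduces the example, and the last line, "``ironic`` user in the Identity service", has lost the trailing colon that led into ``.. code-block:: ini``. Suggest a full sentence ending in a colon, starting "Replace ``IDENTITY_IP`` with ...". In the ``[neutron]`` example, ``auth_type = password`` is spaced differently from ``auth_url=https://IDENTITY_IP:5000/`` and the options after it; use one form throughout. The text names five sections but the example fills in only ``[neutron]``, so it would help to say explicitly whether the same options are to be repeated in ``[glance]``, ``[swift]``, ``[inspector]`` and ``[service_catalog]``. Since ``password=IRONIC_PASSWORD`` now appears in several sections in clear text, a sentence on restricting read access to the configuration file would fit here, and the "same service user for all services" advice could mention that separate users limit what one leaked credential can reach.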
@ -138,3 +185,6 @@ Configuring ironic-conductor service
|
|||||||
|
|
||||||
Ubuntu:
|
Ubuntu:
|
||||||
sudo service ironic-conductor restart
|
sudo service ironic-conductor restart
|
||||||
|
|
||||||
|
|
||||||
|
.. _Keystoneauth documentation: http://docs.openstack.org/developer/keystoneauth/
|
||||||
|
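Review bot: The ``.. _Keystoneauth documentation:`` target added at the end of the file points at the root of the keystoneauth documentation, while the text that cites it sends readers there for "supported plugins, their available options as well as Session-related options". Suggest linking to the page or pages that actually list the plugin and Session options, or naming in the text which part of that documentation to open. Also check that the target line is unindented and separated by a blank line from the ``sudo service ironic-conductor restart`` block above it, so it is not taken as part of that literal block.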