Multi-region service endpoint support
Change-Id: I2aa6bb39e81b6128ef162ffce16d539419bd9f6d
parent
a4081e8fdb
commit
aabbda6e26
68
README.rst
68
README.rst
@ -172,11 +172,11 @@ Keystone domain with LDAP backend, using SQL for role/project assignment
|
||||
assignment:
|
||||
backend: sql
|
||||
ldap:
|
||||
url: "ldaps://idm01.workshop.cloudlab.cz"
|
||||
suffix: "dc=workshop,dc=cloudlab,dc=cz"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
|
||||
url: "ldaps://idm.domain.com"
|
||||
suffix: "dc=cloud,dc=domain,dc=com"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||
uid: keystone
|
||||
password: cloudlab
|
||||
password: password
|
||||
|
||||
Using LDAP backend for default domain
|
||||
|
||||
@ -188,11 +188,53 @@ Using LDAP backend for default domain
|
||||
assignment:
|
||||
backend: sql
|
||||
ldap:
|
||||
url: "ldaps://idm01.workshop.cloudlab.cz"
|
||||
suffix: "dc=workshop,dc=cloudlab,dc=cz"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
|
||||
url: "ldaps://idm.domain.com"
|
||||
suffix: "dc=cloud,dc=domain,dc=com"
|
||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||
uid: keystone
|
||||
password: cloudlab
|
||||
password: password
|
||||
|
||||
Simple service endpoint definition (defaults to RegionOne)
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
service:
|
||||
ceilometer:
|
||||
type: metering
|
||||
description: OpenStack Telemetry Service
|
||||
user:
|
||||
name: ceilometer
|
||||
password: password
|
||||
bind:
|
||||
...
|
||||
|
||||
Region-aware service endpoints definition
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone:
|
||||
server:
|
||||
service:
|
||||
ceilometer_region01:
|
||||
service: ceilometer
|
||||
type: metering
|
||||
region: region01
|
||||
description: OpenStack Telemetry Service
|
||||
user:
|
||||
name: ceilometer
|
||||
password: password
|
||||
bind:
|
||||
...
|
||||
ceilometer_region02:
|
||||
service: ceilometer
|
||||
type: metering
|
||||
region: region02
|
||||
description: OpenStack Telemetry Service
|
||||
bind:
|
||||
...
|
||||
|
||||
|
||||
Read more
|
||||
=========
|
||||
@ -204,13 +246,3 @@ Read more
|
||||
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
|
||||
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
|
||||
* https://bugs.launchpad.net/tripleo/+bug/1203910
|
||||
|
||||
Things to improve
|
||||
=================
|
||||
|
||||
* Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
|
||||
* Keystone with MongoDB backend - where is it?
|
||||
* IdP is owned by domain, domain corresponds to billable account - IdP administration
|
||||
* IdP Shiboleth alternatives - mod_auth_mellon
|
||||
|
||||
Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)
|
||||
|
@ -63,6 +63,7 @@ keystone_group:
|
||||
- pkg: keystone_packages
|
||||
|
||||
{%- for domain_name, domain in server.domain.iteritems() %}
|
||||
|
||||
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
|
||||
file.managed:
|
||||
- source: salt://keystone/files/keystone.domain.conf
|
||||
@ -75,6 +76,7 @@ keystone_group:
|
||||
domain_name: {{ domain_name }}
|
||||
|
||||
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
||||
|
||||
keystone_domain_{{ domain_name }}_cacert:
|
||||
file.managed:
|
||||
- name: /etc/keystone/domains/{{ domain_name }}.pem
|
||||
@ -83,6 +85,7 @@ keystone_domain_{{ domain_name }}_cacert:
|
||||
- file: /etc/keystone/domains
|
||||
- watch_in:
|
||||
- service: keystone_service
|
||||
|
||||
{%- endif %}
|
||||
|
||||
keystone_domain_{{ domain_name }}:
|
||||
@ -92,11 +95,13 @@ keystone_domain_{{ domain_name }}:
|
||||
- require:
|
||||
- file: /root/keystonercv3
|
||||
- service: keystone_service
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- endif %}
|
||||
|
||||
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
||||
|
||||
keystone_ldap_default_cacert:
|
||||
file.managed:
|
||||
- name: {{ server.ldap.tls.cacertfile }}
|
||||
@ -105,6 +110,7 @@ keystone_ldap_default_cacert:
|
||||
- pkg: keystone_packages
|
||||
- watch_in:
|
||||
- service: keystone_service
|
||||
|
||||
{%- endif %}
|
||||
|
||||
keystone_service:
|
||||
@ -199,7 +205,7 @@ keystone_{{ service_name }}_service:
|
||||
|
||||
keystone_{{ service_name }}_endpoint:
|
||||
keystone.endpoint_present:
|
||||
- name: {{ service_name }}
|
||||
- name: {{ service.get('service', service_name) }}
|
||||
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
|
||||
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
|
||||
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
|
||||
|
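Review bot: The new `- name: {{ service.get('service', service_name) }}` makes every region entry of the same service (the README example's `ceilometer_region01` and `ceilometer_region02`) call `keystone.endpoint_present` under the identical name `ceilometer`, yet no `region` argument appears in the hunk; unless a line beyond the hunk passes it (e.g. `- region: {{ service.get('region', 'RegionOne') }}`, matching the README's "defaults to RegionOne"), the second entry will likely be compared against the endpoint already registered for `ceilometer` instead of creating a separate per-region one. The `keystone_{{ service_name }}_endpoint` state may continue past `- adminurl`, so the rest of its body is outside this hunk. The companion `keystone_{{ service_name }}_service` state is also outside the hunk; if it still registers the service as `service_name`, `ceilometer_region02` would create a Keystone service literally named `ceilometer_region02` to which the renamed endpoint is no longer attached, so the same `service.get('service', service_name)` lookup is presumably needed there. This file section's header is not visible on the page, so the file is assumed from the Salt `keystone_*` state IDs.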