Multi-region service endpoint support

Change-Id: I2aa6bb39e81b6128ef162ffce16d539419bd9f6d
Ales Komarek 2016-03-15 08:38:35 +01:00
parent a4081e8fdb
commit aabbda6e26
2 changed files with 57 additions and 19 deletions

View File

@ -172,11 +172,11 @@ Keystone domain with LDAP backend, using SQL for role/project assignment
assignment: assignment:
backend: sql backend: sql
ldap: ldap:
url: "ldaps://idm01.workshop.cloudlab.cz" url: "ldaps://idm.domain.com"
suffix: "dc=workshop,dc=cloudlab,dc=cz" suffix: "dc=cloud,dc=domain,dc=com"
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
uid: keystone uid: keystone
password: cloudlab password: password
Using LDAP backend for default domain Using LDAP backend for default domain
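Review bot: the old side of the `url`, `suffix` and `password` lines published a real internal IdM hostname and what looks like a real bind password for the `uid=keystone` LDAP account; replacing them with `idm.domain.com` and `password` is the right fix for the README, but the old values remain in git history, so the `keystone` bind credential on that directory should be rotated rather than assumed hidden. The comment line still spells out the full bind DN, which is fine for a placeholder domain but worth keeping generic in any later edits.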
@ -188,11 +188,53 @@ Using LDAP backend for default domain
assignment: assignment:
backend: sql backend: sql
ldap: ldap:
url: "ldaps://idm01.workshop.cloudlab.cz" url: "ldaps://idm.domain.com"
suffix: "dc=workshop,dc=cloudlab,dc=cz" suffix: "dc=cloud,dc=domain,dc=com"
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz # Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
uid: keystone uid: keystone
password: cloudlab password: password
Simple service endpoint definition (defaults to RegionOne)
.. code-block:: yaml
keystone:
server:
service:
ceilometer:
type: metering
description: OpenStack Telemetry Service
user:
name: ceilometer
password: password
bind:
...
Region-aware service endpoints definition
.. code-block:: yaml
keystone:
server:
service:
ceilometer_region01:
service: ceilometer
type: metering
region: region01
description: OpenStack Telemetry Service
user:
name: ceilometer
password: password
bind:
...
ceilometer_region02:
service: ceilometer
type: metering
region: region02
description: OpenStack Telemetry Service
bind:
...
Read more Read more
========= =========
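Review bot: the two new examples are inconsistent about `user:`: `ceilometer_region01` carries a `user:` block while `ceilometer_region02` does not, and the text never says whether a second region entry may omit it or whether both entries are expected to share one service user. Add a sentence stating that, and state what `region` defaults to when the key is absent (the heading says `RegionOne`, the example body does not show it). The same hostname and `cloudlab` password replacement as in the previous hunk applies to the second LDAP block here and carries the same rotation concern.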
@ -204,13 +246,3 @@ Read more
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/ * http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en * http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
* https://bugs.launchpad.net/tripleo/+bug/1203910 * https://bugs.launchpad.net/tripleo/+bug/1203910
Things to improve
=================
* Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
* Keystone with MongoDB backend - where is it?
* IdP is owned by domain, domain corresponds to billable account - IdP administration
* IdP Shiboleth alternatives - mod_auth_mellon
Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)
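Review bot: this hunk deletes the whole `Things to improve` section (Keystone as SP under Apache, MongoDB backend, IdP ownership per domain, mod_auth_mellon, the SP/IdP instability note) without the commit message mentioning it, and none of the added text replaces those items. Either keep the section or move the items to an issue tracker and say so in the commit message, so the open SP/IdP questions do not silently disappear from the documentation.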

View File

@ -63,6 +63,7 @@ keystone_group:
- pkg: keystone_packages - pkg: keystone_packages
{%- for domain_name, domain in server.domain.iteritems() %} {%- for domain_name, domain in server.domain.iteritems() %}
/etc/keystone/domains/keystone.{{ domain_name }}.conf: /etc/keystone/domains/keystone.{{ domain_name }}.conf:
file.managed: file.managed:
- source: salt://keystone/files/keystone.domain.conf - source: salt://keystone/files/keystone.domain.conf
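Review bot: the hunk header reports one added line, but every visible line is unchanged context, so the addition appears to be whitespace only; the next four hunks in this file show the same pattern. Whitespace-only edits are better kept out of a feature commit titled `Multi-region service endpoint support`, so that the one functional change in this file (the `endpoint_present` name lookup) can be reviewed and reverted on its own.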
@ -75,6 +76,7 @@ keystone_group:
domain_name: {{ domain_name }} domain_name: {{ domain_name }}
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %} {%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
keystone_domain_{{ domain_name }}_cacert: keystone_domain_{{ domain_name }}_cacert:
file.managed: file.managed:
- name: /etc/keystone/domains/{{ domain_name }}.pem - name: /etc/keystone/domains/{{ domain_name }}.pem
@ -83,6 +85,7 @@ keystone_domain_{{ domain_name }}_cacert:
- file: /etc/keystone/domains - file: /etc/keystone/domains
- watch_in: - watch_in:
- service: keystone_service - service: keystone_service
{%- endif %} {%- endif %}
keystone_domain_{{ domain_name }}: keystone_domain_{{ domain_name }}:
@ -92,11 +95,13 @@ keystone_domain_{{ domain_name }}:
- require: - require:
- file: /root/keystonercv3 - file: /root/keystonercv3
- service: keystone_service - service: keystone_service
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %} {%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
keystone_ldap_default_cacert: keystone_ldap_default_cacert:
file.managed: file.managed:
- name: {{ server.ldap.tls.cacertfile }} - name: {{ server.ldap.tls.cacertfile }}
@ -105,6 +110,7 @@ keystone_ldap_default_cacert:
- pkg: keystone_packages - pkg: keystone_packages
- watch_in: - watch_in:
- service: keystone_service - service: keystone_service
{%- endif %} {%- endif %}
keystone_service: keystone_service:
@ -199,7 +205,7 @@ keystone_{{ service_name }}_service:
keystone_{{ service_name }}_endpoint: keystone_{{ service_name }}_endpoint:
keystone.endpoint_present: keystone.endpoint_present:
- name: {{ service_name }} - name: {{ service.get('service', service_name) }}
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}' - publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}' - internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}' - adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
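Review bot: with `- name: {{ service.get('service', service_name) }}`, the `ceilometer_region01` and `ceilometer_region02` entries from the README both register an endpoint named `ceilometer`, yet nothing in this hunk passes the new `region` key to `keystone.endpoint_present`; unless a `- region:` argument exists below the visible context, the second state overwrites or duplicates the first instead of creating a per-region endpoint. The `keystone_{{ service_name }}_service:` state shown in the hunk header is not touched here, so check that its name uses the same `service.get('service', service_name)` lookup, otherwise the service is created as `ceilometer_region01` while the endpoint refers to `ceilometer`.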