Multi-region service endpoint support
Change-Id: I2aa6bb39e81b6128ef162ffce16d539419bd9f6d
This commit is contained in:
parent
a4081e8fdb
commit
aabbda6e26
68
README.rst
68
README.rst
@ -172,11 +172,11 @@ Keystone domain with LDAP backend, using SQL for role/project assignment
|
|||||||
assignment:
|
assignment:
|
||||||
backend: sql
|
backend: sql
|
||||||
ldap:
|
ldap:
|
||||||
url: "ldaps://idm01.workshop.cloudlab.cz"
|
url: "ldaps://idm.domain.com"
|
||||||
suffix: "dc=workshop,dc=cloudlab,dc=cz"
|
suffix: "dc=cloud,dc=domain,dc=com"
|
||||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
|
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||||
uid: keystone
|
uid: keystone
|
||||||
password: cloudlab
|
password: password
|
||||||
|
|
||||||
Using LDAP backend for default domain
|
Using LDAP backend for default domain
|
||||||
|
|
||||||
@ -188,11 +188,53 @@ Using LDAP backend for default domain
|
|||||||
assignment:
|
assignment:
|
||||||
backend: sql
|
backend: sql
|
||||||
ldap:
|
ldap:
|
||||||
url: "ldaps://idm01.workshop.cloudlab.cz"
|
url: "ldaps://idm.domain.com"
|
||||||
suffix: "dc=workshop,dc=cloudlab,dc=cz"
|
suffix: "dc=cloud,dc=domain,dc=com"
|
||||||
# Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
|
# Will bind as uid=keystone,cn=users,cn=accounts,dc=cloud,dc=domain,dc=com
|
||||||
uid: keystone
|
uid: keystone
|
||||||
password: cloudlab
|
password: password
|
||||||
|
|
||||||
|
Simple service endpoint definition (defaults to RegionOne)
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
keystone:
|
||||||
|
server:
|
||||||
|
service:
|
||||||
|
ceilometer:
|
||||||
|
type: metering
|
||||||
|
description: OpenStack Telemetry Service
|
||||||
|
user:
|
||||||
|
name: ceilometer
|
||||||
|
password: password
|
||||||
|
bind:
|
||||||
|
...
|
||||||
|
|
||||||
|
Region-aware service endpoints definition
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
keystone:
|
||||||
|
server:
|
||||||
|
service:
|
||||||
|
ceilometer_region01:
|
||||||
|
service: ceilometer
|
||||||
|
type: metering
|
||||||
|
region: region01
|
||||||
|
description: OpenStack Telemetry Service
|
||||||
|
user:
|
||||||
|
name: ceilometer
|
||||||
|
password: password
|
||||||
|
bind:
|
||||||
|
...
|
||||||
|
ceilometer_region02:
|
||||||
|
service: ceilometer
|
||||||
|
type: metering
|
||||||
|
region: region02
|
||||||
|
description: OpenStack Telemetry Service
|
||||||
|
bind:
|
||||||
|
...
|
||||||
|
|
||||||
|
|
||||||
Read more
|
Read more
|
||||||
=========
|
=========
|
||||||
@ -204,13 +246,3 @@ Read more
|
|||||||
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
|
* http://www.sebastien-han.fr/blog/2012/12/12/cleanup-keystone-tokens/
|
||||||
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
|
* http://www-01.ibm.com/support/knowledgecenter/SS4KMC_2.2.0/com.ibm.sco.doc_2.2/t_memcached_keystone.html?lang=en
|
||||||
* https://bugs.launchpad.net/tripleo/+bug/1203910
|
* https://bugs.launchpad.net/tripleo/+bug/1203910
|
||||||
|
|
||||||
Things to improve
|
|
||||||
=================
|
|
||||||
|
|
||||||
* Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
|
|
||||||
* Keystone with MongoDB backend - where is it?
|
|
||||||
* IdP is owned by domain, domain corresponds to billable account - IdP administration
|
|
||||||
* IdP Shiboleth alternatives - mod_auth_mellon
|
|
||||||
|
|
||||||
Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)
|
|
||||||
|
@ -63,6 +63,7 @@ keystone_group:
|
|||||||
- pkg: keystone_packages
|
- pkg: keystone_packages
|
||||||
|
|
||||||
{%- for domain_name, domain in server.domain.iteritems() %}
|
{%- for domain_name, domain in server.domain.iteritems() %}
|
||||||
|
|
||||||
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
|
/etc/keystone/domains/keystone.{{ domain_name }}.conf:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://keystone/files/keystone.domain.conf
|
- source: salt://keystone/files/keystone.domain.conf
|
||||||
@ -75,6 +76,7 @@ keystone_group:
|
|||||||
domain_name: {{ domain_name }}
|
domain_name: {{ domain_name }}
|
||||||
|
|
||||||
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
{%- if domain.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
||||||
|
|
||||||
keystone_domain_{{ domain_name }}_cacert:
|
keystone_domain_{{ domain_name }}_cacert:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /etc/keystone/domains/{{ domain_name }}.pem
|
- name: /etc/keystone/domains/{{ domain_name }}.pem
|
||||||
@ -83,6 +85,7 @@ keystone_domain_{{ domain_name }}_cacert:
|
|||||||
- file: /etc/keystone/domains
|
- file: /etc/keystone/domains
|
||||||
- watch_in:
|
- watch_in:
|
||||||
- service: keystone_service
|
- service: keystone_service
|
||||||
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
keystone_domain_{{ domain_name }}:
|
keystone_domain_{{ domain_name }}:
|
||||||
@ -92,11 +95,13 @@ keystone_domain_{{ domain_name }}:
|
|||||||
- require:
|
- require:
|
||||||
- file: /root/keystonercv3
|
- file: /root/keystonercv3
|
||||||
- service: keystone_service
|
- service: keystone_service
|
||||||
|
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
{%- if server.get('ldap', {}).get('tls', {}).get('cacert', False) %}
|
||||||
|
|
||||||
keystone_ldap_default_cacert:
|
keystone_ldap_default_cacert:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: {{ server.ldap.tls.cacertfile }}
|
- name: {{ server.ldap.tls.cacertfile }}
|
||||||
@ -105,6 +110,7 @@ keystone_ldap_default_cacert:
|
|||||||
- pkg: keystone_packages
|
- pkg: keystone_packages
|
||||||
- watch_in:
|
- watch_in:
|
||||||
- service: keystone_service
|
- service: keystone_service
|
||||||
|
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
||||||
keystone_service:
|
keystone_service:
|
||||||
@ -199,7 +205,7 @@ keystone_{{ service_name }}_service:
|
|||||||
|
|
||||||
keystone_{{ service_name }}_endpoint:
|
keystone_{{ service_name }}_endpoint:
|
||||||
keystone.endpoint_present:
|
keystone.endpoint_present:
|
||||||
- name: {{ service_name }}
|
- name: {{ service.get('service', service_name) }}
|
||||||
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
|
- publicurl: '{{ service.bind.get('public_protocol', 'http') }}://{{ service.bind.public_address }}:{{ service.bind.public_port }}{{ service.bind.public_path }}'
|
||||||
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
|
- internalurl: '{{ service.bind.get('internal_protocol', 'http') }}://{{ service.bind.internal_address }}:{{ service.bind.internal_port }}{{ service.bind.internal_path }}'
|
||||||
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
|
- adminurl: '{{ service.bind.get('admin_protocol', 'http') }}://{{ service.bind.admin_address }}:{{ service.bind.admin_port }}{{ service.bind.admin_path }}'
|
||||||
|
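Review bot: The `keystone.endpoint_present` call in the `keystone_{{ service_name }}_endpoint` state now takes its endpoint name from `service.get('service', service_name)`, but nothing in this hunk passes the `region` key that the README's new region-aware example (`region: region01`) introduces; unless a `- region:` argument already exists in the lines after `adminurl` (outside the hunk), every `ceilometer_regionNN` entry likely resolves to the same endpoint name in the default region and the entries overwrite one another instead of yielding one endpoint per region. The fix is one line beside the URLs, `- region: {{ service.get('region', 'RegionOne') }}`, with the default matching the README's "defaults to RegionOne" wording. The sibling `keystone_{{ service_name }}_service` state is only visible in the hunk header, so confirm it derives its name the same way; otherwise it would register services named `ceilometer_region01`/`ceilometer_region02` while the endpoint references `ceilometer`, and the endpoint would attach to nothing. A comment above the `- name:` line, `# 'service' lets several region entries share one catalog service; the dict key only scopes the state id`, would make the two-key convention visible to the next reader.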