openstack/salt-formula-keystone
Code Issues Proposed changes
RETIRED, Keystone salt formula
19 Commits 2 Branches 6 Tags 575 KiB
19620f7642
Go to file
Filip Pytloun 19620f7642 Fix non-ldap domain backend setup
2016-01-19 16:27:00 +01:00
debian Initial commit 2015-10-06 16:40:56 +02:00
keystone Fix non-ldap domain backend setup 2016-01-19 16:27:00 +01:00
metadata/service Documentation 2015-12-18 21:57:58 +01:00
CHANGELOG.rst Initial commit 2015-10-06 16:40:56 +02:00
LICENSE Initial commit 2015-10-06 16:40:56 +02:00
README.rst LDAP backend for default domain 2016-01-18 11:46:50 +01:00
VERSION Initial commit 2015-10-06 16:40:56 +02:00

README.rst

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

From Kilo release Keystone v3 endpoint has definition without version in url

+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
|                id                |   region  |        publicurl         |       internalurl        |          adminurl         |            service_id            |
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+
| 91663a8db11c487c9253c8c456863494 | RegionOne | http://10.0.150.37:5000/ | http://10.0.150.37:5000/ | http://10.0.150.37:35357/ | 0fd2dba3153d45a1ba7f709cfc2d69c9 |
+----------------------------------+-----------+--------------------------+--------------------------+---------------------------+----------------------------------+

Sample pillars

Full stacked keystone

keystone:
  server:
    enabled: true
    version: juno
    service_token: 'service_tokeen'
    service_tenant: service
    service_password: 'servicepwd'
    admin_tenant: admin
    admin_name: admin
    admin_password: 'adminpwd'
    admin_email: stackmaster@domain.com
    roles:
      - admin
      - Member
      - image_manager
    bind:
      address: 0.0.0.0
      private_address: 127.0.0.1
      private_port: 35357
      public_address: 127.0.0.1
      public_port: 5000
    api_version: 2.0
    region: RegionOne
    database:
      engine: mysql
      host: '127.0.0.1'
      name: 'keystone'
      password: 'LfTno5mYdZmRfoPV'
      user: 'keystone'

Keystone public HTTPS API

keystone:
  server:
    enabled: true
    version: juno
    ...
    services:
    - name: nova
      type: compute
      description: OpenStack Compute Service
      user:
        name: nova
        password: password
      bind:
        public_address: cloud.domain.com
        public_protocol: https
        public_port: 8774
        internal_address: 10.0.0.20
        internal_port: 8774
        admin_address: 10.0.0.20
        admin_port: 8774

Keystone memcached storage for tokens

keystone:
  server:
    enabled: true
    version: juno
    ...
    token_store: cache
    cache:
      engine: memcached
      host: 127.0.0.1
      port: 11211
    services:
    ...

Keystone clustered memcached storage for tokens

keystone:
  server:
    enabled: true
    version: juno
    ...
    token_store: cache
    cache:
      engine: memcached
      members:
      - host: 192.160.0.1
        port: 11211
      - host: 192.160.0.2
        port: 11211
    services:
    ...

Keystone client

keystone:
  client:
    enabled: true
    server:
      host: 10.0.0.2
      public_port: 5000
      private_port: 35357
      service_token: 'token'
      admin_tenant: admin
      admin_name: admin
      admin_password: 'passwd'

Keystone cluster

keystone:
  control:
    enabled: true
    provider:
      os15_token:
        host: 10.0.0.2
        port: 35357
        token: token
      os15_tcp_core_stg:
        host: 10.0.0.5
        port: 5000
        tenant: admin
        name: admin
        password: password

Keystone fernet tokens for OpenStack Kilo release

keystone:
  server:
    ...
    tokens:
      engine: fernet
    ...

Keystone domain with LDAP backend, using SQL for role/project assignment

keystone:
  server:
    domain:
      description: "Testing domain"
      backend: ldap
      assignment:
        backend: sql
      ldap:
        url: "ldaps://idm01.workshop.cloudlab.cz"
        suffix: "dc=workshop,dc=cloudlab,dc=cz"
        # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
        uid: keystone
        password: cloudlab

Using LDAP backend for default domain

keystone:
  server:
    backend: ldap
    assignment:
      backend: sql
    ldap:
      url: "ldaps://idm01.workshop.cloudlab.cz"
      suffix: "dc=workshop,dc=cloudlab,dc=cz"
      # Will bind as uid=keystone,cn=users,cn=accounts,dc=workshop,dc=cloudlab,dc=cz
      uid: keystone
      password: cloudlab

Read more

Things to improve

  • Keystone as service provider (SP) - must be running under Apache (same as with PKI token)
  • Keystone with MongoDB backend - where is it?
  • IdP is owned by domain, domain corresponds to billable account - IdP administration
  • IdP Shiboleth alternatives - mod_auth_mellon

Generally this SP/IdP stuff is a little unstable - how to let SP know identity has changed, no visibility in UI (IBM has some not in upstream yet)