Update docs for password auth configuration options

Watcher uses now auth_type 'password' plugin for authentication. Configuration related to credentials used to validate and apply for a token has been updated. Change-Id: If71bb908741130cb01d5d1525a12cf9a68b58a58 Closes-Bug: #1541296
2016-02-03 12:42:22 +01:00 · 2016-02-03 12:42:22 +01:00 · 376d669af6
parent 25d27f0288
commit 376d669af6
2 changed files with 75 additions and 53 deletions
--- a/doc/source/deploy/configuration.rst
+++ b/doc/source/deploy/configuration.rst
@ -243,46 +243,63 @@ so that the watcher service is configured for your needs.
    #rabbit_port = 5672


-#. Configure the Watcher Service to use these credentials with the Identity
-   Service. Replace IDENTITY_IP with the IP of the Identity server, and
-   replace WATCHER_PASSWORD with the password you chose for the ``watcher``
-   user in the Identity Service::
+#. Watcher API shall validate the token provided by every incoming request,
+   via keystonemiddleware, which requires the Watcher service to be configured
+   with the right credentials for the Identity service.
+
+   In the configuration section here below:
+
+   * replace IDENTITY_IP with the IP of the Identity server
+   * replace WATCHER_PASSWORD with the password you chose for the ``watcher``
+     user
+   * replace KEYSTONE_SERVICE_PROJECT_NAME with the name of project created
+     for OpenStack services (e.g. ``service``) ::

        [keystone_authtoken]

-    # Complete public Identity API endpoint (string value)
-    #auth_uri=<None>
-    auth_uri=http://IDENTITY_IP:5000/
+        # Authentication type to load (unknown value)
+        # Deprecated group/name - [DEFAULT]/auth_plugin
+        #auth_type = <None>
+        auth_type = password

-    # API version of the admin Identity API endpoint. (string value)
-    #auth_version=<None>
-    auth_version=v3
+        # Authentication URL (unknown value)
+        #auth_url = <None>
+        auth_url = http://IDENTITY_IP:35357

-    # Complete admin Identity API endpoint. This should specify the
-    # unversioned root endpoint e.g. https://localhost:35357/ (string
-    # value)
-    #identity_uri = <None>
-    identity_uri = http://IDENTITY_IP:5000
+        # Username (unknown value)
+        # Deprecated group/name - [DEFAULT]/username
+        #username = <None>
+        username=watcher

-    # Keystone account username (string value)
-    #admin_user=<None>
-    admin_user=watcher
+        # User's password (unknown value)
+        #password = <None>
+        password = WATCHER_PASSWORD

-    # Keystone account password (string value)
-    #admin_password=<None>
-    admin_password=WATCHER_DBPASSWORD
+        # Domain ID containing project (unknown value)
+        #project_domain_id = <None>
+        project_domain_id = default

-    # Keystone service account tenant name to validate user tokens
-    # (string value)
-    #admin_tenant_name=admin
-    admin_tenant_name=KEYSTONE_SERVICE_PROJECT_NAME
+        # User's domain id (unknown value)
+        #user_domain_id = <None>
+        user_domain_id = default

-    # Directory used to cache files related to PKI tokens (string
-    # value)
-    #signing_dir=<None>
+        # Project name to scope to (unknown value)
+        # Deprecated group/name - [DEFAULT]/tenant-name
+        #project_name = <None>
+        project_name = KEYSTONE_SERVICE_PROJECT_NAME

-#. Configure the credentials to use to authenticate with the Identity Service
-   for the different project clients::
+#. Watcher's decision engine and applier interact with other OpenStack
+   projects through those projects' clients. In order to instantiate these
+   clients, Watcher needs to request a new session from the Identity service
+   using the right credentials.
+
+   In the configuration section here below:
+
+   * replace IDENTITY_IP with the IP of the Identity server
+   * replace WATCHER_PASSWORD with the password you chose for the ``watcher``
+     user
+   * replace KEYSTONE_SERVICE_PROJECT_NAME with the name of project created
+     for OpenStack services (e.g. ``service``) ::

        [watcher_clients_auth]

@ -312,6 +329,11 @@ so that the watcher service is configured for your needs.
        #user_domain_id = <None>
        user_domain_id = default

+        # Project name to scope to (unknown value)
+        # Deprecated group/name - [DEFAULT]/tenant-name
+        #project_name = <None>
+        project_name = KEYSTONE_SERVICE_PROJECT_NAME
+
 #. Configure the clients to use a specific version if desired. For example, to
   configure Watcher to use a Nova client with version 2.1, use::

--- a/tox.ini
+++ b/tox.ini
@ -67,4 +67,4 @@ import_exceptions = watcher._i18n
 [doc8]
 extension=.rst
 # todo: stop ignoring doc/source/man when https://bugs.launchpad.net/doc8/+bug/1502391 is fixed
-ignore-path=doc/source/image_src,doc/source/man
+ignore-path=doc/source/image_src,doc/source/man,doc/source/api