Merge "Update docs for password auth configuration options"

2016-02-05 15:58:31 +00:00 · 2016-02-05 15:58:31 +00:00 · ad40c61ea9
parent 1d74f7e3bc 376d669af6
commit ad40c61ea9
2 changed files with 75 additions and 53 deletions
--- a/doc/source/deploy/configuration.rst
+++ b/doc/source/deploy/configuration.rst
@ -243,74 +243,96 @@ so that the watcher service is configured for your needs.
    #rabbit_port = 5672
-#. Configure the Watcher Service to use these credentials with the Identity
+#. Watcher API shall validate the token provided by every incoming request,
-   Service. Replace IDENTITY_IP with the IP of the Identity server, and
+   via keystonemiddleware, which requires the Watcher service to be configured
-   replace WATCHER_PASSWORD with the password you chose for the ``watcher``
+   with the right credentials for the Identity service.
   user in the Identity Service::
-    [keystone_authtoken]
+   In the configuration section here below:
-    # Complete public Identity API endpoint (string value)
+   * replace IDENTITY_IP with the IP of the Identity server
-    #auth_uri=<None>
+   * replace WATCHER_PASSWORD with the password you chose for the ``watcher``
-    auth_uri=http://IDENTITY_IP:5000/
+     user
   * replace KEYSTONE_SERVICE_PROJECT_NAME with the name of project created
     for OpenStack services (e.g. ``service``) ::
-    # API version of the admin Identity API endpoint. (string value)
+        [keystone_authtoken]
    #auth_version=<None>
    auth_version=v3
-    # Complete admin Identity API endpoint. This should specify the
+        # Authentication type to load (unknown value)
-    # unversioned root endpoint e.g. https://localhost:35357/ (string
+        # Deprecated group/name - [DEFAULT]/auth_plugin
-    # value)
+        #auth_type = <None>
-    #identity_uri = <None>
+        auth_type = password
    identity_uri = http://IDENTITY_IP:5000
-    # Keystone account username (string value)
+        # Authentication URL (unknown value)
-    #admin_user=<None>
+        #auth_url = <None>
-    admin_user=watcher
+        auth_url = http://IDENTITY_IP:35357
-    # Keystone account password (string value)
+        # Username (unknown value)
-    #admin_password=<None>
+        # Deprecated group/name - [DEFAULT]/username
-    admin_password=WATCHER_DBPASSWORD
+        #username = <None>
        username=watcher
-    # Keystone service account tenant name to validate user tokens
+        # User's password (unknown value)
-    # (string value)
+        #password = <None>
-    #admin_tenant_name=admin
+        password = WATCHER_PASSWORD
    admin_tenant_name=KEYSTONE_SERVICE_PROJECT_NAME
-    # Directory used to cache files related to PKI tokens (string
+        # Domain ID containing project (unknown value)
-    # value)
+        #project_domain_id = <None>
-    #signing_dir=<None>
+        project_domain_id = default
-#. Configure the credentials to use to authenticate with the Identity Service
+        # User's domain id (unknown value)
-   for the different project clients::
+        #user_domain_id = <None>
        user_domain_id = default
-    [watcher_clients_auth]
+        # Project name to scope to (unknown value)
        # Deprecated group/name - [DEFAULT]/tenant-name
        #project_name = <None>
        project_name = KEYSTONE_SERVICE_PROJECT_NAME
-    # Authentication type to load (unknown value)
+#. Watcher's decision engine and applier interact with other OpenStack
-    # Deprecated group/name - [DEFAULT]/auth_plugin
+   projects through those projects' clients. In order to instantiate these
-    #auth_type = <None>
+   clients, Watcher needs to request a new session from the Identity service
-    auth_type = password
+   using the right credentials.
-    # Authentication URL (unknown value)
+   In the configuration section here below:
    #auth_url = <None>
    auth_url = http://IDENTITY_IP:35357
-    # Username (unknown value)
+   * replace IDENTITY_IP with the IP of the Identity server
-    # Deprecated group/name - [DEFAULT]/username
+   * replace WATCHER_PASSWORD with the password you chose for the ``watcher``
-    #username = <None>
+     user
-    username=watcher
+   * replace KEYSTONE_SERVICE_PROJECT_NAME with the name of project created
     for OpenStack services (e.g. ``service``) ::
-    # User's password (unknown value)
+        [watcher_clients_auth]
    #password = <None>
    password = WATCHER_PASSWORD
-    # Domain ID containing project (unknown value)
+        # Authentication type to load (unknown value)
-    #project_domain_id = <None>
+        # Deprecated group/name - [DEFAULT]/auth_plugin
-    project_domain_id = default
+        #auth_type = <None>
        auth_type = password
-    # User's domain id (unknown value)
+        # Authentication URL (unknown value)
-    #user_domain_id = <None>
+        #auth_url = <None>
-    user_domain_id = default
+        auth_url = http://IDENTITY_IP:35357
        # Username (unknown value)
        # Deprecated group/name - [DEFAULT]/username
        #username = <None>
        username=watcher
        # User's password (unknown value)
        #password = <None>
        password = WATCHER_PASSWORD
        # Domain ID containing project (unknown value)
        #project_domain_id = <None>
        project_domain_id = default
        # User's domain id (unknown value)
        #user_domain_id = <None>
        user_domain_id = default
        # Project name to scope to (unknown value)
        # Deprecated group/name - [DEFAULT]/tenant-name
        #project_name = <None>
        project_name = KEYSTONE_SERVICE_PROJECT_NAME
 #. Configure the clients to use a specific version if desired. For example, to
   configure Watcher to use a Nova client with version 2.1, use::
--- a/tox.ini
+++ b/tox.ini
@ -67,4 +67,4 @@ import_exceptions = watcher._i18n
 [doc8]
 extension=.rst
 # todo: stop ignoring doc/source/man when https://bugs.launchpad.net/doc8/+bug/1502391 is fixed
-ignore-path=doc/source/image_src,doc/source/man
+ignore-path=doc/source/image_src,doc/source/man,doc/source/api