craton/doc/source/dev/install-keystone.rst
Ian Cordasco 2407803170 Fix Keystone integration
We add the necessary Paste filters for Keystone middleware and context
usage inside of Craton so that operators can use Keystone for Identity
and Access Management of Craton.

We also clean up our Keystone Context Middleware to access the
attributes that the keystonemiddleware library set on a request object
so we can determine if the token sent has been validated and what
roles the user owns.

Due to the effort exerted to get this working, this also adds
documentation around how to set up Craton to use Keystone for identity
and adds a tiny script in the `tools/` directory so that one can explore
the API interactively with keystone authentication.

Change-Id: Ida86881f1e6097b1a1f6dec912f094c53c2f4cc2
2016-10-20 15:36:57 -05:00


Setting up Craton with Keystone Using OpenStack-Ansible

OpenStack-Ansible is an upstream project that uses Ansible to deploy and configure production OpenStack from source. It also has the ability to deploy an environment entirely on one machine like devstack. OpenStack-Ansible (a.k.a., OSA) refers to these as AIOs (All In One). OSA's Quick Start documentation describes how to build these.

Once you have an AIO set up, you need to create the Craton service user, add the admin role to that user, set up the service and endpoints, and then do something a little unusual, depending on how you are developing Craton.

If you have OSA and Craton on the same machine, then Craton should be able to talk to what OSA calls its "Internal LB VIP". This is usually an IP address that looks like 172.29.236.100. In this case, you should be fine to start using Craton with Keystone authentication (assuming you've also followed the instructions for using Craton with Keystone).

If you do not have them on the same machine, then Craton will not be able to access the "Internal LB VIP" because (as its name might suggest) it is internal to that AIO. In that case, you need to use the openstack client to edit the Admin endpoint for Keystone itself. By default, the admin endpoint will be something like: http://172.29.236.100:35357/v3. Since we're talking to Keystone from outside that AIO, we need it to be the same as the public endpoint, which will look like https://<ip-of-server>:5000/v3. To update that, we need to do this:

# ID of the admin identity endpoint that is going to be rewritten.
export ADMIN_ENDPOINT_ID="$(openstack endpoint list --service identity \
                                                    --interface admin \
                                                    -c ID \
                                                    -f value)"
# URL of the *public* identity endpoint (the value the admin endpoint should take).
export PUBLIC_URL="$(openstack endpoint list --service identity \
                                             --interface public \
                                             -c URL \
                                             -f value)"
# Point the admin endpoint at the public URL.
openstack endpoint set --region RegionOne \
                       --service identity \
                       --url "$PUBLIC_URL" \
                       --interface admin \
                       "$ADMIN_ENDPOINT_ID"

This ensures that keystonemiddleware will get the public IP address from the service catalog when it needs to talk to the admin identity endpoint.
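The whole procedure above (service user, admin role, service and endpoints, then the admin-endpoint rewrite) as a single script. This is an added example, not part of the Craton documentation or of the project's tools/ directory. It assumes an openstack client already authenticated as an admin through the usual OS_* environment variables, that OSA has created a project named `service` for service users, and that the Craton service type, API URL and password are the placeholder values set at the top (none of these come from the page; override them through the environment).

```shell
#!/bin/sh
# Added example, not Craton's own tooling. Assumes the openstack CLI is
# authenticated as an admin (OS_* environment) against the AIO's Keystone.
set -eu

# Assumptions (not from the Craton docs): override via the environment.
CRATON_PASSWORD="${CRATON_PASSWORD:-change-me}"                # service user password
CRATON_API_URL="${CRATON_API_URL:-http://127.0.0.1:7780/v1}"   # where craton-api listens
CRATON_SERVICE_TYPE="${CRATON_SERVICE_TYPE:-fleet_management}" # service type registered in Keystone
CRATON_REGION="${CRATON_REGION:-RegionOne}"
SERVICE_PROJECT="${SERVICE_PROJECT:-service}"                  # project OSA creates for service users

# Print one column (ID or URL) of the identity endpoint for a given interface.
identity_endpoint() {
    # $1 = admin|internal|public, $2 = ID|URL
    openstack endpoint list --service identity --interface "$1" -c "$2" -f value
}

# Steps 1-3 from the text: service user, admin role, service and endpoints.
register_craton_service() {
    openstack user create --domain default --project "$SERVICE_PROJECT" \
        --password "$CRATON_PASSWORD" craton
    openstack role add --project "$SERVICE_PROJECT" --user craton admin
    openstack service create --name craton --description "Craton" "$CRATON_SERVICE_TYPE"
    for iface in public internal admin; do
        openstack endpoint create --region "$CRATON_REGION" craton "$iface" "$CRATON_API_URL"
    done
}

# Step 4: make the admin identity endpoint reachable from outside the AIO by
# pointing it at the public URL. Idempotent: no change when they already match.
fix_identity_admin_endpoint() {
    admin_id="$(identity_endpoint admin ID)"
    admin_url="$(identity_endpoint admin URL)"
    public_url="$(identity_endpoint public URL)"
    # Refuse to guess if the catalog holds more than one admin identity endpoint.
    if [ "$(printf '%s\n' "$admin_id" | wc -l)" -ne 1 ]; then
        echo "expected exactly one admin identity endpoint, got: $admin_id" >&2
        return 1
    fi
    if [ "$admin_url" = "$public_url" ]; then
        echo "admin endpoint $admin_id already uses $public_url"
        return 0
    fi
    openstack endpoint set --region "$CRATON_REGION" --service identity \
        --interface admin --url "$public_url" "$admin_id"
    echo "admin endpoint $admin_id: $admin_url -> $public_url"
}

# Only act when invoked explicitly:  sh craton-keystone.sh apply
if [ "${1:-}" = "apply" ]; then
    register_craton_service
    fix_identity_admin_endpoint
fi
```

The rewrite step reads the public URL with `--interface public` and checks that exactly one admin identity endpoint exists before changing anything, so a multi-region catalog fails loudly instead of rewriting the wrong endpoint. Because the public endpoint is served over HTTPS, keystonemiddleware on the Craton side must also trust the certificate the AIO presents (for a self-signed certificate, that means configuring the CA file it was signed with rather than disabling verification).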