openstack-manuals/doc/config-reference/ch_identityconfigure.xml
Atsushi SAKAI e9b476491f Update Config Reference for keystone
Updates for Liberty Release

 Main changes are oslo_messaging issue like ceilometer/nova etc.
 And Adds keystone-tokenless.xml file.

Change-Id: Ib19008917e6c214238fc397faa3ce54b53d2f7e1
2015-10-14 16:31:43 +09:00

175 lines
9.8 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="ch_configuring-openstack-identity">
<title>Identity service</title>
<para>This chapter details the OpenStack Identity service configuration
options. For installation prerequisites and step-by-step walkthroughs, see the
<citetitle>OpenStack Installation Guide</citetitle> for your distribution (<link xlink:href="http://docs.openstack.org"
>docs.openstack.org</link>) and <citetitle><link
xlink:href="http://docs.openstack.org/admin-guide-cloud/">Cloud
Administrator Guide</link></citetitle>.</para>
<section xml:id="section_keystone-cache">
<title>Caching layer</title>
<para>Identity supports a caching layer that is above the
configurable subsystems, such as token or assignment. The
majority of the caching configuration options are set in the
<literal>[cache]</literal> section. However, each section that
has the capability to be cached usually has a
<option>caching</option> option that will toggle caching for that
specific section. By default, caching is globally disabled.
Options are as follows:</para>
<xi:include href="../common/tables/keystone-cache.xml"/>
<para>Current functional backends are:</para>
<itemizedlist>
<listitem><para><literal>dogpile.cache.memcached</literal> - Memcached backend using
the standard python-memcached library</para></listitem>
<listitem><para><literal>dogpile.cache.pylibmc</literal> - Memcached backend using
the pylibmc library</para></listitem>
<listitem><para><literal>dogpile.cache.bmemcached</literal> - Memcached using
python-binary-memcached library.</para></listitem>
<listitem><para><literal>dogpile.cache.redis</literal> - Redis backend</para></listitem>
<listitem><para><literal>dogpile.cache.dbm</literal> - Local DBM file backend</para></listitem>
<listitem><para><literal>dogpile.cache.memory</literal> - In-memory cache, not
suitable for use outside of testing as it does not cleanup it's
internal cache on cache expiration and does not share cache
between processes. This means that caching and cache invalidation
will not be consistent or reliable.</para>
</listitem>
<listitem><para><literal>dogpile.cache.mongo</literal> - MongoDB as caching
backend.</para></listitem>
</itemizedlist>
</section>
<section xml:id="keystone-configuration-file">
<title>Identity service configuration file</title>
<para>The Identity service is configured in the
<filename>/etc/keystone/keystone.conf</filename> file.</para>
<para>The following tables provide a comprehensive list of the Identity
service options.</para>
<xi:include href="../common/tables/keystone-api.xml"/>
<xi:include href="../common/tables/keystone-assignment.xml"/>
<xi:include href="../common/tables/keystone-auth.xml"/>
<xi:include href="../common/tables/keystone-auth_token.xml"/>
<xi:include href="../common/tables/keystone-ca.xml"/>
<xi:include href="../common/tables/keystone-catalog.xml"/>
<xi:include href="../common/tables/keystone-common.xml"/>
<xi:include href="../common/tables/keystone-cors.xml"/>
<xi:include href="../common/tables/keystone-credential.xml"/>
<xi:include href="../common/tables/keystone-database.xml"/>
<xi:include href="../common/tables/keystone-debug.xml"/>
<xi:include href="../common/tables/keystone-domain.xml"/>
<xi:include href="../common/tables/keystone-federation.xml"/>
<xi:include href="../common/tables/keystone-fernet_tokens.xml"/>
<xi:include href="../common/tables/keystone-identity.xml"/>
<xi:include href="../common/tables/keystone-kvs.xml"/>
<xi:include href="../common/tables/keystone-ldap.xml"/>
<xi:include href="../common/tables/keystone-logging.xml"/>
<xi:include href="../common/tables/keystone-mapping.xml"/>
<xi:include href="../common/tables/keystone-memcache.xml"/>
<xi:include href="../common/tables/keystone-oauth.xml"/>
<xi:include href="../common/tables/keystone-os_inherit.xml"/>
<xi:include href="../common/tables/keystone-policy.xml"/>
<xi:include href="../common/tables/keystone-revoke.xml"/>
<xi:include href="../common/tables/keystone-role.xml"/>
<xi:include href="../common/tables/keystone-saml.xml"/>
<xi:include href="../common/tables/keystone-security.xml"/>
<xi:include href="../common/tables/keystone-token.xml"/>
<xi:include href="../common/tables/keystone-tokenless.xml"/>
<xi:include href="../common/tables/keystone-trust.xml"/>
<xi:include href="../common/tables/keystone-rpc.xml"/>
<xi:include href="../common/tables/keystone-amqp.xml"/>
<xi:include href="../common/tables/keystone-qpid.xml"/>
<xi:include href="../common/tables/keystone-rabbitmq.xml"/>
<xi:include href="../common/tables/keystone-zeromq.xml"/>
<xi:include href="../common/tables/keystone-redis.xml"/>
</section>
<section xml:id="section_keystone-domain-configs">
<title>Domain-specific configuration</title>
<para>The Identity service supports domain-specific
Identity drivers which allow a domain to have its
own LDAP or SQL back end. By default, domain-specific
drivers are disabled.</para>
<para>Domain-specific Identity configuration options can be stored in
domain-specific configuration files, or in the Identity SQL database
using API REST calls.</para>
<note>
<para>Storing and managing configuration options in
a SQL database is experimental in Kilo.</para>
</note>
<section xml:id="section_keystone-domain-driver-enable">
<title>Enable drivers for domain-specific configuration files</title>
<para>To enable domain-specific drivers,
set these options in the <filename>/etc/keystone/keystone.conf</filename>
file:</para>
<programlisting language="ini">[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains</programlisting>
<para>When you enable domain-specific drivers, Identity looks
in the <option>domain_config_dir</option> directory for
configuration files that are named as
<filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>.
Any domain without a domain-specific configuration
file uses options in the primary configuration file.</para>
</section>
<section xml:id="section_keystone-domain-config-file">
<title>Domain-specific configuration file</title>
<para>Any options that you define in the domain-specific
configuration file override options in the <filename>/etc/keystone/keystone.conf</filename>
configuration file.</para>
<para>Domains configured for the service user or project
use the Identity API v3 to retrieve the service token.</para>
<para>To configure the domain for the service user, set the
following options in the [DEFAULT] section of the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file:</para>
<programlisting>admin_user_domain_id = <replaceable>USER_DOMAIN_ID</replaceable>
admin_user_domain_name = <replaceable>USER_DOMAIN_NAME</replaceable></programlisting>
<para>Replace <replaceable>USER_DOMAIN_ID</replaceable> with
the Identity service account user domain ID, and
<replaceable>USER_DOMAIN_NAME</replaceable> with the Identity
service account user domain name.</para>
<para>To configure the domain for the project, set the
following options in the [DEFAULT] section of the
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
file:</para>
<programlisting>admin_project_domain_id = <replaceable>PROJECT_DOMAIN_ID</replaceable>
admin_project_domain_name = <replaceable>PROJECT_DOMAIN_NAME</replaceable></programlisting>
<para>Replace <replaceable>PROJECT_DOMAIN_ID</replaceable> with
the Identity service account project domain ID, and
<replaceable>PROJECT_DOMAIN_NAME</replaceable> with the
Identity service account project domain name.</para>
</section>
<section xml:id="section_keystone-domain-driver-sql">
<title>Enable drivers for storing configuration options in SQL database</title>
<para>To enable domain-specific drivers, set these options in
the <filename>/etc/keystone/keystone.conf</filename> file:</para>
<programlisting language="ini">[identity]
domain_specific_drivers_enabled = True
domain_configurations_from_database = True</programlisting>
<para>Any domain-specific configuration options specified through
the Identity v3 API will override domain-specific configuration files
in the <filename>/etc/keystone/domains</filename> directory.</para>
</section>
<section xml:id="section_keystone-domain-config-migration">
<title>Migrate domain-specific configuration files to the SQL database</title>
<para>You can use the <command>keystone-manage</command> command
to migrate configuration options in domain-specific configuration
files to the SQL database:</para>
<screen><prompt>$</prompt> keystone-manage domain_config_upload --all</screen>
<para>To upload options from a specific domain-configuration
file, specify the domain name:</para>
<screen><prompt>$</prompt> keystone-manage domain_config_upload --domain-name <replaceable>DOMAIN_NAME</replaceable></screen>
</section>
</section>
<xi:include href="identity/section_keystone-sample-conf-files.xml"/>
<xi:include href="conf-changes/keystone.xml"/>
</chapter>