e9b476491f
Updates for Liberty Release Main changes are oslo_messaging issue like ceilometer/nova etc. And Adds keystone-tokenless.xml file. Change-Id: Ib19008917e6c214238fc397faa3ce54b53d2f7e1
175 lines
9.8 KiB
XML
175 lines
9.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<chapter xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="ch_configuring-openstack-identity">
|
|
<title>Identity service</title>
|
|
<para>This chapter details the OpenStack Identity service configuration
|
|
options. For installation prerequisites and step-by-step walkthroughs, see the
|
|
<citetitle>OpenStack Installation Guide</citetitle> for your distribution (<link xlink:href="http://docs.openstack.org"
|
|
>docs.openstack.org</link>) and <citetitle><link
|
|
xlink:href="http://docs.openstack.org/admin-guide-cloud/">Cloud
|
|
Administrator Guide</link></citetitle>.</para>
|
|
|
|
<section xml:id="section_keystone-cache">
|
|
<title>Caching layer</title>
|
|
<para>Identity supports a caching layer that is above the
|
|
configurable subsystems, such as token or assignment. The
|
|
majority of the caching configuration options are set in the
|
|
<literal>[cache]</literal> section. However, each section that
|
|
has the capability to be cached usually has a
|
|
<option>caching</option> option that will toggle caching for that
|
|
specific section. By default, caching is globally disabled.
|
|
Options are as follows:</para>
|
|
|
|
<xi:include href="../common/tables/keystone-cache.xml"/>
|
|
|
|
<para>Current functional backends are:</para>
|
|
<itemizedlist>
|
|
<listitem><para><literal>dogpile.cache.memcached</literal> - Memcached backend using
|
|
the standard python-memcached library</para></listitem>
|
|
<listitem><para><literal>dogpile.cache.pylibmc</literal> - Memcached backend using
|
|
the pylibmc library</para></listitem>
|
|
<listitem><para><literal>dogpile.cache.bmemcached</literal> - Memcached using
|
|
python-binary-memcached library.</para></listitem>
|
|
<listitem><para><literal>dogpile.cache.redis</literal> - Redis backend</para></listitem>
|
|
<listitem><para><literal>dogpile.cache.dbm</literal> - Local DBM file backend</para></listitem>
|
|
<listitem><para><literal>dogpile.cache.memory</literal> - In-memory cache, not
|
|
suitable for use outside of testing as it does not cleanup it's
|
|
internal cache on cache expiration and does not share cache
|
|
between processes. This means that caching and cache invalidation
|
|
will not be consistent or reliable.</para>
|
|
</listitem>
|
|
<listitem><para><literal>dogpile.cache.mongo</literal> - MongoDB as caching
|
|
backend.</para></listitem>
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
<section xml:id="keystone-configuration-file">
|
|
<title>Identity service configuration file</title>
|
|
<para>The Identity service is configured in the
|
|
<filename>/etc/keystone/keystone.conf</filename> file.</para>
|
|
<para>The following tables provide a comprehensive list of the Identity
|
|
service options.</para>
|
|
<xi:include href="../common/tables/keystone-api.xml"/>
|
|
<xi:include href="../common/tables/keystone-assignment.xml"/>
|
|
<xi:include href="../common/tables/keystone-auth.xml"/>
|
|
<xi:include href="../common/tables/keystone-auth_token.xml"/>
|
|
<xi:include href="../common/tables/keystone-ca.xml"/>
|
|
<xi:include href="../common/tables/keystone-catalog.xml"/>
|
|
<xi:include href="../common/tables/keystone-common.xml"/>
|
|
<xi:include href="../common/tables/keystone-cors.xml"/>
|
|
<xi:include href="../common/tables/keystone-credential.xml"/>
|
|
<xi:include href="../common/tables/keystone-database.xml"/>
|
|
<xi:include href="../common/tables/keystone-debug.xml"/>
|
|
<xi:include href="../common/tables/keystone-domain.xml"/>
|
|
<xi:include href="../common/tables/keystone-federation.xml"/>
|
|
<xi:include href="../common/tables/keystone-fernet_tokens.xml"/>
|
|
<xi:include href="../common/tables/keystone-identity.xml"/>
|
|
<xi:include href="../common/tables/keystone-kvs.xml"/>
|
|
<xi:include href="../common/tables/keystone-ldap.xml"/>
|
|
<xi:include href="../common/tables/keystone-logging.xml"/>
|
|
<xi:include href="../common/tables/keystone-mapping.xml"/>
|
|
<xi:include href="../common/tables/keystone-memcache.xml"/>
|
|
<xi:include href="../common/tables/keystone-oauth.xml"/>
|
|
<xi:include href="../common/tables/keystone-os_inherit.xml"/>
|
|
<xi:include href="../common/tables/keystone-policy.xml"/>
|
|
<xi:include href="../common/tables/keystone-revoke.xml"/>
|
|
<xi:include href="../common/tables/keystone-role.xml"/>
|
|
<xi:include href="../common/tables/keystone-saml.xml"/>
|
|
<xi:include href="../common/tables/keystone-security.xml"/>
|
|
<xi:include href="../common/tables/keystone-token.xml"/>
|
|
<xi:include href="../common/tables/keystone-tokenless.xml"/>
|
|
<xi:include href="../common/tables/keystone-trust.xml"/>
|
|
|
|
<xi:include href="../common/tables/keystone-rpc.xml"/>
|
|
<xi:include href="../common/tables/keystone-amqp.xml"/>
|
|
<xi:include href="../common/tables/keystone-qpid.xml"/>
|
|
<xi:include href="../common/tables/keystone-rabbitmq.xml"/>
|
|
<xi:include href="../common/tables/keystone-zeromq.xml"/>
|
|
<xi:include href="../common/tables/keystone-redis.xml"/>
|
|
</section>
|
|
<section xml:id="section_keystone-domain-configs">
|
|
<title>Domain-specific configuration</title>
|
|
<para>The Identity service supports domain-specific
|
|
Identity drivers which allow a domain to have its
|
|
own LDAP or SQL back end. By default, domain-specific
|
|
drivers are disabled.</para>
|
|
<para>Domain-specific Identity configuration options can be stored in
|
|
domain-specific configuration files, or in the Identity SQL database
|
|
using API REST calls.</para>
|
|
<note>
|
|
<para>Storing and managing configuration options in
|
|
a SQL database is experimental in Kilo.</para>
|
|
</note>
|
|
<section xml:id="section_keystone-domain-driver-enable">
|
|
<title>Enable drivers for domain-specific configuration files</title>
|
|
<para>To enable domain-specific drivers,
|
|
set these options in the <filename>/etc/keystone/keystone.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[identity]
|
|
domain_specific_drivers_enabled = True
|
|
domain_config_dir = /etc/keystone/domains</programlisting>
|
|
<para>When you enable domain-specific drivers, Identity looks
|
|
in the <option>domain_config_dir</option> directory for
|
|
configuration files that are named as
|
|
<filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>.
|
|
Any domain without a domain-specific configuration
|
|
file uses options in the primary configuration file.</para>
|
|
</section>
|
|
<section xml:id="section_keystone-domain-config-file">
|
|
<title>Domain-specific configuration file</title>
|
|
<para>Any options that you define in the domain-specific
|
|
configuration file override options in the <filename>/etc/keystone/keystone.conf</filename>
|
|
configuration file.</para>
|
|
<para>Domains configured for the service user or project
|
|
use the Identity API v3 to retrieve the service token.</para>
|
|
<para>To configure the domain for the service user, set the
|
|
following options in the [DEFAULT] section of the
|
|
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
file:</para>
|
|
<programlisting>admin_user_domain_id = <replaceable>USER_DOMAIN_ID</replaceable>
|
|
admin_user_domain_name = <replaceable>USER_DOMAIN_NAME</replaceable></programlisting>
|
|
<para>Replace <replaceable>USER_DOMAIN_ID</replaceable> with
|
|
the Identity service account user domain ID, and
|
|
<replaceable>USER_DOMAIN_NAME</replaceable> with the Identity
|
|
service account user domain name.</para>
|
|
<para>To configure the domain for the project, set the
|
|
following options in the [DEFAULT] section of the
|
|
<filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
|
|
file:</para>
|
|
<programlisting>admin_project_domain_id = <replaceable>PROJECT_DOMAIN_ID</replaceable>
|
|
admin_project_domain_name = <replaceable>PROJECT_DOMAIN_NAME</replaceable></programlisting>
|
|
<para>Replace <replaceable>PROJECT_DOMAIN_ID</replaceable> with
|
|
the Identity service account project domain ID, and
|
|
<replaceable>PROJECT_DOMAIN_NAME</replaceable> with the
|
|
Identity service account project domain name.</para>
|
|
</section>
|
|
<section xml:id="section_keystone-domain-driver-sql">
|
|
<title>Enable drivers for storing configuration options in SQL database</title>
|
|
<para>To enable domain-specific drivers, set these options in
|
|
the <filename>/etc/keystone/keystone.conf</filename> file:</para>
|
|
<programlisting language="ini">[identity]
|
|
domain_specific_drivers_enabled = True
|
|
domain_configurations_from_database = True</programlisting>
|
|
<para>Any domain-specific configuration options specified through
|
|
the Identity v3 API will override domain-specific configuration files
|
|
in the <filename>/etc/keystone/domains</filename> directory.</para>
|
|
</section>
|
|
<section xml:id="section_keystone-domain-config-migration">
|
|
<title>Migrate domain-specific configuration files to the SQL database</title>
|
|
<para>You can use the <command>keystone-manage</command> command
|
|
to migrate configuration options in domain-specific configuration
|
|
files to the SQL database:</para>
|
|
<screen><prompt>$</prompt> keystone-manage domain_config_upload --all</screen>
|
|
<para>To upload options from a specific domain-configuration
|
|
file, specify the domain name:</para>
|
|
<screen><prompt>$</prompt> keystone-manage domain_config_upload --domain-name <replaceable>DOMAIN_NAME</replaceable></screen>
|
|
</section>
|
|
</section>
|
|
<xi:include href="identity/section_keystone-sample-conf-files.xml"/>
|
|
<xi:include href="conf-changes/keystone.xml"/>
|
|
</chapter>
|