author | Alan Pevec <apevec@redhat.com> | 2012-07-31 03:14:16 +0200 |
---|---|---|
committer | Alan Pevec <apevec@redhat.com> | 2012-08-22 20:50:31 +0200 |
commit | 174964498ba098f206d27119ce58d9fa6f43d302 (patch) | |
tree | 215f56e41de776f7f6daec9123d99c1ceaa0f68c /doc | |
parent | d04e99a513fe46c6ede8ef917ba24a52fc74294b (diff) | |
allow middleware configuration from app config
From markmc's proposal:
http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html
For backward compatibility, configuration from paste-deploy INI is used
if it exists. If not, section [keystone_authtoken] in global
configuration is expected, with the same parameter names.
Requires application using global cfg.CONF object (nova and glance since
folsom-2) and before there's openstack.common library, attempts to use
copy/pasted <application>.openstack.common.cfg
DocImpact
Change-Id: If6aa22280f4ce2cc698d99a130b5792dab808363
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/configuringservices.rst | 26 | ||||
-rw-r--r-- | doc/source/middlewarearchitecture.rst | 26 |
2 files changed, 49 insertions, 3 deletions
diff --git a/doc/source/configuringservices.rst b/doc/source/configuringservices.rst index 1c422530..4dbba55e 100644 --- a/doc/source/configuringservices.rst +++ b/doc/source/configuringservices.rst @@ -49,7 +49,7 @@ Admin Token For a default installation of Keystone, before you can use the REST API, you need to define an authorization token. This is configured in ``keystone.conf`` file under the section ``[DEFAULT]``. In the sample file provided with the -keystone project, the line defining this token is +keystone project, the line defining this token is:: [DEFAULT] admin_token = ADMIN @@ -70,7 +70,7 @@ be able to use to authenticate users against keystone. The ``auth_token`` middleware supports using either the shared secret described above as `admin_token` or users for each service. -See doc:`configuration` for a walk through on how to create tenants, users, +See :doc:`configuration` for a walk through on how to create tenants, users, and roles. Setting up services @@ -169,7 +169,8 @@ Configuring Nova to use Keystone When configuring Nova, it is important to create a admin service token for the service (from the Configuration step above) and include that as the key -'admin_token' in Nova's api-paste.ini. +'admin_token' in Nova's api-paste.ini [filter:authtoken] section or in +nova.conf [keystone_authtoken] section. Configuring Swift to use Keystone --------------------------------- 
@@ -344,3 +345,22 @@ Here is an example paste config filter that makes use of the 'admin_user' and It should be noted that when using this option an admin tenant/role relationship is required. The admin user is granted access to to the 'Admin' role to the 'admin' tenant. + +The auth_token middleware can also be configured in nova.conf +[keystone_authtoken] section to keep paste config clean of site-specific +parameters:: + + [filter:authtoken] + paste.filter_factory = keystone.middleware.auth_token:filter_factory + +and in nova.conf:: + + [DEFAULT] + ... + auth_strategy=keystone + + [keystone_authtoken] + auth_port = 35357 + auth_host = 127.0.0.1 + admin_user = admin + admin_password = keystone123 diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst index dc0b1d53..8c92add4 100644 --- a/doc/source/middlewarearchitecture.rst +++ b/doc/source/middlewarearchitecture.rst @@ -137,6 +137,32 @@ a WSGI component. Example for the auth_token middleware:: certfile = <path to middleware public cert> keyfile = <path to middleware private cert> +For services which have separate paste-deploy ini file, auth_token middleware +can be alternatively configured in [keystone_authtoken] section in the main +config file. For example in Nova, all middleware parameters can be removed +from api-paste.ini:: + + [filter:authtoken] + paste.filter_factory = keystone.middleware.auth_token:filter_factory + +and set in nova.conf:: + + [DEFAULT] + ... + auth_strategy=keystone + + [keystone_authtoken] + auth_host = 127.0.0.1 + auth_port = 35357 + auth_protocol = http + auth_uri = http://127.0.0.1:5000/ + admin_user = admin + admin_password = SuperSekretPassword + admin_tenant_name = service + +Note that middleware parameters in paste config take priority, they must be +removed to use values in [keystone_authtoken] section. + Configuration Options --------------------- |
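Review bot: In the `@@ -169,7 +169,8 @@` hunk of configuringservices.rst, the sentence now names two places for 'admin_token' (api-paste.ini `[filter:authtoken]` or nova.conf `[keystone_authtoken]`) without saying which one is used when both are set. The middlewarearchitecture.rst text in this same change says paste config takes priority; repeat that here or cross-reference it, so an operator who adds the token to nova.conf while an old value is still in api-paste.ini knows the old value remains in effect.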
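Review bot: The nova.conf example added in the `@@ -344,3 +345,22 @@` hunk of configuringservices.rst leaves out `admin_tenant_name`, although the context paragraph directly above it says an admin tenant/role relationship is required and the parallel example in middlewarearchitecture.rst sets `admin_tenant_name = service`. Suggest making the two examples agree: add the missing key, list `auth_host` before `auth_port` as the other file does, and use one obvious placeholder for `admin_password` instead of `keystone123` here and `SuperSekretPassword` there, so neither reads as a value to copy. This section also omits the statement that parameters left in api-paste.ini take priority, which a reader who only sees this file will need.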
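Review bot: The closing note in the `@@ -137,6 +137,32 @@` hunk of middlewarearchitecture.rst ("middleware parameters in paste config take priority, they must be removed to use values in [keystone_authtoken] section") does not say whether priority is decided per parameter or for the filter section as a whole. The commit message says the paste-deploy configuration "is used if it exists", which reads as all-or-nothing; the documentation should state the rule explicitly, since a single leftover key in api-paste.ini could otherwise cause the whole `[keystone_authtoken]` section to be ignored without the operator noticing. The sentence is also a comma splice and would read better split in two. Separately, the example pairs `auth_protocol = http` with `admin_user`/`admin_password`; the context lines just above show `certfile`/`keyfile` options, so a short pointer from the new example to the https setup would help readers who copy it.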