From 174964498ba098f206d27119ce58d9fa6f43d302 Mon Sep 17 00:00:00 2001 From: Alan Pevec Date: Tue, 31 Jul 2012 03:14:16 +0200 Subject: allow middleware configuration from app config From markmc's proposal: http://lists.openstack.org/pipermail/openstack-dev/2012-July/000277.html For backward compatibility, configuration from paste-deploy INI is used if it exists. If not, section [keystone_authtoken] in global configuration is expected, with the same parameter names. Requires application using global cfg.CONF object (nova and glance since folsom-2) and before there's openstack.common library, attempts to use copy/pasted .openstack.common.cfg DocImpact Change-Id: If6aa22280f4ce2cc698d99a130b5792dab808363 --- doc/source/configuringservices.rst | 26 +++++++++++++++++++++++--- doc/source/middlewarearchitecture.rst | 26 ++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 3 deletions(-) (limited to 'doc/source') diff --git a/doc/source/configuringservices.rst b/doc/source/configuringservices.rst index 1c422530..4dbba55e 100644 --- a/doc/source/configuringservices.rst +++ b/doc/source/configuringservices.rst @@ -49,7 +49,7 @@ Admin Token For a default installation of Keystone, before you can use the REST API, you need to define an authorization token. This is configured in ``keystone.conf`` file under the section ``[DEFAULT]``. In the sample file provided with the -keystone project, the line defining this token is +keystone project, the line defining this token is:: [DEFAULT] admin_token = ADMIN @@ -70,7 +70,7 @@ be able to use to authenticate users against keystone. The ``auth_token`` middleware supports using either the shared secret described above as `admin_token` or users for each service. -See doc:`configuration` for a walk through on how to create tenants, users, +See :doc:`configuration` for a walk through on how to create tenants, users, and roles. Setting up services 
@@ -169,7 +169,8 @@ Configuring Nova to use Keystone When configuring Nova, it is important to create a admin service token for the service (from the Configuration step above) and include that as the key -'admin_token' in Nova's api-paste.ini. +'admin_token' in Nova's api-paste.ini [filter:authtoken] section or in +nova.conf [keystone_authtoken] section. Configuring Swift to use Keystone --------------------------------- @@ -344,3 +345,22 @@ Here is an example paste config filter that makes use of the 'admin_user' and It should be noted that when using this option an admin tenant/role relationship is required. The admin user is granted access to to the 'Admin' role to the 'admin' tenant. + +The auth_token middleware can also be configured in nova.conf +[keystone_authtoken] section to keep paste config clean of site-specific +parameters:: + + [filter:authtoken] + paste.filter_factory = keystone.middleware.auth_token:filter_factory + +and in nova.conf:: + + [DEFAULT] + ... + auth_strategy=keystone + + [keystone_authtoken] + auth_port = 35357 + auth_host = 127.0.0.1 + admin_user = admin + admin_password = keystone123 diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst index dc0b1d53..8c92add4 100644 --- a/doc/source/middlewarearchitecture.rst +++ b/doc/source/middlewarearchitecture.rst 
@@ -137,6 +137,32 @@ a WSGI component. Example for the auth_token middleware:: certfile = keyfile = +For services which have separate paste-deploy ini file, auth_token middleware +can be alternatively configured in [keystone_authtoken] section in the main +config file. For example in Nova, all middleware parameters can be removed +from api-paste.ini:: + + [filter:authtoken] + paste.filter_factory = keystone.middleware.auth_token:filter_factory + +and set in nova.conf:: + + [DEFAULT] + ... + auth_strategy=keystone + + [keystone_authtoken] + auth_host = 127.0.0.1 + auth_port = 35357 + auth_protocol = http + auth_uri = http://127.0.0.1:5000/ + admin_user = admin + admin_password = SuperSekretPassword + admin_tenant_name = service + +Note that middleware parameters in paste config take priority, they must be +removed to use values in [keystone_authtoken] section. + Configuration Options --------------------- -- cgit
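Review bot: In doc/source/configuringservices.rst, the "Configuring Nova to use Keystone" paragraph now offers api-paste.ini [filter:authtoken] and nova.conf [keystone_authtoken] as equal places for 'admin_token' without saying which one wins. The middlewarearchitecture.rst hunk in this same patch states that parameters in paste config take priority, so an operator who sets the token in nova.conf while an older value is still present in api-paste.ini keeps running with the older one. Suggest repeating the precedence rule in this paragraph or cross-referencing the note.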
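Review bot: In the text appended at the end of doc/source/configuringservices.rst, the lead-in says the middleware is configured "in nova.conf [keystone_authtoken] section", but the literal block directly after it is the [filter:authtoken] stanza, which lives in api-paste.ini; name that file before the block, as the middlewarearchitecture.rst example does. The [keystone_authtoken] sample also sets admin_user and admin_password with no admin_tenant_name, although the unchanged context just above says an admin tenant/role relationship is required and the parallel example in middlewarearchitecture.rst includes admin_tenant_name = service. Suggest making the two examples agree, including a single placeholder password rather than keystone123 here and SuperSekretPassword there.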
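Review bot: In doc/source/middlewarearchitecture.rst, the closing note ("middleware parameters in paste config take priority, they must be removed to use values in [keystone_authtoken] section") does not say whether the fallback is decided per parameter or for the whole section. The commit message reads as all-or-nothing ("configuration from paste-deploy INI is used if it exists. If not, section [keystone_authtoken] ... is expected"), and the difference matters to anyone migrating: a leftover admin_password or admin_token line in api-paste.ini could silently override, or switch off, the credentials placed in nova.conf. Suggest stating the exact rule in the note. The sample also pairs auth_protocol = http with admin_password; a sentence saying that plain http is shown only because auth_host is 127.0.0.1 would keep readers from copying it for a remote Keystone.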