Diffstat (limited to 'keystone-moon/doc/source/apache-httpd.rst')
-rw-r--r-- | keystone-moon/doc/source/apache-httpd.rst | 50 |
1 files changed, 25 insertions, 25 deletions
diff --git a/keystone-moon/doc/source/apache-httpd.rst b/keystone-moon/doc/source/apache-httpd.rst index c075512f..91eb7011 100644 --- a/keystone-moon/doc/source/apache-httpd.rst +++ b/keystone-moon/doc/source/apache-httpd.rst 
@@ -31,38 +31,38 @@ Running Keystone in HTTPD Files ----- -Copy the file httpd/wsgi-keystone.conf to the appropriate location for your -Apache server, most likely:: +Copy the ``httpd/wsgi-keystone.conf`` sample configuration file to the +appropriate location for your Apache server:: - /etc/httpd/conf.d/wsgi-keystone.conf + /etc/$APACHE_DIR/conf.d/sites-available/wsgi-keystone.conf -Update this file to match your system configuration (for example, some -distributions put httpd logs in the ``apache2`` directory and some in the -``httpd`` directory; also, enable TLS). +Where ``$APACHE_DIR`` is ``httpd`` on Fedora-based systems and ``apache2`` on +Debian/Ubuntu systems. -Create the directory ``/var/www/cgi-bin/keystone/``. You can either hardlink or -softlink the files ``main`` and ``admin`` to the file ``keystone.py`` in this -directory. For a distribution appropriate place, it should probably be copied -to:: +Update the file to match your system configuration. Note the following: - /usr/share/openstack/keystone/httpd/keystone.py +* Make sure the correct log directory is used. Some distributions put httpd + server logs in the ``apache2`` directory and some in the ``httpd`` directory. +* Enable TLS by supplying the correct certificates. Keystone's primary configuration file (``etc/keystone.conf``) and the PasteDeploy configuration file (``etc/keystone-paste.ini``) must be readable to HTTPD in one of the default locations described in :doc:`configuration`. -SELinux -------- +Enable the site by creating a symlink from ``sites-enabled`` to the file in +``sites-available``:: -If you are running with SELinux enabled (and you should be) make sure that the -file has the appropriate SELinux context to access the linked file. If you -have the file in /var/www/cgi-bin, you can do this by running: + ln -s /etc/$APACHE_DIR/sites-available/keystone.conf /etc/$APACHE_DIR/sites-enabled/ -.. code-block:: bash +Restart Apache to have it start serving keystone. 
- $ sudo restorecon /var/www/cgi-bin -Putting it somewhere else requires you set up your SELinux policy accordingly. +Access Control +-------------- + +If you are running with Linux kernel security module enabled (for example +SELinux or AppArmor) make sure that the file has the appropriate context to +access the linked file. Keystone Configuration ---------------------- @@ -74,20 +74,20 @@ between processes. .. WARNING:: - The KVS (``keystone.token.persistence.backends.kvs.Token``) token - persistence driver cannot be shared between processes so must not be used - when running keystone under HTTPD (the tokens will not be shared between - the processes of the server and validation will fail). + The KVS (``kvs``) token persistence driver cannot be shared between + processes so must not be used when running keystone under HTTPD (the tokens + will not be shared between the processes of the server and validation will + fail). For SQL, in ``/etc/keystone/keystone.conf`` set:: [token] - driver = keystone.token.persistence.backends.sql.Token + driver = sql For memcached, in ``/etc/keystone/keystone.conf`` set:: [token] - driver = keystone.token.persistence.backends.memcache.Token + driver = memcache All servers that are storing tokens need a shared backend. This means that either all servers use the same database server or use a common memcached pool. |
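Review bot: In the @@ -31,38 +31,38 @@ hunk, the copy destination and the symlink source do not name the same file. The copy step writes ``/etc/$APACHE_DIR/conf.d/sites-available/wsgi-keystone.conf``, while the ``ln -s`` line links ``/etc/$APACHE_DIR/sites-available/keystone.conf``, so following the steps literally leaves a dangling symlink and the site is not enabled. Use one directory and one filename in both places. Separately, the new Access Control paragraph still refers to "the file" and "the linked file", but the text that introduced the linked ``main`` and ``admin`` files and the ``restorecon`` command is removed in this same hunk, so the sentence has no referent and gives the reader nothing to run. Name the files that need the correct context (the ones HTTPD must read, such as ``keystone.conf`` and ``keystone-paste.ini``) and keep one concrete command for at least SELinux. Minor: "running with Linux kernel security module enabled" should read "running with a Linux kernel security module enabled".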
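Review bot: In the @@ -74,20 +74,20 @@ hunk, the WARNING now identifies the unsafe token persistence driver only as ``kvs``, so an operator whose existing ``keystone.conf`` still carries ``keystone.token.persistence.backends.kvs.Token`` has nothing to match against this warning. Mention both spellings in the warning text, and state from which release the short names in the ``driver = sql`` and ``driver = memcache`` examples are accepted, so they are not copied into a deployment that only understands the full class path.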