summaryrefslogtreecommitdiffstats
path: root/keystone-moon/doc/source/apache-httpd.rst
blob: 91eb7011ab35c908e18cad8b18ae1e688c940f8f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
..
      Copyright 2011-2012 OpenStack Foundation
      All Rights Reserved.

      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

=========================
Running Keystone in HTTPD
=========================

.. WARNING::

    Running Keystone under HTTPD in the recommended (and tested) configuration
    does not support the use of ``Transfer-Encoding: chunked``. This is due to
    a limitation with the WSGI spec and the implementation used by
    ``mod_wsgi``. It is recommended that all clients assume Keystone will not
    support ``Transfer-Encoding: chunked``.


Files
-----

Copy the ``httpd/wsgi-keystone.conf`` sample configuration file to the
appropriate location for your Apache server::

    /etc/$APACHE_DIR/conf.d/sites-available/wsgi-keystone.conf

Where ``$APACHE_DIR`` is ``httpd`` on Fedora-based systems and ``apache2`` on
Debian/Ubuntu systems.

Update the file to match your system configuration. Note the following:

* Make sure the correct log directory is used. Some distributions put httpd
  server logs in the ``apache2`` directory and some in the ``httpd`` directory.
* Enable TLS by supplying the correct certificates.

Keystone's primary configuration file (``etc/keystone.conf``) and the
PasteDeploy configuration file (``etc/keystone-paste.ini``) must be readable to
HTTPD in one of the default locations described in :doc:`configuration`.

Enable the site by creating a symlink from ``sites-enabled`` to the file in
``sites-available``::

  ln -s /etc/$APACHE_DIR/sites-available/keystone.conf /etc/$APACHE_DIR/sites-enabled/

Restart Apache to have it start serving keystone.


Access Control
--------------

If you are running with Linux kernel security module enabled (for example
SELinux or AppArmor) make sure that the file has the appropriate context to
access the linked file.

Keystone Configuration
----------------------

Make sure that when using a token format that requires persistence, you use a
token persistence driver that can be shared between processes. The SQL and
memcached token persistence drivers provided with keystone can be shared
between processes.

.. WARNING::

    The KVS (``kvs``) token persistence driver cannot be shared between
    processes so must not be used when running keystone under HTTPD (the tokens
    will not be shared between the processes of the server and validation will
    fail).

For SQL, in ``/etc/keystone/keystone.conf`` set::

    [token]
    driver = sql

For memcached, in ``/etc/keystone/keystone.conf`` set::

    [token]
    driver = memcache

All servers that are storing tokens need a shared backend. This means that
either all servers use the same database server or use a common memcached pool.