From 3f7394289faa2945e8f36d008cfb7dacf06279d6 Mon Sep 17 00:00:00 2001
From: joehuang
Date: Tue, 20 Sep 2016 05:20:31 -0400
Subject: Cherry Pick the update from the master branch to stable/colorado branch

These patches should be cherry picked to colorado branch:
https://gerrit.opnfv.org/gerrit/#/c/20077/
https://gerrit.opnfv.org/gerrit/#/c/20635/
https://gerrit.opnfv.org/gerrit/#/c/19833/
https://gerrit.opnfv.org/gerrit/#/c/19587/

But because the structure of the folder was changed in
https://gerrit.opnfv.org/gerrit/#/c/19833/
cherry pick using gerrit will lead to merge conflict, has to update the
colorado branch through this patch.

Change-Id: I971eb28520b47b14de52a761269518b959c6921c
Signed-off-by: joehuang
---
 .../multisite.configuration.rst | 110 +++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 docs/installationprocedure/multisite.configuration.rst

(limited to 'docs/installationprocedure/multisite.configuration.rst')

diff --git a/docs/installationprocedure/multisite.configuration.rst b/docs/installationprocedure/multisite.configuration.rst
new file mode 100644
index 0000000..c005e8d
--- /dev/null
+++ b/docs/installationprocedure/multisite.configuration.rst
@@ -0,0 +1,110 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +============================= +Multisite configuration guide +============================= + +Multisite identity service management +===================================== + +Goal +---- + +A user should, using a single authentication point be able to manage virtual +resources spread over multiple OpenStack regions. + +Before you read +--------------- + +This chapter does not intend to cover all configuration of KeyStone and other +OpenStack services to work together with KeyStone. + +This chapter focuses only on the configuration part should be taken into +account in multi-site scenario. + +Please read the configuration documentation related to identity management +of OpenStack for all configuration items. + +http://docs.openstack.org/liberty/config-reference/content/ch_configuring-openstack-identity.html + +How to configure the database cluster for synchronization or asynchrounous +repliation in multi-site scenario is out of scope of this document. The only +remainder is that for the synchronization or replication, only Keystone +database is required. If you are using MySQL, you can configure like this: + +In the master: + + .. code-block:: bash + + binlog-do-db=keystone + +In the slave: + + .. code-block:: bash + + replicate-do-db=keystone + + +Deployment options +------------------ + +For each detail description of each deployment option, please refer to the +admin-user-guide. + +- Distributed KeyStone service with PKI token + + In KeyStone configuration file, PKI token format should be configured + + .. code-block:: bash + + provider = pki + + or + + .. code-block:: bash + + provider = pkiz + + In the [keystone_authtoken] section of each OpenStack service configuration + file in each site, configure the identity_url and auth_uri to the address + of KeyStone service + + .. 
code-block:: bash + + identity_uri = https://keystone.your.com:35357/ + auth_uri = http://keystone.your.com:5000/v2.0 + + It's better to use domain name for the KeyStone service, but not to use IP + address directly, especially if you deployed KeyStone service in at least + two sites for site level high availability. + +- Distributed KeyStone service with Fernet token +- Distributed KeyStone service with Fernet token + Async replication ( + star-mode). + + In these two deployment options, the token validation is planned to be done + in local site. + + In KeyStone configuration file, Fernet token format should be configured + + .. code-block:: bash + + provider = fernet + + In the [keystone_authtoken] section of each OpenStack service configuration + file in each site, configure the identity_url and auth_uri to the address + of local KeyStone service + + .. code-block:: bash + + identity_uri = https://local-keystone.your.com:35357/ + auth_uri = http://local-keystone.your.com:5000/v2.0 + + and especially, configure the region_name to your local region name, for + example, if you are configuring services in RegionOne, and there is local + KeyStone service in RegionOne, then + + .. code-block:: bash + + region_name = RegionOne -- cgit 1.2.3-korg
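Review bot: both `[keystone_authtoken]` examples in this hunk mix transports, `identity_uri = https://keystone.your.com:35357/` next to `auth_uri = http://keystone.your.com:5000/v2.0` (and the same pair for `local-keystone.your.com`); `auth_uri` is the endpoint clients are sent to for authentication, so for a guide whose whole point is services reaching Keystone across sites it should also be `https://`, or the text should say explicitly that plain HTTP is only for a lab. The prose in the same hunk says "configure the identity_url and auth_uri" while the config key shown is `identity_uri`; please align the wording with the key. Smaller points: the config fragments (`provider = pki`, `binlog-do-db=keystone`, `region_name = RegionOne`) are INI-style keys, not shell, so `.. code-block:: ini` would render and read more accurately than `bash`; and the "Before you read" section has "asynchrounous repliation" for "asynchronous replication", "The only remainder is" for "The only reminder is", and "the configuration part should be taken into account" is missing "that".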