summaryrefslogtreecommitdiffstats
path: root/docs/configguide/multisite-configuration-guide.rst
blob: 8e0c190a9eee7ba85ff0ef3df74fea66ff838d58 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

=============================
Multisite configuration guide
=============================

Multisite identity service management
=====================================

Goal
----

a user should, using a single authentication point be able to manage virtual
resources spread over multiple OpenStack regions.

Before you read
---------------

This chapter does not intend to cover all configuration of KeyStone and other
OpenStack services to work together with KeyStone.

This chapter focuses only on the configuration part should be taken into
account in multi-site scenario.

Please read the configuration documentation related to identity management
of OpenStack for all configuration items.

http://docs.openstack.org/liberty/config-reference/content/ch_configuring-openstack-identity.html

How to configure the database cluster for synchronization or asynchrounous
repliation in multi-site scenario is out of scope of this document. The only
remainder is that for the synchronization or replication, only Keystone
database is required. If you are using MySQL, you can configure like this:

In the master:

   .. code-block:: bash

      binlog-do-db=keystone

In the slave:

   .. code-block:: bash

      replicate-do-db=keystone


Deployment options
------------------

For each detail description of each deployment option, please refer to the
admin-user-guide.

-  Distributed KeyStone service with PKI token

   In KeyStone configuration file, PKI token format should be configured

   .. code-block:: bash

      provider = pki

   or

   .. code-block:: bash

      provider = pkiz

   In the [keystone_authtoken] section of each OpenStack service configuration
   file in each site, configure the identity_url and auth_uri to the address
   of KeyStone service

   .. code-block:: bash

      identity_uri = https://keystone.your.com:35357/
      auth_uri = http://keystone.your.com:5000/v2.0

   It's better to use domain name for the KeyStone service, but not to use IP
   address directly, especially if you deployed KeyStone service in at least
   two sites for site level high availability.

-  Distributed KeyStone service with Fernet token
-  Distributed KeyStone service with Fernet token + Async replication (
   star-mode).

   In these two deployment options, the token validation is planned to be done
   in local site.

   In KeyStone configuration file, Fernet token format should be configured

   .. code-block:: bash

      provider = fernet

   In the [keystone_authtoken] section of each OpenStack service configuration
   file in each site, configure the identity_url and auth_uri to the address
   of local KeyStone service

   .. code-block:: bash

      identity_uri = https://local-keystone.your.com:35357/
      auth_uri = http://local-keystone.your.com:5000/v2.0

   and especially, configure the region_name to your local region name, for
   example, if you are configuring services in RegionOne, and there is local
   KeyStone service in RegionOne, then

   .. code-block:: bash

      region_name = RegionOne