.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

Multisite identity service management
=====================================

Goal
----

A user should, using a single authentication point, be able to manage virtual
resources spread over multiple OpenStack regions.

Before you read
---------------

This chapter does not intend to cover all configuration of Keystone and of the
other OpenStack services that work together with Keystone.
This chapter focuses only on the configuration items that must be taken into
account in a multi-site scenario.
Please read the identity management configuration documentation of OpenStack
for all configuration items:
http://docs.openstack.org/liberty/config-reference/content/ch_configuring-openstack-identity.html
How to configure the database cluster for synchronization or asynchronous
replication in a multi-site scenario is out of scope of this document. The only
reminder is that, for the synchronization or replication, only the Keystone
database is required. If you are using MySQL, you can configure it like this:

In the master:

.. code-block:: bash

   binlog-do-db=keystone

In the slave:

.. code-block:: bash

   replicate-do-db=keystone
Deployment options
------------------

For a detailed description of each deployment option, please refer to the
admin-user-guide.

- Distributed Keystone service with PKI token

In the Keystone configuration file, the PKI token format should be configured:

.. code-block:: bash

   provider = pki

or

.. code-block:: bash

   provider = pkiz

In the [keystone_authtoken] section of each OpenStack service configuration
file in each site, configure identity_uri and auth_uri to the address of the
Keystone service:

.. code-block:: bash

   identity_uri = https://keystone.your.com:35357/
   auth_uri = http://keystone.your.com:5000/v2.0

It is better to use a domain name for the Keystone service rather than an IP
address directly, especially if you have deployed the Keystone service in at
least two sites for site-level high availability.
- Distributed Keystone service with Fernet token
- Distributed Keystone service with Fernet token + async replication
  (star-mode)

In these two deployment options, token validation is planned to be done in
the local site.
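Local validation only works because Fernet keys are symmetric and every Keystone node that validates tokens holds the same key repository as the node that issued them; if replication of the key repository lags or fails at one site, tokens issued elsewhere are rejected there. The following is an added example, not part of this chapter or of Keystone: it models that property with an HMAC-SHA256 stand-in for the real Fernet format. The repository layout (integer-indexed keys, highest index used for signing) mirrors Keystone's fernet-keys directory convention; all keys and identities are constructed for the example.

```python
"""Simplified model of local token validation with a replicated key repository.

Added example, not part of the chapter or of Keystone: Fernet tokens are
symmetric, so a site can only validate locally the tokens signed with a key it
holds. This stand-in uses HMAC-SHA256 instead of the real Fernet format; the
repository layout (integer-indexed keys, highest index is the signing key)
follows Keystone's /etc/keystone/fernet-keys/ convention. All keys are
constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the payload


class KeyRepository:
    """Map of key index -> key bytes, one instance per Keystone site."""

    def __init__(self, keys):
        self.keys = dict(keys)

    def primary(self):
        """Keystone signs with the highest-numbered key; older keys stay
        only so tokens issued before a rotation still validate."""
        idx = max(self.keys)
        return idx, self.keys[idx]

    def fingerprint(self):
        """Digest of the whole repository; equal digests mean synced sites."""
        h = hashlib.sha256()
        for idx in sorted(self.keys):
            h.update(b"%d:" % idx + self.keys[idx] + b"\n")
        return h.hexdigest()


def issue_token(repo, user_id, project_id, ttl=3600, now=None):
    """Sign a payload with the issuing site's primary key."""
    idx, key = repo.primary()
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"exp": issued + ttl, "k": idx, "p": project_id, "u": user_id},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_token(repo, token, now=None):
    """Return the payload if this site can verify the token, else None."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    key = repo.keys.get(data.get("k"))
    if key is None:
        return None  # key index never replicated to this site
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered payload or a different key under that index
    if data["exp"] < (time.time() if now is None else now):
        return None  # expired
    return data


def demo():
    """Show which sites accept a token issued in RegionOne."""
    keys = {0: b"constructed-staged-key-0", 1: b"constructed-primary-key-1"}
    region_one = KeyRepository(keys)
    region_two = KeyRepository(keys)            # replication kept it in sync
    region_stale = KeyRepository({0: keys[0]})  # never received key 1
    now = 1_700_000_000
    token = issue_token(region_one, "alice", "proj-a", now=now)
    raw = base64.urlsafe_b64decode(token.encode())
    # Flip one digit of the expiry so the payload stays valid JSON but the
    # authentication tag no longer matches.
    tampered = base64.urlsafe_b64encode(
        raw[:10] + bytes([raw[10] ^ 0x01]) + raw[11:]).decode()
    return {
        "local_ok": validate_token(region_two, token, now=now) is not None,
        "stale_fails": validate_token(region_stale, token, now=now) is None,
        "tampered_fails": validate_token(region_two, tampered, now=now) is None,
        "expired_fails": validate_token(region_two, token, now=now + 7200) is None,
        "repos_in_sync": region_one.fingerprint() == region_two.fingerprint(),
        "stale_differs": region_stale.fingerprint() != region_one.fingerprint(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The fingerprint comparison is the operational takeaway: comparing a digest of each site's key repository after every rotation is a cheap way to detect a site that would silently reject tokens issued elsewhere.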
In the Keystone configuration file, the Fernet token format should be
configured:

.. code-block:: bash

   provider = fernet

In the [keystone_authtoken] section of each OpenStack service configuration
file in each site, configure identity_uri and auth_uri to the address of the
local Keystone service:

.. code-block:: bash

   identity_uri = https://local-keystone.your.com:35357/
   auth_uri = http://local-keystone.your.com:5000/v2.0

and, especially, configure region_name to your local region name. For
example, if you are configuring services in RegionOne, and there is a local
Keystone service in RegionOne, then:

.. code-block:: bash

   region_name = RegionOne
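Because the same [keystone_authtoken] stanza has to be repeated in every service config at every site, a copy-and-paste slip (a region_name left over from another site, or an IP literal instead of the domain name) is easy to make and hard to spot by eye. The following added example, not part of this chapter, audits that section for the points made in both the PKI and the Fernet deployment options above, and goes one step further by also requiring HTTPS on auth_uri as well as identity_uri, which the chapter's sample values do not. The two sample configs are constructed for the example.

```python
"""Audit the [keystone_authtoken] section of an OpenStack service config.

Added example, not part of the chapter: it checks the points made for both
the PKI and the Fernet deployment options (identity_uri and auth_uri point at
Keystone, preferably by DNS name rather than IP literal, and region_name equals
the site's own region) and additionally requires HTTPS on both URIs. The two
sample configs are constructed for the example.
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

SECTION = "keystone_authtoken"


def audit_authtoken(config_text, expected_region=None):
    """Return a list of findings for one service config; [] means it passes.

    expected_region is the region the service itself runs in; pass it for the
    Fernet/local-validation options, where region_name must match the site.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section(SECTION):
        return [f"missing [{SECTION}] section"]
    sec = cp[SECTION]
    findings = []
    for opt in ("identity_uri", "auth_uri"):
        value = sec.get(opt)
        if not value:
            findings.append(f"{opt} is not set")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append(f"{opt} uses '{parts.scheme}' instead of https")
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, as the chapter recommends
        findings.append(f"{opt} points at IP literal {host}; use a domain name")
    if expected_region is not None:
        region = sec.get("region_name")
        if region != expected_region:
            findings.append(
                f"region_name is {region!r}, expected {expected_region!r}")
    return findings


# Constructed sample: a service in RegionOne using its local Keystone.
REGION_ONE_OK = """
[keystone_authtoken]
identity_uri = https://local-keystone.your.com:35357/
auth_uri = https://local-keystone.your.com:5000/v2.0
region_name = RegionOne
"""

# Constructed sample: a service in RegionTwo whose config was copied from
# RegionOne and edited to use raw addresses.
REGION_TWO_BAD = """
[keystone_authtoken]
identity_uri = https://10.0.0.5:35357/
auth_uri = http://10.0.0.5:5000/v2.0
region_name = RegionOne
"""


if __name__ == "__main__":
    for name, text, region in (("RegionOne", REGION_ONE_OK, "RegionOne"),
                               ("RegionTwo", REGION_TWO_BAD, "RegionTwo")):
        print(name, audit_authtoken(text, region) or ["ok"])
```

Run it against the real files by reading each service's config into a string and passing the region that service is deployed in; for the PKI option, where every site talks to the same central Keystone, leave expected_region as None so the region check is skipped.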