Keystone is another core component that is used by all other OpenStack services. It provides authentication and authorization services. Keystone needs to be installed on a Control Node. Keystone can be made highly available by deploying it on a cluster. You can configure the following parameters of this barclamp:
Algorithm for Token Generation
Set the algorithm used by Keystone to generate the tokens. It is strongly recommended to use PKI, since it will reduce network traffic.
Region Name
Allows you to customize the region name that Crowbar is going to manage.
Default Credentials: Default Tenant
Default Credentials: Regular User/Administrator User Name/Password
User name and password for the regular user and the administrator. Both accounts can be used to log in to the SUSE Cloud Dashboard to manage Keystone users and access.
Figure 6.6: The Keystone Barclamp
SSL Support: Protocol
When sticking with the default value HTTP, public communication will not be encrypted. Choose HTTPS to use SSL for encryption. See Section 2.3, “SSL Encryption” (page 24) for background information and Section 5.4.6, “Enabling SSL (optional)” (page 93) for installation instructions. The following additional configuration options will become available when choosing HTTPS:
Generate (self-signed) certificates
When set to true, self-signed certificates are automatically generated and copied to the correct locations. This setting is for testing purposes only and should never be used in production environments!
SSL Certificate File / SSL (Private) Key File
SSL Certificate is insecure
Set this option to true when using self-signed certificates to disable certificate checks. This setting is for testing purposes only and should never be used in production environments!
Require Client Certificate
Set this option to true when using your own certificate authority (CA) for signing. Having done so, you also need to specify a path to the CA Certificates File. If your certificates are signed by a trusted third party organization, Require Client Certificate should be set to false, since the “official” certificate authorities (CA) are already known by the system.
Figure 6.7: The SSL Dialog
6.5.1 LDAP Authentication with Keystone
By default Keystone uses an SQL database back-end store for authentication. LDAP can be used in addition to the default or as an alternative. Using LDAP requires the Control Node on which Keystone is installed to be able to contact the LDAP server. See Appendix D, The Network Barclamp Template File (page 189) for instructions on how to adjust the network setup.
6.5.1.1 Using LDAP for Authentication
To configure LDAP as an alternative to the SQL database back-end store, you need to open the Keystone barclamp Attribute configuration in Raw mode. Search for the ldap section.
Figure 6.8: The Keystone Barclamp: Raw Mode
Adjust the settings according to your LDAP setup. The default configuration does not include all attributes that can be set—a complete list of options is available in the file /opt/dell/chef/data_bags/crowbar/bc-template-keystone.schema on the Administration Server (search for ldap). There are three types of attribute values: strings (for example, the value for url: "ldap://localhost"), bool (for example, the value for use_dumb_member: false) and integer (for example, the value for page_size: 0). Attribute names and string values always need to be quoted with double quotes; bool and integer values must not be quoted.
IMPORTANT: Using LDAP over SSL (ldaps) is recommended
In a production environment, it is recommended to use LDAP over SSL (ldaps), otherwise passwords will be transferred as plain text.
6.5.1.2 Using Hybrid Authentication
The Hybrid LDAP back-end allows you to create a mixed LDAP/SQL setup. This is especially useful when an existing LDAP server should be used to authenticate cloud users. The system and service users (administrators and operators) needed to set up and manage SUSE Cloud will be managed in the local SQL database. Assignments of users to projects and roles will also be stored in the local database.
In this scenario the LDAP server can be read-only for the SUSE Cloud installation and no schema modifications are required. Therefore managing LDAP users from within SUSE Cloud is not possible and needs to be done using your established tools for LDAP user management. All users that are created with the Keystone command line client or the Horizon Web UI will be stored in the local SQL database.
To configure hybrid authentication, proceed as follows:
1 Open the Keystone barclamp Attribute configuration in Raw mode (see Figure 6.8, “The Keystone Barclamp: Raw Mode” (page 116)).
2 Set the identity and assignment drivers to the hybrid back-end:
    "identity": {
        "driver": "keystone.identity.backends.hybrid.Identity"
    },
    "assignment": {
        "driver": "keystone.assignment.backends.hybrid.Assignment"
    }
3 Adjust the settings in the ldap section according to your LDAP setup. Since the LDAP back-end is only used to acquire information on users (but not on projects and roles), only the user related settings matter here. See the following example of settings that may need to be adjusted:
    "ldap": {
        "url": "ldap://localhost",
        "user": "",
        "password": "",
        "suffix": "cn=example,cn=com",
        "user_tree_dn": "cn=example,cn=com",
        "query_scope": "one",
        "user_id_attribute": "cn",
        "user_enabled_emulation_dn": "",
        "tls_req_cert": "demand",
        "user_attribute_ignore": "tenant_id,tenants",
        "user_objectclass": "inetOrgPerson",
        "user_mail_attribute": "mail",
        "user_filter": "",
        "use_tls": false,
        "user_allow_create": false,
        "user_pass_attribute": "userPassword",
        "user_enabled_attribute": "enabled",
        "user_enabled_default": "True",
        "page_size": 0,
        "tls_cacertdir": "",
        "tls_cacertfile": "",
        "user_enabled_mask": 0,
        "user_allow_update": true,
        "group_allow_update": true,
        "user_enabled_emulation": false,
        "user_name_attribute": "cn"
    }
To access the LDAP server anonymously, leave the values for user and password empty.
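The quoting rules from Section 6.5.1.1 (string values quoted, bool and integer values unquoted) and the hybrid driver settings from Section 6.5.1.2 are easy to get wrong when editing the barclamp in Raw mode, and a mistake there only surfaces when Keystone fails to start. The following checker is an added example written for this page; it is not part of SUSE Cloud or Crowbar. It loads a raw-mode attribute fragment, verifies that the identity and assignment drivers point at the hybrid back-end, checks that every ldap value has the JSON type the documentation prescribes, and flags an LDAP transport that would carry passwords in plain text. The per-key type table and the SQL driver name in the broken sample are assumptions taken from the example values on this page; the full attribute list lives in bc-template-keystone.schema on the Administration Server.

```python
import json

# Expected JSON type per ldap key. Assumption derived from the example
# values in this section, not read from bc-template-keystone.schema.
LDAP_TYPES = {
    "url": str, "user": str, "password": str, "suffix": str,
    "user_tree_dn": str, "query_scope": str, "user_id_attribute": str,
    "user_enabled_emulation_dn": str, "tls_req_cert": str,
    "user_attribute_ignore": str, "user_objectclass": str,
    "user_mail_attribute": str, "user_filter": str,
    "user_pass_attribute": str, "user_enabled_attribute": str,
    "user_enabled_default": str, "tls_cacertdir": str, "tls_cacertfile": str,
    "user_name_attribute": str,
    "use_tls": bool, "user_allow_create": bool, "user_allow_update": bool,
    "group_allow_update": bool, "user_enabled_emulation": bool,
    "page_size": int, "user_enabled_mask": int,
}

# Driver values for the hybrid back-end, as given in step 2 of this section.
HYBRID_DRIVERS = {
    "identity": "keystone.identity.backends.hybrid.Identity",
    "assignment": "keystone.assignment.backends.hybrid.Assignment",
}


def check_keystone_attributes(raw_json):
    """Return a list of problems found in a raw-mode attribute fragment."""
    attrs = json.loads(raw_json)
    problems = []

    # Step 2: both drivers must point at the hybrid back-end.
    for section, driver in HYBRID_DRIVERS.items():
        actual = attrs.get(section, {}).get("driver")
        if actual != driver:
            problems.append("%s driver is %r, expected %r" % (section, actual, driver))

    # Step 3: strings quoted, bool and integer values unquoted. type() is used
    # instead of isinstance() because bool is a subclass of int in Python and a
    # quoted "false" must not be accepted as a bool.
    ldap = attrs.get("ldap", {})
    for key, value in ldap.items():
        expected = LDAP_TYPES.get(key)
        if expected is None:
            if type(value) not in (str, bool, int):
                problems.append("ldap.%s has unsupported type %s"
                                % (key, type(value).__name__))
        elif type(value) is not expected:
            problems.append("ldap.%s must be an unquoted %s, got %s %r"
                            % (key, expected.__name__, type(value).__name__, value))

    # IMPORTANT note of Section 6.5.1.1: plain ldap:// sends passwords in clear.
    # use_tls is assumed to switch a plain ldap:// connection to STARTTLS.
    url = ldap.get("url", "")
    if url.startswith("ldap://") and ldap.get("use_tls") is not True:
        problems.append("ldap.url %r without TLS: passwords would cross the "
                        "network in plain text; use ldaps:// or use_tls: true" % url)
    if ldap.get("tls_req_cert") in ("allow", "never"):
        problems.append("ldap.tls_req_cert %r skips server certificate "
                        "verification" % ldap["tls_req_cert"])
    return problems


# Constructed sample: the hybrid setup from this section with an ldaps:// URL.
HYBRID_OK = json.dumps({
    "identity": {"driver": HYBRID_DRIVERS["identity"]},
    "assignment": {"driver": HYBRID_DRIVERS["assignment"]},
    "ldap": {
        "url": "ldaps://localhost", "user": "", "password": "",
        "suffix": "cn=example,cn=com", "user_tree_dn": "cn=example,cn=com",
        "query_scope": "one", "user_id_attribute": "cn",
        "tls_req_cert": "demand", "user_objectclass": "inetOrgPerson",
        "use_tls": False, "user_allow_create": False, "page_size": 0,
        "user_enabled_mask": 0, "user_allow_update": True,
        "user_name_attribute": "cn",
    },
})

# Constructed sample with three typical mistakes: the identity driver still
# set to the SQL back-end (driver name assumed), quoted bool/integer values,
# and a plain ldap:// URL.
HYBRID_BROKEN = """
{
  "identity": { "driver": "keystone.identity.backends.sql.Identity" },
  "assignment": { "driver": "keystone.assignment.backends.hybrid.Assignment" },
  "ldap": {
    "url": "ldap://localhost",
    "use_tls": "false",
    "page_size": "0",
    "tls_req_cert": "demand"
  }
}
"""

if __name__ == "__main__":
    for name, cfg in (("ok", HYBRID_OK), ("broken", HYBRID_BROKEN)):
        print(name, check_keystone_attributes(cfg) or ["no problems found"])
```

Run it against the JSON you pasted into the Raw mode editor before saving the barclamp; the broken sample reports four problems (wrong identity driver, two quoted values, plain-text LDAP), the first sample none.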
6.5.2 HA Setup for Keystone
Making Keystone highly available requires no special configuration—it is sufficient to deploy it on a cluster.