openstack
/
keystone
Code Issues Proposed changes

Removed apache-httpd guide from docs 

After addition of installation guides from openstack-manuals,
this doc contains redundant informantion and can be removed.
This commit removes the apache-httpd guide and its references.

Change-Id: Ibffb99538214843500936bf6af843fe01bda2bc3
This commit is contained in:
Samriddhi Jain 2017-06-27 00:15:06 +05:30 committed by Samriddhi
parent 0bc462a8c1
commit 71f714e551
3 changed files with 5 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/source/advanced-topics/external-auth.rst
View File

@ -3,10 +3,10 @@ Using external authentication with Keystone
===========================================
.. _external-auth:
When Keystone is executed in a web server like :doc:`Apache HTTPD
<../getting-started/apache-httpd>`, it is possible to have the web server
also handle authentication. This enables support for additional methods of
authentication that are not provided by the identity store backend and
When Keystone is executed in a web server like Apache HTTPD,
it is possible to have the web server also handle authentication.
This enables support for additional methods of authentication that
are not provided by the identity store backend and
the authentication plugins that Keystone supports.
Having the web server handle authentication is not exclusive, and both
@ -72,8 +72,7 @@ server, that will pass down the authenticated user to Keystone using the
``REMOTE_USER`` environment variable. This user must exist in advance in the
identity backend to get a token from the controller.
To use this method, Keystone should be running on
:doc:`HTTPD <../getting-started/apache-httpd>`.
To use this method, Keystone should be running on HTTPD.
X.509 example
-------------

151
doc/source/getting-started/apache-httpd.rst
View File

@ -1,151 +0,0 @@
..
Copyright 2011-2012 OpenStack Foundation
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
=========================
Running Keystone in HTTPD
=========================
mod_proxy_uwsgi
---------------
The recommended keystone deployment is to have a real web server such as Apache
HTTPD or nginx handle the HTTP connections and proxy requests to an independent
keystone server (or servers) running under a wsgi container such as uwsgi or
gunicorn. The typical deployment will have several applications proxied by the
web server (for example horizon on /dashboard and keystone on /identity,
/identity_admin, port :5000, and :35357). Proxying allows the applications to
be shut down and restarted independently, and a problem in one application
isn't going to affect the web server or other applications. The servers can
easily be run in their own virtualenvs.
The httpd/ directory contains sample files for configuring HTTPD to proxy
requests to keystone servers running under uwsgi.
Copy the `httpd/uwsgi-keystone.conf` sample configuration file to the
appropriate location for your Apache server, on Debian/Ubuntu systems it is::
/etc/apache2/sites-available/uwsgi-keystone.conf
On Red Hat based systems it is::
/etc/httpd/conf.d/uwsgi-keystone.conf
Update the file to match your system configuration. Enable TLS by supplying the
correct certificates.
Enable mod_proxy_uwsgi.
* On Ubuntu the required package is libapache2-mod-proxy-uwsgi; enable using
``sudo a2enmod proxy``, ``sudo a2enmod proxy_uwsgi``.
* On Fedora the required package is mod_proxy_uwsgi; enable by creating a file
``/etc/httpd/conf.modules.d/11-proxy_uwsgi.conf`` containing
``LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so``
Enable the site by creating a symlink from the file in ``sites-available`` to
``sites-enabled``, for example, on Debian/Ubuntu systems
(not required on Red Hat based systems)::
ln -s /etc/apache2/sites-available/uwsgi-keystone.conf /etc/apache2/sites-enabled/
Start or restart HTTPD to pick up the new configuration.
Now configure and start the uwsgi services. Copy the
`httpd/keystone-uwsgi-admin.ini` and `httpd/keystone-uwsgi-public.ini` files to
`/etc/keystone`. Update the files to match your system configuration (for
example, you'll want to set the number of processes and threads for the public
and admin servers).
Start up the keystone servers using uwsgi::
$ sudo pip install uwsgi
$ uwsgi /etc/keystone/keystone-uwsgi-admin.ini
$ uwsgi /etc/keystone/keystone-uwsgi-public.ini
mod_wsgi
--------
.. WARNING::
Running Keystone under HTTPD in this configuration does not support the use
of ``Transfer-Encoding: chunked``. This is due to a limitation with the
WSGI spec and the implementation used by ``mod_wsgi``. It is recommended
that all clients assume Keystone will not support
``Transfer-Encoding: chunked``.
Copy the ``httpd/wsgi-keystone.conf`` sample configuration file to the
appropriate location for your Apache server, on Debian/Ubuntu systems
it is::
/etc/apache2/sites-available/wsgi-keystone.conf
On Red Hat based systems it is::
/etc/httpd/conf.d/wsgi-keystone.conf
Update the file to match your system configuration. Note the following:
* Make sure the correct log directory is used. Some distributions put httpd
server logs in the ``apache2`` directory and some in the ``httpd`` directory.
* Enable TLS by supplying the correct certificates.
Keystone's primary configuration file (``etc/keystone.conf``) and the
PasteDeploy configuration file (``etc/keystone-paste.ini``) must be readable to
HTTPD in one of the default locations described in :doc:`../configuration`.
Configuration file location can be customized using the ``OS_KEYSTONE_CONFIG_DIR``
environment variable: if this is set, the ``keystone.conf`` file will be searched
inside this directory. Arbitrary configuration file locations can be specified
using ``OS_KEYSTONE_CONFIG_FILES`` variable as semicolon separated entries,
representing either configuration directory based relative paths or absolute
paths.
Enable the site by creating a symlink from the file in ``sites-available`` to
``sites-enabled``, for example, on Debian/Ubuntu systems
(not required on Red Hat based systems)::
ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled/
Restart Apache to have it start serving keystone.
Access Control
--------------
If you are running with Linux kernel security module enabled (for example
SELinux or AppArmor) make sure that the file has the appropriate context to
access the linked file.
Keystone Configuration
----------------------
Make sure that when using a token format that requires persistence, you use a
token persistence driver that can be shared between processes. The SQL and
memcached token persistence drivers provided with keystone can be shared
between processes.
For SQL, in ``/etc/keystone/keystone.conf`` set::
[token]
driver = sql
For memcached, in ``/etc/keystone/keystone.conf`` set::
[token]
driver = memcache
All servers that are storing tokens need a shared backend. This means that
either all servers use the same database server or use a common memcached pool.

1
doc/source/getting-started/index.rst
View File

@ -8,7 +8,6 @@ Getting Started
installing.rst
upgrading.rst
performance.rst
apache-httpd.rst
architecture.rst
policy_mapping.rst
community.rst