=============================
Domain-specific configuration
=============================

The Identity service supports domain-specific Identity drivers.
The drivers allow a domain to have its own LDAP or SQL back end.
By default, domain-specific drivers are disabled.

Domain-specific Identity configuration options can be stored in
domain-specific configuration files, or in the Identity SQL
database using REST API calls.

.. note::

   Storing and managing configuration options in an SQL database was
   experimental in Kilo and was added to the Identity service in the
   Liberty release.

Enable drivers for domain-specific configuration files
------------------------------------------------------

To enable domain-specific drivers, set these options in the
``/etc/keystone/keystone.conf`` file:

.. code-block:: ini

   [identity]
   domain_specific_drivers_enabled = True
   domain_config_dir = /etc/keystone/domains

When you enable domain-specific drivers, Identity looks in the
``domain_config_dir`` directory for configuration files named
``keystone.DOMAIN_NAME.conf``. A domain without a domain-specific
configuration file uses options in the primary configuration file.

Enable drivers for storing configuration options in SQL database
----------------------------------------------------------------

To enable domain-specific drivers, set these options in the
``/etc/keystone/keystone.conf`` file:

.. code-block:: ini

   [identity]
   domain_specific_drivers_enabled = True
   domain_configurations_from_database = True

Any domain-specific configuration options specified through the
Identity v3 API will override domain-specific configuration files in the
``/etc/keystone/domains`` directory.
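
The lookup and precedence rules from the two sections above, as an added example (not part of the keystone documentation or code base): a Python audit that reads ``keystone.conf``, reports whether domain options come from the primary file, per-domain files or the database, and lists files in ``domain_config_dir`` that do not match ``keystone.DOMAIN_NAME.conf``. The function names, the report layout, the world-readable check and the sample tree are assumptions made for illustration.

```python
import configparser
import pathlib
import re
import stat
import tempfile

# Naming rule from the text above: keystone.DOMAIN_NAME.conf
DOMAIN_FILE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")

def audit_domain_config(keystone_conf, default_dir="/etc/keystone/domains"):
    """Report where domain-specific options come from and which files match."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(keystone_conf)
    enabled = cp.getboolean("identity", "domain_specific_drivers_enabled", fallback=False)
    from_db = cp.getboolean("identity", "domain_configurations_from_database", fallback=False)
    conf_dir = pathlib.Path(cp.get("identity", "domain_config_dir", fallback=default_dir))
    report = {"source": "primary", "domains": {}, "unmatched": [], "world_readable": []}
    if not enabled:
        return report  # disabled by default: every domain uses keystone.conf
    # Options set through the Identity v3 API override the files.
    report["source"] = "database" if from_db else "files"
    for path in sorted(conf_dir.iterdir()) if conf_dir.is_dir() else []:
        match = DOMAIN_FILE.match(path.name)
        if not match:
            report["unmatched"].append(path.name)  # not keystone.DOMAIN_NAME.conf
            continue
        report["domains"][match.group("domain")] = str(path)
        # Added hygiene check; assumes the file may hold back-end credentials.
        if path.stat().st_mode & stat.S_IROTH:
            report["world_readable"].append(path.name)
    return report

def demo():
    """Run the audit over a constructed configuration tree."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "domains").mkdir()
    # Constructed sample files; "lab.conf" breaks the naming convention.
    for name, mode in (("keystone.corp.conf", 0o640), ("keystone.lab.conf", 0o644),
                       ("lab.conf", 0o640)):
        sample = root / "domains" / name
        sample.write_text("[identity]\ndriver = ldap\n")
        sample.chmod(mode)
    conf = root / "keystone.conf"
    conf.write_text("[identity]\ndomain_specific_drivers_enabled = True\n"
                    f"domain_config_dir = {root / 'domains'}\n")
    return audit_domain_config(conf)

if __name__ == "__main__":
    print(demo())
```

Files listed under ``unmatched`` do not follow the naming rule, so those domains use the options in the primary configuration file.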

Migrate domain-specific configuration files to the SQL database
---------------------------------------------------------------

You can use the ``keystone-manage`` command to migrate configuration
options in domain-specific configuration files to the SQL database:

.. code-block:: console

   # keystone-manage domain_config_upload --all

To upload options from a specific domain-configuration file, specify the
domain name:

.. code-block:: console

   # keystone-manage domain_config_upload --domain-name DOMAIN_NAME