5.4 KiB
Configuring Keystone
Identity sources
One of the most impactful decisions you'll have to make when configuring keystone is deciding how you want keystone to source your identity data. Keystone supports several different choices that will substantially impact how you'll configure, deploy, and interact with keystone.
You can also mix-and-match various sources of identity (see Domain-specific Configuration for an example). For example, you can store OpenStack service users and their passwords in SQL, manage customers in LDAP, and authenticate employees via SAML federation.
Public ID Generators
Keystone supports a customizable public ID generator and it is
specified in the [identity_mapping] section of the
configuration file. Keystone provides a sha256 generator as default,
which produces regenerable public IDs. The generator algorithm for
public IDs is a balance between key size (i.e. the length of the public
ID), the probability of collision and, in some circumstances, the
security of the public ID. The maximum length of public ID supported by
keystone is 64 characters, and the default generator (sha256) uses this
full capability. Since the public ID is what is exposed externally by
keystone and potentially stored in external systems, some installations
may wish to make use of other generator algorithms that have a different
trade-off of attributes. A different generator can be installed by
configuring the following property:
generator- identity mapping generator. Defaults tosha256(implemented bykeystone.identity.id_generators.sha256.Generator)
Warning
Changing the generator may cause all existing public IDs to be become invalid, so typically the generator selection should be considered immutable for a given installation.
SSL
A secure deployment should have keystone running in a web server (such as Apache httpd), or behind an SSL terminator.
Limiting list return size
Keystone provides a method of setting a limit to the number of
entities returned in a collection, which is useful to prevent overly
long response times for list queries that have not specified a
sufficiently narrow filter. This limit can be set globally by setting
list_limit in the default section of
keystone.conf, with no limit set by default. Individual
driver sections may override this global value with a specific limit,
for example:
[resource]
list_limit = 100If a response to list_{entity} call has been truncated,
then the response status code will still be 200 (OK), but the
truncated attribute in the collection will be set to
true.
Supported clients
There are two supported clients, python-keystoneclient project provides python bindings and python-openstackclient provides a command line interface.
Authenticating with a Password via CLI
To authenticate with keystone using a password and
python-openstackclient, set the following flags, note that
the following user referenced below should be granted the
admin role.
--os-username OS_USERNAME: Name of your user--os-password OS_PASSWORD: Password for your user--os-project-name OS_PROJECT_NAME: Name of your project--os-auth-url OS_AUTH_URL: URL of the keystone authentication server
You can also set these variables in your environment so that they do not need to be passed as arguments each time:
$ export OS_USERNAME=my_username
$ export OS_PASSWORD=my_password
$ export OS_PROJECT_NAME=my_project
$ export OS_AUTH_URL=http://localhost:5000/v3For example, the commands user list,
token issue and project create can be invoked
as follows:
# Using password authentication, with environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secret
$ export OS_PROJECT_NAME=admin
$ export OS_AUTH_URL=http://localhost:5000/v3
$ openstack user list
$ openstack project create demo
$ openstack token issue
# Using password authentication, with flags
$ openstack --os-username=admin --os-password=secret --os-project-name=admin --os-auth-url=http://localhost:5000/v3 user list
$ openstack --os-username=admin --os-password=secret --os-project-name=admin --os-auth-url=http://localhost:5000/v3 project create demo