tripleo-image-elements/elements/keystone
Victor Lowther b1197b3819 Have all os-refresh-config elements use su instead of sudo
Using sudo -u to change users for a command can fail if sudo thinks it needs
a controlling TTY as part of its authentication.  Since this is the default config,
that means that whenever the command is run in an environment that does not have
a TTY (such as from init(1)), sudo will die.

su does not care or check for a controlling TTY, so it will succeed as long as
it is being run by root (which should be the case for all os-refresh-config elements).

Therefore, instead of using sudo -u <username> -- <command> to run commands as other
users, use su -s /bin/bash -c "<command>" <username>

This will allow things to function in the face of a misconfigured sudo as well as
allow commands to run against an account that has been locked out or has a shell
that otherwise restricts what commands can be run.

Change-Id: I5cc518ce42536a09e9f25c6635e191884aaaef92
2015-05-19 16:47:18 -04:00
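As an added example (not code from tripleo-image-elements or from the commit above), the following Python implements the substitution the commit message describes: a helper for an os-refresh-config style script that runs a command as a service account with su -s /bin/bash -c instead of sudo -u, and refuses to proceed unless it is already root. The function names su_argv and run_as are this example's own. The point it adds beyond the message is that -c takes a single string which bash re-parses, so the argument vector has to be shell-quoted before it is handed to su.

```python
"""Run a command as a service account without needing a controlling TTY.

Added example, not code from tripleo-image-elements or from the commit above.
It implements the replacement the commit message recommends,
    su -s /bin/bash -c "<command>" <username>   instead of   sudo -u <username> -- <command>
The helper names (su_argv, run_as) are this example's own.
"""
import os
import pwd
import shlex
import subprocess


def su_argv(user, argv):
    """Build the argument vector for su.

    -s /bin/bash overrides the account's login shell, so an account locked to
    /sbin/nologin or a restricted shell still runs the command.  -c takes ONE
    string that bash re-parses, so argv is shell-quoted with shlex.join: a
    path with spaces stays one argument, and an attacker-influenced value such
    as "x; rm -rf /" cannot become a second command inside the su shell.
    """
    if not argv:
        raise ValueError("empty command")
    return ["su", "-s", "/bin/bash", "-c", shlex.join(argv), user]


def run_as(user, argv, check=True):
    """Run argv as user via su.  The caller must already be root.

    Root is what lets su work without a terminal: su only authenticates when a
    non-root caller switches user, which is the case where it would need a TTY
    to prompt for a password.  sudo, by contrast, can refuse outright when its
    configuration (e.g. requiretty) demands a terminal, which is the failure
    the commit message describes for commands started from init(1).
    """
    if os.geteuid() != 0:
        raise PermissionError("run_as must be called as root")
    pwd.getpwnam(user)  # raises KeyError early if the account does not exist
    return subprocess.run(su_argv(user, argv), check=check)


if __name__ == "__main__":
    print(su_argv("keystone", ["keystone-manage", "db_sync"]))
```

When run as root, run_as("keystone", ["keystone-manage", "db_sync"]) executes whether or not a TTY is attached and whether or not the keystone account has a usable login shell; the quoting in su_argv is what keeps a filename with spaces, or a value containing ';', from being split into extra commands by the bash that su starts.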
cleanup.d Remove /opt/stack/{repo} files 2015-02-03 09:50:31 +00:00
environment.d Wire in _EXTRA_INSTALL_OPTS... 2014-04-19 08:08:45 -04:00
install.d Add openstack-keystone to pkg-map 2015-04-23 09:32:21 +09:00
os-apply-config Check stunnel.connect_host not stunnel.connect_ip 2014-11-13 09:34:31 +00:00
os-refresh-config Have all os-refresh-config elements use su instead of sudo 2015-05-19 16:47:18 -04:00
README.md Correct the README.md descriptions 2014-10-31 16:30:58 -04:00
cleanup-keystone-tokens.sh Migrate keystone to svc-map 2014-11-20 14:12:12 -05:00
element-deps Reserve the keystone high port out of ephemeral 2014-07-25 13:39:08 -04:00
keystone.crontab keystone crontab PATH needs /usr/local/bin 2014-02-07 13:31:53 -08:00
pkg-map Add openstack-keystone to pkg-map 2015-04-23 09:32:21 +09:00
source-repository-keystone Use openstack git repos when possible 2013-11-15 10:48:11 +02:00
svc-map Migrate keystone to svc-map 2014-11-20 14:12:12 -05:00

README.md

Install and configure Keystone.

Upon booting the image, the service should be running on port 5000.

Configuration

The default template for /etc/keystone/keystone.conf contains only a minimal set of configuration parameters; their values are expected to be passed in through Heat Metadata. For example, the keystone.db key is required and supplies the MySQL connection string:

keystone:
  db: "mysql://keyuser:keypass@localhost/keystone"

All other customizations to /etc/keystone/keystone.conf are expected to be made through the passthrough configuration feature.

An additional configuration file, /etc/keystone/domains/keystone.ldap.conf, is also maintained to hold the domain-specific configuration for LDAP. It is populated through the same passthrough configuration feature, using the "keystone_ldap" key. Here is sample content for the ExtraConfig Heat Metadata parameter:

{
    "keystone": {
        "config": [
            {
                "section": "identity",
                "values": [
                    {
                        "option": "domain_specific_drivers_enabled",
                        "value": "True"
                    },
                    {
                        "option": "domain_config_dir",
                        "value": "/etc/keystone/domains"
                    }
                ]
            }
        ]
    },
    "keystone_ldap": {
        "config": [
            {
                "section": "identity",
                "values": [
                    {
                        "option": "driver",
                        "value": "keystone.identity.backends.ldap.Identity"
                    }
                ]
            },
            {
                "section": "assignment",
                "values": [
                    {
                        "option": "driver",
                        "value": "keystone.assignment.backends.sql.Assignment"
                    }
                ]
            },
            {
                "section": "ldap",
                "values": [
                    {
                        "option": "url",
                        "value": "ldap://ldap.example.com"
                    },
                    {
                        "option": "suffix",
                        "value": "dc=example,dc=com"
                    },
                    . . .
                ]
            }
        ]
    }
}
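The following is an added example, not the element's own templating code, showing how the keystone.db key and the passthrough metadata above turn into the two files this README names. It assumes the list shape shown ({"section": ..., "values": [{"option": ..., "value": ...}]}) and, as an assumption, that the keystone.db key fills [database] connection in keystone.conf. Because both files carry credentials (the MySQL password in the connection string, and usually an LDAP bind password under [ldap]), the writer refuses any world-accessible mode and replaces the file atomically. The sample metadata is constructed from the README, with the elided LDAP options left out.

```python
"""Render TripleO-style passthrough metadata into Keystone's INI files.

Added example, not the element's own templating code.  Assumes the list shape
shown in the README and, as an assumption, that keystone.db becomes
[database] connection.  Both files carry credentials, so they are written
atomically and never with a world-accessible mode.
"""
import configparser
import io
import os
import stat
import tempfile

# Constructed sample: the README's ExtraConfig metadata plus the keystone.db
# key; the LDAP options elided in the README are simply left out.
SAMPLE_METADATA = {
    "keystone": {
        "db": "mysql://keyuser:keypass@localhost/keystone",
        "config": [
            {"section": "identity", "values": [
                {"option": "domain_specific_drivers_enabled", "value": "True"},
                {"option": "domain_config_dir", "value": "/etc/keystone/domains"},
            ]},
        ],
    },
    "keystone_ldap": {
        "config": [
            {"section": "identity", "values": [
                {"option": "driver", "value": "keystone.identity.backends.ldap.Identity"},
            ]},
            {"section": "assignment", "values": [
                {"option": "driver", "value": "keystone.assignment.backends.sql.Assignment"},
            ]},
            {"section": "ldap", "values": [
                {"option": "url", "value": "ldap://ldap.example.com"},
                {"option": "suffix", "value": "dc=example,dc=com"},
            ]},
        ],
    },
}

def render_passthrough(config, base=""):
    """Return INI text: the 'base' INI first, then every section/option in config."""
    parser = configparser.RawConfigParser()  # Raw: no %-interpolation of values
    parser.optionxform = str                 # keep option names exactly as given
    parser.read_string(base)
    for entry in config:
        section = entry["section"]
        if section != parser.default_section and not parser.has_section(section):
            parser.add_section(section)
        for item in entry["values"]:
            if not isinstance(item["value"], str):
                raise TypeError(f"[{section}] {item['option']}: value must be a string")
            parser.set(section, item["option"], item["value"])
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()

def render_keystone_conf(metadata):
    """keystone.conf: the db key (assumed to map to [database] connection), then passthrough."""
    ks = metadata["keystone"]
    return render_passthrough(ks.get("config", []), f"[database]\nconnection = {ks['db']}\n")

def render_ldap_conf(metadata):
    """domains/keystone.ldap.conf is built from the keystone_ldap key only."""
    return render_passthrough(metadata.get("keystone_ldap", {}).get("config", []))

def write_private(path, text, mode=0o640):
    """Atomically replace path with text under mode; return the mode actually set.

    Ownership (root:keystone) is left to the caller; this only guards the bits.
    """
    if mode & stat.S_IRWXO:
        raise ValueError(f"{path}: a credentials file must not be world-accessible")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".keystone-conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)

def render_all(target_dir=None):
    """Write both files under target_dir (a fresh temp dir by default); return their modes."""
    target_dir = target_dir or tempfile.mkdtemp()
    os.makedirs(os.path.join(target_dir, "domains"), exist_ok=True)
    return {
        "keystone.conf": write_private(os.path.join(target_dir, "keystone.conf"),
                                       render_keystone_conf(SAMPLE_METADATA)),
        "domains/keystone.ldap.conf": write_private(
            os.path.join(target_dir, "domains", "keystone.ldap.conf"),
            render_ldap_conf(SAMPLE_METADATA)),
    }

if __name__ == "__main__":
    print(render_keystone_conf(SAMPLE_METADATA))
    print(render_ldap_conf(SAMPLE_METADATA))
    print(render_all())
```

RawConfigParser is used deliberately: the interpolating ConfigParser would treat a '%' in a password or LDAP filter as a substitution and fail, and a renderer that silently rewrote credentials would be worse than one that rejects them.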

NOTE: Token cleanup will cause poor performance until the upstream bug (https://bugs.launchpad.net/keystone/+bug/1188378) is fixed. The problem is mitigated on distributions (Ubuntu, RHEL, CentOS) where percona-toolkit is supported, since it is used there to clean out the token table on MySQL; see http://www.percona.com/mysql-support/policies/percona-toolkit-supported-platforms-and-versions for the supported platforms.