Skip to content

Latest commit

 

History

History
55 lines (38 loc) · 2.16 KB

keystone-auth.md

File metadata and controls

55 lines (38 loc) · 2.16 KB

Keystone Authentication

An authentication backend for Openstack's Keystone is maintained in this source tree as haas.ext.auth.keystone. This document describes its configuration and usage in detail.

NOTE: The HaaS command line interface only supports the keystone v3 API. The server supports anything supported by keystonemiddleware.

Usage

Once HaaS has been configured to work with Keystone, an administrator must manually add Openstack projects to HaaS before they can access the HaaS API. The HaaS project names must correspond to the Openstack UUIDs. For example, an administrator may execute the command:

haas project_create 00de7c85e594473db7461cdf7367166a

To grant the Openstack project with that UUID access to HaaS.

Note that the plugin recognizes any user with an admin role on any project as a HaaS administrator, similar to the default policy for core Openstack projects. This is true even for projects not that do not exist within HaaS; such projects will not be able to own resources (such as nodes networks, etc), but may perform admin-only operations (such as creating projects).

The HaaS command line interface will look for the same OS_* environment variables used by the Openstack command line tools; these may be set by a user to authenticate when using the CLI.

A script to set these variables correctly can be downloaded from the Openstack web dashboard via "Access & Security."

Configuration

As with any other extension, you must load the extension in haas.cfg:

[extensions]
haas.ext.auth.keystone =

The backend must then be configured to talk to your keystone server. The keystone project maintains documentation on how to do this at:

http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html

Configuring HaaS to talk to Keystone deviates in the following ways:

  • The paste configuration is not used; you can simply ignore the sections that refer to paste.
  • The options that the Keystone documentation puts in the section [keystone_authtoken] should instead be placed in the extension's section in haas.cfg, i.e. [haas.ext.auth.keystone].