Keystone Integration
This guide provides an overview of the steps necessary to prepare your Keystone setup for integration with your SwiftStack environment.
Set up a Keystone environment
Setting up a Keystone environment from scratch is beyond the scope of this guide, but we have a script available to help get a sample setup running quickly.
Add SwiftStack-specific data to a Keystone installation
The most complex part of Keystone is generating the proper data set for services. Please make sure you understand each table and its role within the Keystone database.
Create a Keystone swift service
On the Keystone server, create a service named swift. This is the service that Swift users will authenticate against.
keystone service-create --name=swift --type="object-store" --description="Swift Service"
Create the admin account for the Keystone swift service
Know the admin ROLE
- The admin role should exist in Keystone server already. It will be the admin role based on Keystone's default policy.json file.
- If there is no admin role, one will need to be created.
Create the service TENANT
keystone tenant-create --name=service --description "Service Tenant"
Create the admin USER account
keystone user-create --name=swift --pass=swiftpass --tenant-id $SERVICE_TENANT
Assign admin ROLE to admin USER
keystone user-role-add --user-id $SWIFT_USER --role-id $ADMIN_ROLE --tenant-id $SERVICE_TENANT
Add the service endpoint for the swift service
Keystone's service endpoint creates several URLs (public, admin, internal, etc.) for access to a service. The SwiftStack auth process uses the public URL (publicurl), which should point to Swift's storage URL. Please review Keystone Auth for more information.
$REGION - Use the region defined in your Keystone server
$SWIFT_SERVICE - Use the name you called the swift service
$SWIFT_IP - Use the Cluster API IP address of your SwiftStack cluster
$(tenant_id) - Use the user_id in the response body
keystone endpoint-create --region $REGION --service-id $SWIFT_SERVICE --publicurl "http://$SWIFT_IP/v1/KEY_\$(tenant_id)s" --adminurl "http://$SWIFT_IP/v1" --internalurl "http://$SWIFT_IP/v1/KEY_\$(tenant_id)s"
In the above command we used KEY_ as the prefix for the Swift Keystone accounts. This should match the reseller_prefix set in the Keystone Auth middleware configuration.
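The command above has to be typed carefully: the shell must not expand `$(tenant_id)s` itself, and the prefix baked into the URLs must agree with the `reseller_prefix` in the Keystone Auth middleware, otherwise Keystone hands users a storage URL the proxy maps to a different account namespace (or rejects). The following added example (not part of the SwiftStack guide) builds the three URLs, checks them against a given `reseller_prefix`, and emits an endpoint-create command using single quotes so no `\$` escaping is needed. The `expand_template` helper mirrors how Keystone's templated catalog substitutes `$(tenant_id)s`; that it works the same way internally is an assumption, but the expanded URL matches the guide's sample response. The IP and service id in the test are constructed values.

```python
import re

# Matches catalog template variables such as $(tenant_id)s
TEMPLATE_VAR = re.compile(r"\$\((\w+)\)s")


def endpoint_urls(swift_ip, reseller_prefix="KEY_"):
    """Return the public/admin/internal URLs used by `keystone endpoint-create`.

    The admin URL is account-less (it is used for reseller operations); the
    public and internal URLs carry the account template.
    """
    account_url = "http://%s/v1/%s$(tenant_id)s" % (swift_ip, reseller_prefix)
    return {
        "publicurl": account_url,
        "adminurl": "http://%s/v1" % swift_ip,
        "internalurl": account_url,
    }


def expand_template(url, tenant_id):
    """Expand $(tenant_id)s the way Keystone does when it renders the catalog
    for an authenticated tenant (assumed to match Keystone's substitution)."""
    values = {"tenant_id": tenant_id}
    return TEMPLATE_VAR.sub(lambda m: values[m.group(1)], url)


def prefix_matches_middleware(urls, reseller_prefix):
    """True only if every account-scoped URL starts with the middleware's
    reseller_prefix; a mismatch between Keystone and keystoneauth is the most
    common reason a freshly issued storage URL returns 401/403 on the proxy."""
    for key in ("publicurl", "internalurl"):
        account = urls[key].split("/v1/", 1)[1]
        if not account.startswith(reseller_prefix):
            return False
    return True


def endpoint_create_command(region, service_id, swift_ip, reseller_prefix="KEY_"):
    """Render the CLI invocation; single quotes stop the shell from treating
    $(tenant_id)s as a command substitution."""
    urls = endpoint_urls(swift_ip, reseller_prefix)
    return (
        "keystone endpoint-create --region %s --service-id %s "
        "--publicurl '%s' --adminurl '%s' --internalurl '%s'"
        % (region, service_id, urls["publicurl"], urls["adminurl"], urls["internalurl"])
    )


if __name__ == "__main__":
    # Constructed values: cluster API IP and service id are placeholders.
    urls = endpoint_urls("10.0.0.5")
    print(endpoint_create_command("RegionOne", "SERVICE_ID_PLACEHOLDER", "10.0.0.5"))
    print("prefix ok:", prefix_matches_middleware(urls, "KEY_"))
```

Run `prefix_matches_middleware` with the value actually configured in the Keystone Auth middleware; if it returns False, fix one side before creating users, since every storage URL Keystone issues will otherwise be wrong.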
Add users to the swift service
Each user will have their own tenant.
keystone tenant-create --name=$USER_NAME
keystone user-create --name=$USER_NAME --pass=$USER_PASS --tenant-id=$USER_NAME --email email@example.com --enabled true
Example:
keystone tenant-create --name=jdoe
keystone user-create --name=jdoe --pass=jdpassword --tenant-id=jdoe --email jdoe@example.com --enabled true
Test the Authentication from Keystone
$ curl -d '{"auth":{"passwordCredentials":{"username": \
"$swiftstack", "password": "$password"},"tenantName":"$SS_TENANT"}}' \
-H "Content-type: application/json" http://localhost:5000/v2.0/tokens | python -mjson.tool
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "9fe2ff9ee4384b1894a90878d3e92bab"
            ]
        },
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                        "adminURL": "http://localhost/v1",
                        "id": "498507b170e34d4c8a5a7cc933da00db",
                        "internalURL": "http://localhost/v1/SWIFTSTACK_5c5791c3dca54885a862bbd214587759",
                        "publicURL": "http://$SWIFT_API_ENTRY/v1/SWIFTSTACK_5c5791c3dca54885a862bbd214587759",
                        "region": "RegionOne"
                    }
                ],
                "endpoints_links": [],
                "name": "swift",
                "type": "object-store"
            }
        ],
        "token": {
            "expires": "2013-09-23T09:44:19Z",
            "id": "6a16f3e46d3348dd998ed9a0bebf0a63",
            "issued_at": "2013-09-22T09:44:19.335178",
            "tenant": {
                "description": "SwiftStack-DEV Tenant",
                "enabled": true,
                "id": "5c5791c3dca54885a862bbd214587759",
                "name": "SS"
            }
        },
        "user": {
            "id": "3857a98d704e4ff8bece78f85dadb8a0",
            "name": "swiftstack",
            "roles": [
                {
                    "name": "_member_"
                }
            ],
            "roles_links": [],
            "username": "swiftstack"
        }
    }
}
If the response contains the SwiftStack cluster publicURL and a role from Keystone, Keystone is properly configured. Otherwise, please recheck your Keystone configuration.
Configure the Keystone middleware in SwiftStack
To enable Keystone auth for a SwiftStack cluster, two middleware sections need to be set up: Keystone Auth and Keystone Auth Token.
Verify the Keystone user access to the SwiftStack cluster
Because a user is authenticated by Keystone, the auth_url does not point to the Swift proxy. Instead, the user retrieves the token and storage URL directly from Keystone.
Issue an authentication request to the Keystone service entry point via an API call.
curl -d '{"auth":{"passwordCredentials":{"username": "USER", "password": "PASSWORD"},"tenantName":"TENANT"}}' -H "Content-type: application/json" http://$KEYSTONE_IP:5000/v2.0/tokens | python -mjson.tool
The curl command will return JSON data in the following format:
{
    "publicURL": "http://$SWIFT_API_ENTRY/v1/KEY_5c5791c3dca5462bbd214587759",
    "token": {
        "expires": "2013-09-23T09:44:19Z"
    },
    "id": "6a16f3e46d3348dd998ed9a0c9f0a63"
}
With the publicURL and token, you are now ready to access your Swift account.
curl -v -H "x-auth-token: 6a16f3e46d3348dd998ed9a0bebf0a63" http://$SWIFT_API_ENTRY/v1/KEY_5c5791c3dca54885a862bbd214587759
The response to this command should be a container list of the account.
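Reading the publicURL and token out of the response by eye works for one test; a scripted check is what you want when validating the integration repeatedly, and it should also confirm that the storage URL really belongs to the tenant that was authenticated and uses the expected reseller prefix before the token is sent anywhere. The following added example (not part of the SwiftStack guide) does that with the standard library: it builds the v2.0 auth body shown in the guide, selects the object-store endpoint from the service catalog, cross-checks the account segment of publicURL against `access.token.tenant.id` and the configured prefix, and prepares the `X-Auth-Token` header for the container-list request. `SAMPLE_RESPONSE` is a constructed copy of the guide's sample response with the `KEY_` prefix and `10.0.0.5` standing in for `$SWIFT_API_ENTRY`; `fetch_token` is the only function that touches the network.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed sample, trimmed from the guide's response; ids are the guide's own.
SAMPLE_RESPONSE = json.loads("""
{
  "access": {
    "serviceCatalog": [
      {
        "endpoints": [
          {
            "adminURL": "http://localhost/v1",
            "internalURL": "http://localhost/v1/KEY_5c5791c3dca54885a862bbd214587759",
            "publicURL": "http://10.0.0.5/v1/KEY_5c5791c3dca54885a862bbd214587759",
            "region": "RegionOne"
          }
        ],
        "name": "swift",
        "type": "object-store"
      }
    ],
    "token": {
      "expires": "2013-09-23T09:44:19Z",
      "id": "6a16f3e46d3348dd998ed9a0bebf0a63",
      "tenant": {"id": "5c5791c3dca54885a862bbd214587759", "name": "SS"}
    },
    "user": {"name": "swiftstack", "roles": [{"name": "_member_"}]}
  }
}
""")


def auth_request_body(username, password, tenant_name):
    """The v2.0 passwordCredentials body used by the guide's curl command."""
    return {"auth": {"passwordCredentials": {"username": username, "password": password},
                     "tenantName": tenant_name}}


def storage_endpoint(token_response, reseller_prefix="KEY_", region=None):
    """Return (token_id, publicURL) from a v2.0 token response.

    Raises ValueError when the catalog is ambiguous or the storage URL does not
    name the authenticated tenant's account under the expected reseller prefix,
    so a misconfigured endpoint is caught before the token is used.
    """
    access = token_response["access"]
    token_id = access["token"]["id"]
    tenant_id = access["token"]["tenant"]["id"]

    stores = [s for s in access["serviceCatalog"] if s.get("type") == "object-store"]
    if len(stores) != 1:
        raise ValueError("expected exactly one object-store service, found %d" % len(stores))
    endpoints = [e for e in stores[0]["endpoints"] if region is None or e.get("region") == region]
    if len(endpoints) != 1:
        raise ValueError("expected exactly one object-store endpoint, found %d" % len(endpoints))

    public_url = endpoints[0]["publicURL"]
    account = urlsplit(public_url).path.rstrip("/").rsplit("/", 1)[-1]
    expected = reseller_prefix + tenant_id
    if account != expected:
        raise ValueError("storage URL account %r does not match %r" % (account, expected))
    return token_id, public_url


def storage_headers(token_id):
    """Headers for the follow-up request to the storage URL."""
    return {"X-Auth-Token": token_id}


def fetch_token(keystone_url, username, password, tenant_name):
    """POST to Keystone's /v2.0/tokens and return the parsed JSON (network call)."""
    req = urllib.request.Request(
        keystone_url.rstrip("/") + "/v2.0/tokens",
        data=json.dumps(auth_request_body(username, password, tenant_name)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token_id, url = storage_endpoint(SAMPLE_RESPONSE, reseller_prefix="KEY_")
    print("storage URL:", url)
    print("headers:", storage_headers(token_id))
```

To run it against a real Keystone, replace `SAMPLE_RESPONSE` with `fetch_token("http://$KEYSTONE_IP:5000", "USER", "PASSWORD", "TENANT")` and then issue a GET to the returned URL with `storage_headers(token_id)`; the response is the account's container list, as the guide describes.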