Set up the Keystone Federation Plugin
Create the domain
Create the identity provider

```shell
openstack --os-cloud default identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace
```
Create the mapping for our identity provider
You can write your own mapping to suit your needs, or use the example mapping below, which is suitable for production.
Example keystone mapping.json file
```json
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "email": "{1}",
          "domain": {
            "name": "rackspace_cloud_domain"
          }
        }
      },
      {
        "projects": [
          {
            "name": "{2}",
            "domain": {
              "name": "rackspace_cloud_domain"
            },
            "description": "Project for DDI {3}",
            "metadata": [
              {
                "key": "ddi",
                "value": "{3}"
              }
            ],
            "tags": [
              {
                "project_tag": "{3}"
              }
            ],
            "roles": []
          }
        ]
      }
    ],
    "remote": [
      {
        "type": "RXT_UserName"
      },
      {
        "type": "RXT_Email"
      },
      {
        "type": "RXT_TenantName"
      },
      {
        "type": "RXT_DomainID"
      },
      {
        "type": "RXT_orgPersonType",
        "any_one_of": [
          "creator",
          "member",
          "reader"
        ]
      }
    ]
  }
]
```
The example mapping JSON file can be found within the genestack repository at /opt/genestack/etc/keystone/mapping.json.
Creating the creator role

The creator role does not exist by default, but the example mapping accepts users whose RXT_orgPersonType is creator. Create the creator role before using the mapping as is, otherwise those users will hit authentication errors.
Now register the mapping within Keystone, pointing --rules at wherever you saved your copy of the mapping file:

```shell
openstack --os-cloud default mapping create --rules /tmp/mapping.json --schema-version 2.0 rackspace_mapping
```

Create the federation protocol

```shell
openstack --os-cloud default federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace
```
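To see what the mapping above actually does with an assertion before you register it, here is an added example (not Keystone's own mapping engine and not part of the genestack repository) that emulates the small subset of the schema 2.0 rule language the page's mapping uses: plain `type` entries become the `{N}` placeholders, numbered in order, and `any_one_of` (and its twin `not_any_of`) gate the rule without contributing a placeholder, which is why RXT_orgPersonType is not `{4}`. The sample assertions are constructed, not real Rackspace data. It shows the security-relevant edge cases: a user whose org person type is outside the `any_one_of` list, or an assertion missing one of the four attributes, matches no rule and is rejected rather than landing in a project with no roles.

```python
"""Simplified emulation of how Keystone applies a federation mapping
(schema 2.0) to the attributes asserted by an identity provider.

Added example; this is NOT Keystone's mapping engine.  It implements only
what the mapping on this page uses: plain `type` entries (the {N}
placeholders, numbered in order) and `any_one_of` / `not_any_of` as a gate.
Regex, whitelist/blacklist and group lookups are deliberately left out."""
import json
import re

# The mapping rules from this page, embedded verbatim so the example runs offline.
MAPPING_JSON = r'''
[{"local": [
    {"user": {"name": "{0}", "email": "{1}",
              "domain": {"name": "rackspace_cloud_domain"}}},
    {"projects": [{"name": "{2}", "domain": {"name": "rackspace_cloud_domain"},
                   "description": "Project for DDI {3}",
                   "metadata": [{"key": "ddi", "value": "{3}"}],
                   "tags": [{"project_tag": "{3}"}],
                   "roles": []}]}],
  "remote": [{"type": "RXT_UserName"}, {"type": "RXT_Email"},
             {"type": "RXT_TenantName"}, {"type": "RXT_DomainID"},
             {"type": "RXT_orgPersonType",
              "any_one_of": ["creator", "member", "reader"]}]}]
'''
RULES = json.loads(MAPPING_JSON)

_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def _match_remote(remote_rules, assertion):
    """Return the direct-map values (one per plain `type` entry, in order) if
    every remote entry is satisfied, else None.  Conditional entries
    (any_one_of / not_any_of) gate the rule but add no placeholder."""
    direct = []
    for entry in remote_rules:
        values = assertion.get(entry["type"])
        if values is None:
            return None                      # attribute missing: rule fails
        if isinstance(values, str):
            values = [values]
        if "any_one_of" in entry:
            if not set(values) & set(entry["any_one_of"]):
                return None
        elif "not_any_of" in entry:
            if set(values) & set(entry["not_any_of"]):
                return None
        else:
            direct.append(";".join(values))  # multi-valued attrs joined with ';'
    return direct


def _substitute(node, direct):
    """Recursively replace {N} in every string of a local block."""
    if isinstance(node, str):
        return _PLACEHOLDER.sub(lambda m: direct[int(m.group(1))], node)
    if isinstance(node, list):
        return [_substitute(n, direct) for n in node]
    if isinstance(node, dict):
        return {k: _substitute(v, direct) for k, v in node.items()}
    return node


def apply_mapping(rules, assertion):
    """Merge the 'local' blocks of every rule whose 'remote' side matches.
    Returns None when no rule matches; Keystone rejects the login in that
    case instead of creating a user with no projects."""
    identity = {}
    matched = False
    for rule in rules:
        direct = _match_remote(rule["remote"], assertion)
        if direct is None:
            continue
        matched = True
        for block in rule["local"]:
            for key, value in _substitute(block, direct).items():
                if isinstance(value, list):
                    identity.setdefault(key, []).extend(value)
                else:
                    identity[key] = value
    return identity if matched else None


# Constructed sample assertions (hypothetical values, not real Rackspace data).
ASSERTION_MEMBER = {
    "RXT_UserName": "alice",
    "RXT_Email": "alice@example.com",
    "RXT_TenantName": "alice-tenant",
    "RXT_DomainID": "10001234",
    "RXT_orgPersonType": ["member"],
}
ASSERTION_OTHER_TYPE = dict(ASSERTION_MEMBER, RXT_orgPersonType=["admin"])


if __name__ == "__main__":
    print(json.dumps(apply_mapping(RULES, ASSERTION_MEMBER), indent=2))
    print(apply_mapping(RULES, ASSERTION_OTHER_TYPE))   # None: no rule matched
```

The `any_one_of` list on RXT_orgPersonType is the only authorization gate in this mapping, so if you edit it (or drop it) every federated user the identity provider asserts will be mapped. Run the file directly to see the merged identity for the member assertion and the `None` for the unmatched one.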
Rackspace Configuration Options

The [rackspace] section of keystone.conf can also be used to configure how roles are anchored.

| key | value | default |
|---|---|---|
| role_attribute | A string option used as an anchor to discover roles attributed to a given user | os_flex |
| role_attribute_enforcement | When set to true, limits a user's projects to only the discovered GUID for the defined role_attribute | false |