Setup the Keystone Federation Plugin

Create the domain

openstack --os-cloud default domain create rackspace_cloud_domain

Create the identity provider

openstack --os-cloud default identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace

Create the mapping for our identity provider

You're welcome to write your own mapping to suit your needs; however, the example mapping below is suitable for production and can be used as-is.

Example keystone mapping.json file
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{1}",
                    "domain": {
                        "name": "rackspace_cloud_domain"
                    }
                }
            },
            {
                "projects": [
                    {
                        "name": "{2}",
                        "domain": {
                            "name": "rackspace_cloud_domain"
                        },
                        "description": "Project for DDI {3}",
                        "metadata": [
                            {
                                "key": "ddi",
                                "value": "{3}"
                            }
                        ],
                        "tags": [
                            {
                                "project_tag": "{3}"
                            }
                        ],
                        "roles": []
                    }
                ]
            }
        ],
        "remote": [
            {
                "type": "RXT_UserName"
            },
            {
                "type": "RXT_Email"
            },
            {
                "type": "RXT_TenantName"
            },
            {
                "type": "RXT_DomainID"
            },
            {
                "type": "RXT_orgPersonType",
                "any_one_of": [
                    "creator",
                    "member",
                    "reader"
                ]
            }
        ]
    }
]

The example mapping JSON file can be found within the genestack repository at /opt/genestack/etc/keystone/mapping.json.
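To see what the mapping above does to an incoming assertion before registering it, the following added example (not part of Genestack or Keystone) re-implements the core of Keystone's mapping semantics in simplified form: each `remote` entry without `any_one_of` contributes one positional value for the `{n}` placeholders, entries with `any_one_of` act as a filter and contribute no value, a missing attribute fails the rule, and only the first matching rule is used (Keystone itself merges all matching rules). The assertion values and the Python form of the rules are constructed for illustration.

```python
import re

# Constructed sample assertion: attribute types from the page's mapping, invented values.
SAMPLE_ASSERTION = {
    "RXT_UserName": ["alice"],
    "RXT_Email": ["alice@example.test"],
    "RXT_TenantName": ["1234567"],
    "RXT_DomainID": ["1234567"],
    "RXT_orgPersonType": ["member"],
}

# The page's mapping.json reduced to the fields needed here.
RULES = [{
    "local": [
        {"user": {"name": "{0}", "email": "{1}",
                  "domain": {"name": "rackspace_cloud_domain"}}},
        {"projects": [{"name": "{2}", "domain": {"name": "rackspace_cloud_domain"},
                       "description": "Project for DDI {3}", "roles": []}]},
    ],
    "remote": [
        {"type": "RXT_UserName"}, {"type": "RXT_Email"},
        {"type": "RXT_TenantName"}, {"type": "RXT_DomainID"},
        {"type": "RXT_orgPersonType", "any_one_of": ["creator", "member", "reader"]},
    ],
}]


def _direct_maps(remote, assertion):
    """Check every remote requirement; return the positional {n} values or None."""
    values = []
    for req in remote:
        got = assertion.get(req["type"])
        if not got:                      # attribute absent: rule does not match
            return None
        allowed = req.get("any_one_of")
        if allowed is not None:          # filter only; no positional value
            if not any(v in allowed for v in got):
                return None
            continue
        values.append(got[0] if len(got) == 1 else got)
    return values


def _substitute(obj, values):
    """Recursively replace {n} placeholders in strings with direct-map values."""
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: str(values[int(m.group(1))]), obj)
    if isinstance(obj, list):
        return [_substitute(x, values) for x in obj]
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    return obj


def apply_mapping(rules, assertion):
    """Return the local user/projects from the first matching rule, or None."""
    for rule in rules:
        values = _direct_maps(rule["remote"], assertion)
        if values is None:
            continue
        local = {}
        for item in rule["local"]:
            local.update(_substitute(item, values))
        return local
    return None
```

A user whose RXT_orgPersonType is outside the `any_one_of` list, or whose assertion lacks one of the four direct-mapped attributes, gets no local identity at all, which is the behaviour to confirm before pointing real logins at the mapping.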

Creating the creator role

The creator role does not exist by default, but the example mapping references it. If you use the mapping as-is, create the creator role first to prevent authentication errors.

openstack --os-cloud default role create creator

Now register the mapping within Keystone

openstack --os-cloud default mapping create --rules /tmp/mapping.json --schema-version 2.0 rackspace_mapping

Create the federation protocol

openstack --os-cloud default federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace

Rackspace Configuration Options

The [rackspace] section of keystone.conf can also be used to configure how roles are anchored.

| key | value | default |
| --- | --- | --- |
| role_attribute | A string option used as an anchor to discover roles attributed to a given user | os_flex |
| role_attribute_enforcement | When set to true, limits a user's projects to only the discovered GUID for the defined role_attribute | false |