Setup the Keystone Federation Plugin
Create the domain
Create the identity provider
openstack --os-cloud default identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace
Create the mapping for our identity provider
You're also welcome to generate your own mapping to suit your needs; however, if you want to use the example mapping (which is suitable for production) you can.
Example keystone mapping.json file

[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "email": "{1}",
          "domain": {
            "name": "rackspace_cloud_domain"
          }
        }
      },
      {
        "projects": [
          {
            "name": "{2}",
            "domain": {
              "name": "rackspace_cloud_domain"
            },
            "roles": [
              {
                "name": "member"
              },
              {
                "name": "load-balancer_member"
              },
              {
                "name": "heat_stack_user"
              },
              {
                "name": "creator"
              }
            ]
          }
        ]
      }
    ],
    "remote": [
      {
        "type": "RXT_UserName"
      },
      {
        "type": "RXT_Email"
      },
      {
        "type": "RXT_TenantName"
      },
      {
        "type": "RXT_orgPersonType",
        "any_one_of": [
          "admin",
          "default",
          "user-admin",
          "tenant-access"
        ]
      }
    ]
  }
]
The example mapping JSON file can be found within the genestack repository at /opt/genestack/etc/keystone/mapping.json.
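As an added illustration (not code from genestack or Keystone), here is a small Python model of how Keystone evaluates the rule above: the three plain remote entries fill the {0}, {1} and {2} placeholders in order, while the RXT_orgPersonType entry with any_one_of acts only as a gate and contributes no placeholder, so a user whose orgPersonType is not in the list gets no user or project mapped at all. The assertion values used to exercise it are constructed sample data.

```python
# Added example: a simplified model of Keystone's mapping-rule evaluation,
# not the genestack or Keystone code. The rule is the one shown above.
RULE = {
    "local": [
        {"user": {"name": "{0}", "email": "{1}",
                  "domain": {"name": "rackspace_cloud_domain"}}},
        {"projects": [{"name": "{2}",
                       "domain": {"name": "rackspace_cloud_domain"},
                       "roles": [{"name": "member"},
                                 {"name": "load-balancer_member"},
                                 {"name": "heat_stack_user"},
                                 {"name": "creator"}]}]},
    ],
    "remote": [
        {"type": "RXT_UserName"},
        {"type": "RXT_Email"},
        {"type": "RXT_TenantName"},
        {"type": "RXT_orgPersonType",
         "any_one_of": ["admin", "default", "user-admin", "tenant-access"]},
    ],
}


def evaluate_rule(rule, assertion):
    """Render the 'local' section if every remote entry matches, else None.
    Plain remote entries fill {0}, {1}, ... in order; an 'any_one_of' entry
    is only a gate and contributes no placeholder value.
    """
    values = []
    for remote in rule["remote"]:
        asserted = assertion.get(remote["type"])
        if asserted is None:
            return None  # required attribute missing: rule does not match
        if "any_one_of" in remote:
            if asserted not in remote["any_one_of"]:
                return None  # orgPersonType not in the allowed list
            continue
        values.append(asserted)

    def render(node):  # substitute placeholders throughout the local section
        if isinstance(node, dict):
            return {k: render(v) for k, v in node.items()}
        if isinstance(node, list):
            return [render(v) for v in node]
        return node.format(*values) if isinstance(node, str) else node

    return render(rule["local"])
```

Running a candidate mapping through a model like this before registering it with `openstack mapping create` is a cheap way to confirm that users outside the allowed orgPersonType values are rejected rather than silently mapped into the domain.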
Now register the mapping within Keystone
openstack --os-cloud default mapping create --rules /tmp/mapping.json --schema-version 2.0 rackspace_mapping
Create the federation protocol
openstack --os-cloud default federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace
Rackspace Configuration Options
The [rackspace] section can also be used in your keystone.conf to allow you to configure how to anchor on roles.
key | value | default
---|---|---
role_attribute | A string option used as an anchor to discover roles attributed to a given user | os_flex
role_attribute_enforcement | When set true, will limit a user's project to only the discovered GUID for the defined role_attribute | false