Keystone middleware usage Configuration

Source: Internet
Author: User

When Keystone is used as the uniform identity authentication server for the other OpenStack services, the Keystone middleware, keystonemiddleware, must be deployed. The middleware intercepts user requests to each service and verifies the user's token; depending on the result it rejects the request or passes it on to the next middleware.

Some OpenStack services have their own authentication methods, so to use a uniform authentication method you must configure keystonemiddleware correctly.

This article describes how to configure and use keystonemiddleware.

  

1. First, set the following two filters (usually built in) in each service's paste.ini file:

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory

 

2. Next, place the authtoken and keystonecontext middleware defined in step 1 at the appropriate position in the target pipeline; this completes the changes to the paste.ini file. The settings that belong in the [keystone_authtoken] section of the .conf file could in fact also be written into the [filter:authtoken] section, but that bloats the paste.ini file, so we keep the detailed configuration of the specific driver in the .conf file and leave paste.ini concise and clear.

The object storage service Swift has no paste.ini configuration file of its own, but that does not matter: the filter declaration and its specific configuration can be written into Swift's .conf configuration file.

 

3. Set the following in each service's .conf file:

[DEFAULT]
...
auth_strategy = keystone
...

[keystone_authtoken]
auth_port = 35357
auth_host = 127.0.0.1
admin_user = admin
admin_password = keystone123

Note that these settings can be placed in either of the two configuration files, but the settings in the paste.ini file take priority: once a key is set there, the value in the .conf file is overridden.
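The two checks a reviewer makes after steps 1 to 3 are that the pipeline order is right (authtoken before keystonecontext, application last) and that the precedence rule above produces the settings you expect. The script below does both; it is an added example, not code from the article or from the keystonemiddleware project, and the two INI fragments, the host name keystone.internal.example and the pipeline name are constructed for illustration.

```python
"""Audit a service's paste.ini pipeline and compute the effective
[keystone_authtoken] settings. Added example (not from the article or the
keystonemiddleware project); both INI fragments below are constructed."""
import configparser

# Constructed paste.ini fragment: the two filters from step 1 plus one
# pipeline. The filter section deliberately carries auth_host so that the
# precedence rule (paste.ini overrides .conf) is visible in the result.
PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_host = keystone.internal.example

[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory

[pipeline:openstack_compute_api_v2]
pipeline = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
"""

# Constructed nova.conf fragment matching step 3 of the article.
SERVICE_CONF = """
[DEFAULT]
auth_strategy = keystone

[keystone_authtoken]
auth_port = 35357
auth_host = 127.0.0.1
admin_user = admin
admin_password = keystone123
"""


def load_ini(text):
    # Treat [DEFAULT] as an ordinary section so its keys do not leak into
    # every other section, and disable %-interpolation (passwords may
    # contain '%').
    cp = configparser.ConfigParser(interpolation=None,
                                   default_section="__no_defaults__")
    cp.read_string(text)
    return cp


def check_pipeline(paste, pipeline_name, app_name):
    """Return the ordering problems found in one pipeline ([] if none).

    authtoken must run before keystonecontext (the context filter reads the
    identity headers that authtoken sets), and the application comes last."""
    problems = []
    section = f"pipeline:{pipeline_name}"
    if not paste.has_section(section):
        return [f"no section [{section}]"]
    stages = paste.get(section, "pipeline").split()
    for required in ("authtoken", "keystonecontext"):
        if required not in stages:
            problems.append(f"{required} missing from pipeline")
    if not problems and stages.index("authtoken") > stages.index("keystonecontext"):
        problems.append("authtoken must be placed before keystonecontext")
    if not stages or stages[-1] != app_name:
        problems.append(f"pipeline must end with the application {app_name}")
    return problems


def effective_authtoken(paste, conf):
    """Merge the two files as the article describes: [keystone_authtoken]
    in the .conf file is the base, and any key present in the paste.ini
    [filter:authtoken] section overrides it."""
    merged = {}
    if conf.has_section("keystone_authtoken"):
        merged.update(conf.items("keystone_authtoken"))
    for key, value in paste.items("filter:authtoken"):
        if key != "paste.filter_factory":
            merged[key] = value
    return merged


if __name__ == "__main__":
    paste = load_ini(PASTE_INI)
    conf = load_ini(SERVICE_CONF)
    print("auth_strategy:", conf.get("DEFAULT", "auth_strategy"))
    print("pipeline problems:",
          check_pipeline(paste, "openstack_compute_api_v2", "osapi_compute_app_v2"))
    print("effective [keystone_authtoken]:", effective_authtoken(paste, conf))
```

Run against the constructed files, the pipeline passes and the effective auth_host is the paste.ini value (keystone.internal.example), not the 127.0.0.1 from the .conf file, which is exactly the precedence the note above describes.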

 

The following lists all optional keystonemiddleware configuration items.

1. auth_admin_prefix: prefix prepended to the request path.

2. auth_host: (required) host of the API endpoint that provides the Keystone service.

3. auth_port: (optional, default 35357) port used to validate tokens.

4. auth_protocol: (optional, default https) protocol used to validate tokens.

5. auth_uri: (optional, default auth_protocol://auth_host:auth_port) complete URL of the authentication endpoint.

6. auth_version: version of the admin API to use.

7. delay_auth_decision: (optional, default off) if on, requests with invalid authentication are not rejected; the decision is delegated to the downstream WSGI component.

8. http_connect_timeout: (optional) how long to wait for a request to the Keystone server before it times out.

9. http_request_max_retries: (default 3) number of times a request to the Keystone server is retried.

10. http_handler: (optional) name of a fake http_handler callback to use instead of httplib.HTTPConnection or httplib.HTTPSConnection. Useful for unit tests where the network is not available.

11. admin_token: either this item or all three items below must be specified. Its value must match the administrator token set when Keystone was configured.

12. admin_user, admin_password, admin_tenant_name: if no administrator token is provided, these three items identify a service account that has already been configured in Keystone.

13. certfile: (required if the Keystone server requires a client certificate) the client certificate to present.

14. keyfile: (required if the Keystone server requires a client certificate) the client private key. If certfile also contains the private key, this may be set to the same value as certfile.

15. cafile: (optional) path to the CA file used to verify the HTTPS connection; the system CAs are used by default.

16. insecure: (optional, default false) do not verify the HTTPS connection.

17. signing_dir: (optional) directory for storing files related to PKI tokens.

18. memcached_servers: (optional) memcache server(s) used for caching, if defined.

19. token_cache_time: (default 300 seconds) to avoid excessive requests and validations, the middleware caches the tokens returned by the Keystone server in memcache. This item takes effect only when memcached_servers is defined. Set it to -1 to disable caching completely.

20. cache: (optional) env key for the Swift cache.

21. memcache_security_strategy: (optional) whether cached token data must be authenticated, or authenticated and encrypted. Accepted values are MAC and ENCRYPT: MAC authenticates the cached tokens with HMAC, ENCRYPT encrypts and authenticates them. If the value is neither of these two, or is empty, the middleware raises an error during initialization.

22. memcache_secret_key: (required once memcache_security_strategy is defined) used to derive the keys.

23. memcache_pool_dead_retry: (optional) number of seconds before a memcache server considered "dead" is retried.

24. memcache_pool_maxsize: (optional) maximum number of open connections per memcache server.

25. memcache_pool_socket_timeout: (optional) socket timeout in seconds for connections to the memcache server.

26. memcache_pool_unused_timeout: (optional) number of seconds an unused memcached connection stays open before it is closed.

27. memcache_pool_conn_get_timeout: (optional) how long an operation waits to obtain a memcache client connection from the pool.

28. memcache_use_advanced_pool: (optional) use the advanced (eventlet-safe) memcache client pool. Currently this advanced pool is only available on Python 2.x.

29. include_service_catalog: (optional, default true) whether to set the X-Service-Catalog header. If false, the middleware does not fetch the service catalog during token validation and does not set the X-Service-Catalog header.

30. enforce_token_bind: (default permissive) controls the use and type of token binding. disabled: token binding is not checked. permissive: known binding types are validated and unknown types are ignored. strict: known binding types are validated and tokens with an unknown binding type are rejected. required: token binding of any type is allowed, but a binding must be present. Finally, a named bind method can be given, in which case that method must appear in the token.

31. check_revocations_for_cached: (default false) if true, the revocation list is also checked for cached tokens; this requires PKI tokens to be configured on the Keystone server.

32. hash_algorithms: (default md5) algorithm(s) used to hash PKI tokens. One or more algorithms can be listed as long as Python's standard hashlib.new supports them. Hashes are tried in the order given, so the preferred algorithm should be listed first. During a transition from a less secure algorithm to a safer one this item is usually set to multiple values; once all old tokens have expired, set it back to a single value to improve performance.
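Several of these options interact (auth_protocol and insecure, memcached_servers and memcache_security_strategy, memcache_security_strategy and memcache_secret_key, certfile and keyfile), and the defaults determine the effective auth_uri. The script below resolves a [keystone_authtoken] section against the defaults listed above and reports the combinations a reviewer would question, showing a weak configuration beside a corrected one. It is an added example, not code from the article or the keystonemiddleware project; both INI fragments, the host keystone.internal.example, the addresses and the PLACEHOLDER-* secrets are constructed.

```python
"""Resolve a [keystone_authtoken] section against the defaults in the option
list above and flag questionable settings. Added example (not from the
article or keystonemiddleware); both fragments are constructed and every
secret in them is a placeholder."""
import configparser

# Defaults exactly as stated in the option list above.
DEFAULTS = {"auth_protocol": "https", "auth_port": "35357", "insecure": "false",
            "token_cache_time": "300", "hash_algorithms": "md5",
            "enforce_token_bind": "permissive"}

# Constructed weak configuration: plain HTTP, certificate checks disabled,
# a shared admin_token, and a memcache token cache with no protection.
WEAK_CONF = """
[keystone_authtoken]
auth_host = 127.0.0.1
auth_protocol = http
insecure = true
admin_token = PLACEHOLDER-ADMIN-TOKEN
memcached_servers = 127.0.0.1:11211
"""

# Constructed corrected configuration for the same deployment.
HARDENED_CONF = """
[keystone_authtoken]
auth_host = keystone.internal.example
auth_protocol = https
cafile = /etc/ssl/certs/internal-ca.pem
admin_user = nova
admin_password = PLACEHOLDER-PASSWORD
admin_tenant_name = service
memcached_servers = 10.0.0.5:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = PLACEHOLDER-CACHE-KEY
hash_algorithms = sha256,md5
"""


def parse_section(text, section="keystone_authtoken"):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items(section))


def as_bool(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def resolve(settings):
    """Apply the defaults and derive auth_uri as the option list describes."""
    eff = dict(DEFAULTS)
    eff.update({k.lower(): v.strip() for k, v in settings.items()})
    if "auth_host" not in eff:
        raise ValueError("auth_host is required")
    eff.setdefault("auth_uri", f"{eff['auth_protocol']}://{eff['auth_host']}:{eff['auth_port']}")
    return eff


def lint(settings):
    """Return (code, message) findings for one resolved section."""
    eff = resolve(settings)
    findings = []
    if eff["auth_protocol"].lower() != "https":
        findings.append(("plaintext-auth", "auth_protocol is not https: token validation traffic is unencrypted"))
    if as_bool(eff["insecure"]):
        findings.append(("insecure-tls", "insecure = true disables verification of the keystone HTTPS certificate"))
    if "admin_token" in eff:
        findings.append(("admin-token", "admin_token is one shared secret; prefer the admin_user/admin_password/admin_tenant_name service account"))
    elif not all(k in eff for k in ("admin_user", "admin_password", "admin_tenant_name")):
        findings.append(("no-credentials", "neither admin_token nor a complete service account is configured"))
    if "certfile" in eff and "keyfile" not in eff:
        findings.append(("keyfile-missing", "keyfile is required with certfile (it may equal certfile if that file holds the key)"))
    if "memcache_security_strategy" in eff:
        if eff["memcache_security_strategy"].lower() not in ("mac", "encrypt"):
            findings.append(("bad-strategy", "memcache_security_strategy must be MAC or ENCRYPT; the middleware fails at initialization"))
        elif not eff.get("memcache_secret_key"):
            findings.append(("secret-key-missing", "memcache_secret_key is required once memcache_security_strategy is set"))
    elif "memcached_servers" in eff:
        findings.append(("cache-unprotected", "tokens are cached in memcache without MAC or ENCRYPT protection"))
    algorithms = [a.strip().lower() for a in eff["hash_algorithms"].split(",") if a.strip()]
    if algorithms == ["md5"]:
        findings.append(("md5-only", "hash_algorithms is md5 only; list a stronger algorithm first while old tokens expire"))
    if eff["enforce_token_bind"].lower() == "disabled":
        findings.append(("bind-disabled", "enforce_token_bind = disabled skips all token binding checks"))
    return findings


def finding_codes(conf_text):
    """Sorted finding codes for one configuration text."""
    return sorted(code for code, _ in lint(parse_section(conf_text)))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", finding_codes(text) or "no findings")
        print("   effective auth_uri:", resolve(parse_section(text))["auth_uri"])
```

For the weak fragment the report lists admin-token, cache-unprotected, insecure-tls, md5-only and plaintext-auth; the hardened fragment produces no findings and resolves auth_uri to https://keystone.internal.example:35357 from the defaults alone. The hardened sample keeps md5 as a second hash_algorithms entry only to illustrate the transition period described in item 32.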

  
