Skip to content

Latest commit

 

History

History
87 lines (63 loc) · 3.12 KB

2.3-full-openstack-aaa.md

File metadata and controls

87 lines (63 loc) · 3.12 KB

Configuration of full Openstack AAA

Full Openstack AAA is suitable for federations where members assume that each site runs its own identity provider. The discussion below is for Version 3 of the Keystone service used in Openstack clouds. The content of the aaa.conf file for an Openstack site could be the following:

$ cat aaa.conf
# Required
token_generator_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.tokengenerator.openstack.v3.OpenStackTokenGeneratorPlugin

# Required
federation_identity_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.identity.openstack.v3.OpenStackIdentityPlugin

# Required
authentication_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.authentication.openstack.v3.OpenStackAuthenticationPlugin

# Required
authorization_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.authorization.DefaultAuthorizationPlugin

# Required
local_user_credentials_mapper_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.mapper.all2one.OpenStackAllToOneMapper

All authentic users are allowed to execute all operations, and an all-to-one mapping is used to map all federation users to a single local user in the cloud. Alternatively, one can use a one-to-one mapping that uses the all-to-one mapping only when dealing with remote requests, and uses the federation token to issue requests of local users to the underlying cloud. Note that in this case, since the federation token is a valid token in the local cloud, local users need not be restrained to the resources quotas defined for remote users. In this case, the aaa.conf file would look like this:

$ cat aaa.conf
# Required
token_generator_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.tokengenerator.openstack.v3.OpenStackTokenGeneratorPlugin

# Required
federation_identity_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.identity.openstack.v3.OpenStackIdentityPlugin

# Required
authentication_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.authentication.openstack.v3.OpenStackAuthenticationPlugin

# Required
authorization_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.authorization.DefaultAuthorizationPlugin

# Required
local_user_credentials_mapper_plugin_class=org.fogbowcloud.ras.core.plugins.aaa.mapper.one2one.OpenStackOneToOneMapper

Keystone mapper configuration configuration

No matter whether an all-to-one or a one-to-one approach is used for mapping, a single configuration file needs to be edited.

File: aaa-plugins/local-user-credentials-mapper/keystone-v3-mapper.conf

$ cat aaa-plugins/local-user-credentials-mapper/keystone-v3-mapper.conf
# Required
local_token_credentials_domain=

# Required
local_token_credentials_username=

# Required
local_token_credentials_projectname=

# Required
local_token_credentials_password=

Considering the example values assumed in this guide, the content of the keystone-v3-mapper.conf file would be:

$ cat aaa-plugins/keystone-v3-mapper.conf
# Required
local_token_credentials_domain=general

# Required
local_token_credentials_username=fogbow-resources-user

# Required
local_token_credentials_projectname=fogbow-resources

# Required
local_token_credentials_password=userpasswd