[openstack-dev] [keystone][puppet] Federation using ipsilon

Adam Young ayoung at redhat.com
Mon Jun 15 03:24:45 UTC 2015


On 06/13/2015 01:37 PM, Rich Megginson wrote:
> On 06/12/2015 07:30 PM, Adam Young wrote:
>> On 06/12/2015 04:53 PM, Rich Megginson wrote:
>>> I've done a first pass of setting up a puppet module to configure 
>>> Keystone to use ipsilon for federation, using 
>>> https://github.com/richm/puppet-apache-auth-mods, and a version of 
>>> ipsilon-client-install with patches 
>>> https://fedorahosted.org/ipsilon/ticket/141 and 
>>> https://fedorahosted.org/ipsilon/ticket/142, and a heavily modified 
>>> version of the ipa/rdo federation setup scripts - 
>>> https://github.com/richm/rdo-vm-factory.
>>>
>>> I would like some feedback from the Keystone and puppet folks about 
>>> this approach.
>>>
>>> __________________________________________________________________________ 
>>>
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: 
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> I take it this is not WebSSO yet, but only Federation.
>>
>> Around here...
>>
>> https://github.com/richm/puppet-apache-auth-mods/blob/master/manifests/keystone_ipsilon.pp#L64 
>>
>>
>> You would need to have the trusted dashboard, etc.
>
> Right.  In order to do websso, there is some additional setup that 
> needs to be done in the apache conf for the keystone wsgi virtual 
> hosts (which is in the rdo-federation-setup script).  There is also 
> some additional configuration to do to Horizon to enable federated 
> auth and/or websso.
>
>>
>>
>> But I think that is what you intend.
>
> Right.  What I've done so far is only the first step.
It looks good at first blush. I'm trying to get to the point where I
can recreate RDO factory, but on a machine I launch in the Cloud Lab.
I've gotten it as far as allocating a floating IP address:

https://github.com/admiyo/ossipee/


Once I can get through the RDO Factory steps, I'll give it a live test.

>
>> However, without an ECP setup, we really have no way to test it.



