README
¶
Openstack Keystone plugin
This is a standalone backend plugin for use with Hashicorp Vault. This plugin provides the functionality to generate users in Openstack Keystone.
Getting Started
This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.
Otherwise, first read this guide on how to get started with Vault.
To learn specifically about how plugins work, see documentation on Vault plugins.
Build
- manually
go get github.com/parnurzeal/gorequest
go get github.com/hashicorp/vault/plugins
go get github.com/hashicorp/go-plugin
go get github.com/fatih/structs
go get github.com/google/gofuzz
go build -o vault_keystone_plugin .
- using build.sh
$ ./build.sh
Plugin binary will be builded in bin directory
Installation
Put the plugin binary into a location of your choice. This directory
will be specified as the plugin_directory
in the Vault config used to start the server.
{
...
"plugin_directory" : "path/to/plugin/directory"
...
}
Start a Vault server with this config file:
$ vault server -config=path/to/config.json ...
- CLI
$ sha256sum vault_keystone_plugin
$ vault write sys/plugins/catalog/vault_keystone_plugin sha_256="<SHA from the previous step>" command="keystone"
$ vault mount -path=keystone -plugin-name=vault_keystone_plugin plugin
- API
$ curl -X PUT VAULT_URL/sys/plugins/catalog/keystone -d '{"sha_256" : "<SHA_256>", "command" : "keystone"}' \
-H 'content-type: application/json' -H "x-vault-token : <VAULT_TOKEN>"
$ curl -X POST VAULT_URL/sys/mounts/keystone \
-d '{"type": "plugin","plugin_name" : "keystone","config": {"default_lease_ttl": 0,"max_lease_ttl": 0,"force_no_cache": false}}' \
-H 'content-type: application/json' -H "x-vault-token : <VAULT_TOKEN>"
$ curl -X POST VAULT_URL/keystone/config/connection \
-d '{"connection_url" : "<KEYSTONE_HOST:KEYSTONE_PORT", "admin_auth_token" : "<AUTH_TOKEN>"}' \
-H 'content-type: application/json' -H "x-vault-token : <VAULT_TOKEN>"
Routes
CLI write / API POST - set connection configuration
Parameters:
connection_url: URL of your Keystone instance, formatted likekeystone_host:portadmin_auth_token: admin user token
keystone/users/{user}
- CLI write / API POST - register new user
- CLI read / API GET - save new user
Parameters:
namedefault_project_id(optional)domain_id(optional)enabled(optional)password(optional)
keystone/users/{user}/credentials/OS-EC2
CLI write / API POST - generate new EC2-style credentials
Parameters:
user_idtenant_id
keystone/groups
CLI write / API POST CLI read / API GET - generate new group
Parameters:
namedescription(optional)domain_id(optional)
keystone/projects
- CLI write / API POST
- CLI read / API GET - generate new project
Parameters:
nameis_domain(optional)description(optional)domain_id(optional)enabled(optional)parent_id(optional)
keystone/domains
CLI write / API POST CLI read / API GET - generate new domain
Parameters:
namedescription(optional)enabled(optional)
keystone/roles
CLI write / API POST CLI read / API GET - generate new role
Parameters:
namedomain_id(optional)
keystone/roles/{role}/groups/{group}/domains/{domain} action="grant"
CLI write / API POST - Assign role to group on domain
Parameters:
domain_idgroup_idrole_id
keystone/roles/{role}/users/{user}/domains/{domain} action="grant"
CLI write / API POST - Assign role to user on domain
Parameters:
domain_iduser_idrole_id
keystone/roles/{role}/groups/{group}/projects/{project} action="grant"
CLI write / API POST - Assign role to group on project
Parameters:
project_idgroup_idrole_id
keystone/roles/{role}/users/{user}/projects/{project} action="grant"
CLI write / API POST - Assign role to user on project
Parameters:
project_iduser_idrole_id
- Groups
- Policies
License
This project is licensed under the BSD-3-Clause license - see the LICENSE.
Documentation
¶
There is no documentation for this package.
Source Files
Directories