The local.conf file:

[[local|localrc]]
DATABASE_PASSWORD=secret
ADMIN_PASSWORD=secret
SERVICE_PASSWORD=secret
RABBIT_PASSWORD=secret
IP_VERSION=4
We install DevStack with this configuration.
Log in to Horizon and create a project named sso. Also create a group named sso and make it a member of the sso project.
openstack identity provider create --remote-id https://keycloak.example.ir/realms/Mpaas --domain default sso
openstack mapping create --rules rules.json sso_oidc_mapping
openstack federation protocol create --identity-provider sso --mapping sso_oidc_mapping openid

The value of --remote-id must be exactly the issuer string that mod_auth_openidc places in HTTP_OIDC_ISS (the Keycloak realm URL from the provider metadata); otherwise Keystone cannot match the incoming assertion to this identity provider.
The rules.json file must look like this:
[
  {
    "local": [
      {
        "user": { "name": "{0}" },
        "group": { "name": "sso", "domain": { "name": "default" } }
      }
    ],
    "remote": [
      { "type": "OIDC-preferred_username" }
    ]
  }
]
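To see what this mapping does, here is a small evaluator added to this guide (not part of the original text and not Keystone's own code): it re-implements, in simplified form, how Keystone applies a rule set to the OIDC-* variables that mod_auth_openidc exports, and shows that a login without preferred_username matches no rule. The remote_env dictionaries are constructed sample input.

```python
import json

# The mapping from this guide's rules.json (keystone federation mapping format).
RULES = json.loads("""
[{"local": [{"user": {"name": "{0}"},
             "group": {"name": "sso", "domain": {"name": "default"}}}],
  "remote": [{"type": "OIDC-preferred_username"}]}]
""")


def _render(obj, values):
    """Substitute {0}, {1}, ... in every string leaf of a 'local' entry."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    return obj


def evaluate_mapping(rules, remote_env):
    """Simplified re-implementation of keystone's mapping engine (not its code).

    remote_env holds the variables mod_auth_openidc exports (claims prefixed
    with OIDCClaimPrefix "OIDC-"). Plain remote entries feed {0}, {1}, ...;
    'any_one_of' entries only gate the rule, as in keystone. Returns the user
    and groups of the first matching rule, or None (keystone refuses login).
    """
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = remote_env.get(remote["type"])
            if value is None:
                break  # required attribute absent: this rule does not apply
            if "any_one_of" in remote:
                if value not in remote["any_one_of"]:
                    break
            else:
                values.append(value)
        else:
            user, groups = None, []
            for local in rule["local"]:
                local = _render(local, values)
                user = local.get("user", user)
                if "group" in local:
                    groups.append(local["group"])
            return {"user": user, "groups": groups}
    return None


# Constructed sample of what Apache exports for a Keycloak login of "alice".
SAMPLE_ENV = {"OIDC-preferred_username": "alice", "OIDC-email": "alice@example.ir"}
```

Calling evaluate_mapping(RULES, SAMPLE_ENV) yields the local user alice placed in group sso of domain default, which is exactly the identity Keystone uses to issue the federated token.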
Then add the following to the /etc/keystone/keystone.conf file:
[auth]
methods = external,password,token,mapped,openid

[openid]
remote_id_attribute = HTTP_OIDC_ISS

[federation]
trusted_dashboard = https://iaas.example.ir/api/openstack/skyline/api/v1/websso
remote_id_attribute = HTTP_OIDC_ISS
Next, add the following values to the /opt/stack/horizon/openstack_dashboard/local/local_settings.py file:
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
    ("openid", _("Authenticate Externally")),
)
The /etc/apache2/sites-enabled/horizon.conf file will look like this:
<VirtualHost *:80>
    WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi.py
    WSGIDaemonProcess horizon user=stack group=stack processes=3 threads=10 home=/opt/stack/horizon display-name=%{GROUP}
    WSGIApplicationGroup %{GLOBAL}

    SetEnv APACHE_RUN_USER stack
    SetEnv APACHE_RUN_GROUP stack
    WSGIProcessGroup horizon

    DocumentRoot /opt/stack/horizon/.blackhole/
    Alias /dashboard/media /opt/stack/horizon/openstack_dashboard/static
    Alias /dashboard/static /opt/stack/horizon/static

    RedirectMatch "^/$" "/dashboard/"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /opt/stack/horizon/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 uses mod_authz_host for access control now (instead of "Allow")
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>

    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/horizon_error.log
    LogLevel warn
    CustomLog /var/log/apache2/horizon_access.log combined

    # Configure OIDC
    OIDCSSLValidateServer Off
    OIDCOAuthSSLValidateServer Off
    OIDCCookieSameSite On
    OIDCPKCEMethod "S256"
    OIDCOAuthClientID keystone
    OIDCOAuthClientSecret 9Bnci8fIcspdDh0doMGvDrRze0Dywjcp
    OIDCOAuthVerifyJwksUri https://sso.example.ir/realms/Mpaas/protocol/openid-connect/certs
    OIDCClaimPrefix "OIDC-"
    #OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCRemoteUserClaim preferred_username
    OIDCProviderMetadataURL https://sso.example.ir/realms/Mpaas/.well-known/openid-configuration
    OIDCClientID keystone
    OIDCClientSecret 9Bnci8fIcspdDh0doMGvDrRze0Dywjcp
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://192.168.1.3/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth
    OIDCRedirectURI http://192.168.1.3/identity/v3/auth/OS-FEDERATION/websso
    OIDCRedirectURI http://192.168.1.3/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso

    # For keystone
    <LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
        AuthType oauth20
        Require valid-user
        LogLevel debug
    </LocationMatch>

    # For horizon
    <Location ~ "/identity/v3/auth/OS-FEDERATION/websso/openid">
        AuthType openid-connect
        Require valid-user
        LogLevel debug
    </Location>

    <Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

WSGIPythonHome /opt/stack/data/venv
WSGISocketPrefix /var/run/apache2

Two things to check in this file. The identity provider registered in Keystone above is named sso, while the redirect URIs and the last Location block use identity_providers/myidp; the name in these paths must match the identity provider name, otherwise the websso callback is not protected by mod_auth_openidc and Keystone cannot find the provider. Also, OIDCSSLValidateServer Off and OIDCOAuthSSLValidateServer Off disable TLS certificate verification towards the Keycloak server and are only acceptable in a lab setup; in production use a trusted certificate and remove these lines, and keep this file readable only by root and the Apache user, because it holds the client secret in clear text.
Restart the apache and keystone services, and we are done.