Keystone to Keystone (K2K) federation allows multiple OpenStack deployments to share the same identity source. It is useful for cross-region sites where one site is used as the identity source.

A VMware Integrated OpenStack deployment can be configured as an identity provider or service provider for Keystone to Keystone federation. An identity provider provides user authentication services to a service provider.

Procedure

  1. Configure an OpenStack deployment as a Keystone identity provider.
    1. Log in to the Integrated OpenStack Manager web interface as the admin user.
    2. In OpenStack Deployment, click the name of your deployment and open the Manage tab.
    3. On the Identity Federation tab, click Add.
    4. From the Federation type drop-down menu, select K2K.
    5. Enter the required parameters.
      Name: Enter a name for the identity provider.
      Description: Enter a description of the identity provider.
      K2K provider type: Select Keystone as identity provider.
      K2K service provider address: Enter the public OpenStack endpoint of the OpenStack deployment that will act as the service provider (for example, 198.51.100.100).
      K2K service provider CA CERT: Enter the contents of the vio.pem certificate from the OpenStack deployment that will act as the service provider. You can display the contents of the vio.pem file by running the following command on the service provider deployment:

      kubectl -n openstack get secrets certs -o jsonpath='{@.data.vio_certificate}' | base64 --decode
    6. Click OK.
  2. Configure the second OpenStack deployment as a Keystone service provider.
    1. Log in to the Integrated OpenStack Manager web interface as the admin user.
    2. In OpenStack Deployment, click the name of your deployment and open the Manage tab.
    3. On the Identity Federation tab, click Add.
    4. From the Federation type drop-down menu, select K2K.
    5. Enter the required parameters.
      Name: Enter the name of the target identity provider. The value of this field must be the same on both deployments.
      Description: Enter a description of the service provider.
      K2K provider type: Select Keystone as service provider.
      K2K identity provider address: Enter the public OpenStack endpoint of the OpenStack deployment acting as the identity provider (for example, 192.0.2.100).
      K2K identity provider port: Enter the Keystone port number of the OpenStack deployment acting as the identity provider (for example, 5000).

    6. (Optional) You can select Advanced settings > Common advanced settings and enter an OpenStack domain, project, and group into which federated users will be imported.
      Note:
      • If you do not enter a domain, project, or group, the following default values are used:
        • Domain: federated_domain
        • Project: federated_project
        • Group: federated_group
      • Do not enter federated as the domain name. This name is reserved by Keystone.
      • If you provide custom mappings, you must enter all OpenStack domains, projects, and groups that are included in those mappings.
    7. Click OK.
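The two dashboard entries must agree with each other (same Name on both sides, a PEM CA certificate for the service provider, no reserved domain name, and every domain, project and group referenced by a custom mapping entered in the advanced settings). The following pre-flight check is an added example, not part of the VMware Integrated OpenStack documentation or product; the dictionary keys it reads (name, sp_address, sp_ca_cert, idp_address, advanced) are assumed names for the fields described above, and the sample mapping in the test is constructed.

```python
import ipaddress
import ssl

RESERVED_DOMAIN = "federated"  # reserved by Keystone; must not be used as the domain name
DEFAULTS = {"domain": "federated_domain", "project": "federated_project",
            "group": "federated_group"}  # used when the advanced fields are left empty

def effective_settings(advanced):
    """Advanced settings as {kind: [names]}, falling back to the dashboard defaults."""
    return {kind: list(advanced.get(kind) or [default]) for kind, default in DEFAULTS.items()}

def mapping_targets(mapping):
    """Domain/project/group names that a Keystone mapping's 'local' rules assign users to."""
    found = {"domain": set(), "project": set(), "group": set()}
    for rule in mapping.get("rules", []):
        for local in rule.get("local", []):
            if "domain" in local:
                found["domain"].add(local["domain"]["name"])
            if "group" in local:
                found["group"].add(local["group"]["name"])
                found["domain"].add(local["group"]["domain"]["name"])
            for project in local.get("projects", []):
                found["project"].add(project["name"])
    return found

def check_k2k_pair(idp_entry, sp_entry, mapping=None):
    """Return a list of problems found in the two dashboard entries; [] means consistent."""
    problems = []
    if idp_entry["name"] != sp_entry["name"]:
        problems.append("Name differs between the identity provider and service provider entries")
    for label, addr in (("service provider", idp_entry["sp_address"]),
                        ("identity provider", sp_entry["idp_address"])):
        try:
            ipaddress.ip_address(addr)
        except ValueError:  # not an IP literal; accept a plausible hostname only
            if not addr or any(c.isspace() for c in addr):
                problems.append(f"{label} address {addr!r} is not an IP address or hostname")
    try:  # checks PEM framing and base64 only; it does not validate the certificate itself
        ssl.PEM_cert_to_DER_cert(idp_entry["sp_ca_cert"])
    except ValueError:
        problems.append("service provider CA certificate is not a PEM certificate block")
    settings = effective_settings(sp_entry.get("advanced", {}))
    if any(d.lower() == RESERVED_DOMAIN for d in settings["domain"]):
        problems.append("domain 'federated' is reserved by Keystone")
    if mapping:
        for kind, names in mapping_targets(mapping).items():
            missing = sorted(names - set(settings[kind]))
            if missing:
                problems.append(f"mapping references {kind}(s) not entered in settings: {missing}")
    return problems
```

Run it against the values you intend to enter before clicking OK on the second deployment; an empty result means the pair is consistent with the rules stated above.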

Results

Users and groups are federated from the service provider deployment to the identity provider deployment. When you log in to the VMware Integrated OpenStack dashboard on the identity provider deployment, you can select the service provider at the top right of the page. You can then perform actions on the service provider deployment.

Note: When using identity federation, you must access the VMware Integrated OpenStack dashboard over the public OpenStack endpoint. Do not use the private OpenStack endpoint or a controller IP address to log in as a federated user.