This section explains configuration of OpenStack using NSX Advanced Load Balancer cloud connector.
Importing User Accounts from Keystone
Using the NSX Advanced Load Balancer REST API, you can export user roles from Keystone into the Controller and directly map to role names in the Controller. You need not recreate the accounts on the Controller. For instance,
"openstack_configuration": { .... "role_mapping": [ {"os_role": "admin", "avi_role": "Tenant-Admin"}, {"os_role": "_member_", "avi_role": "Tenant-Admin"}, {"os_role": "*", "avi_role": "Application-Operator"} ], .... }
The role_mapping
parameter is an ordered list, where each item specifies how a Keystone role (os_role
) maps to a role in the Controller (avi_role
). You can define a default mapping for any Keystone role by specifying the “ /* ” wildcard for the os_role field. In the above example, roles administrator and member from Keystone are mapped to the Tenant-Admin role in the Controller. Further, any other role from Keystone is mapped to Application-Operator role on the Controller.
In the following example, only the users with role lbaas_project_admin
are allowed to access the Controller:
"openstack_configuration": { .... "role_mapping": [ {"os_role": "lbaas_project_admin", "avi_role": "Tenant-Admin"} ], .... }
Metadata instead of config_drive
for NSX Advanced Load Balancer SEs
In some OpenStack environments, config_drive
support is either absent or not installed properly. Also, under certain conditions, you may not allow NSX Advanced Load Balancer SEs to use config_drive
, as VM can prevent SE migration while configuring.
The NSX Advanced Load Balancer OpenStack configuration option uses metadata instead of config_drive
for SE VMs. You can enable NSX Advanced Load Balancer to use metadata by deactivating config_drive
.
The following is the CLI command to deactivate config_drive
:
: > configure cloud Default-Cloud : cloud> openstack_configuration : cloud:openstack_configuration> no config_drive : cloud:openstack_configuration> save : cloud> save