author Marcin Wilk <marcin.wilk@canonical.com> 2022-04-04 09:37:33 +0000
committer Marcin Wilk <marcin.wilk@canonical.com> 2022-04-25 07:57:30 +0000
commit 3856cbf10d4d19b9d7797d600ef096b0c04aaedb
tree a17417bff8ceda3e43eabb67e29e287bc1f1f19c
parent 65e3e33b6b8be4d1a5b7c85456f3048244e4eb75
Add service_type config info for access rules
The service_type config param is crucial to successfully use application credentials with access rules.

Closes-Bug: #1950464
Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32
-rw-r--r-- doc/source/user/application_credentials.rst 43
1 files changed, 41 insertions, 2 deletions
diff --git a/doc/source/user/application_credentials.rst b/doc/source/user/application_credentials.rst
index eff86f7b3..5455a04e7 100644
--- a/doc/source/user/application_credentials.rst
+++ b/doc/source/user/application_credentials.rst
@@ -174,8 +174,47 @@ Access Rules
============
In addition to delegating a subset of roles to an application credential, you
-may also delegate more fine-grained access control by using access rules. For
-example, to create an application credential that is constricted to creating
+may also delegate more fine-grained access control by using access rules.
+
+.. note::
+
+ Application credentials with access rules require additional configuration
+ of each service that will use it. See below for details.
+
+If application credentials with access rules are required, an OpenStack
+service using keystonemiddleware to authenticate with keystone, needs to
+define ``service_type`` in its configuration file. Following is an example for the
+cinder V3 service:
+
+.. code-block:: ini
+
+ [keystone_authtoken]
+ service_type = volumev3
+
+For other OpenStack sevices, their types can be obtained using the OpenStack
+client. For example:
+
+.. code-block:: console
+
+ $ openstack service list -c Name -c Type
+ +-----------+-----------+
+ | Name | Type |
+ +-----------+-----------+
+ | glance | image |
+ | cinderv3 | volumev3 |
+ | cinderv2 | volumev2 |
+ | keystone | identity |
+ | nova | compute |
+ | neutron | network |
+ | placement | placement |
+ +-----------+-----------+
+
+.. note::
+
+ Updates to the configuration files of a service require restart of the appropriate
+ services for the changes to take effect.
+
+In order to create an example application credential that is constricted to creating
servers in nova, the user can add the following access rules:
.. code-block:: console
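Review bot: The added paragraph beginning "If application credentials with access rules are required" tells the operator to set ``service_type`` but never says what goes wrong when it is missing, so someone troubleshooting a failing application credential has no symptom to match against. The commit message calls the option crucial, so the docs should state the observable failure and say explicitly that the value to use is the Type column of the ``openstack service list`` output shown. Smaller points in the same hunk: "sevices" should be "services", the comma in "to authenticate with keystone, needs to" should be dropped, "each service that will use it" should read "use them" to agree with "Application credentials", and the first note's "See below for details" would hold up better as a direct pointer to the ``service_type`` paragraph that follows it.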