To use the accounts on an OpenStack Keystone server for
authentication to the OpenStack cloud connection, create an authentication
realm that points to the Keystone server. Then, configure security
for that authentication realm.
Before you begin
- Configure the images for use with the blueprint designer. See
Configuring OpenStack images.
- Obtain an OpenStack Keystone server. In
most cases, use the Keystone server that is connected to the cloud
that you are connecting to. You can reuse a Keystone server that is
connected to a different cloud, or you can install a Keystone server
for use with the target cloud. See the OpenStack documentation.
- Obtain an engine. The engine version must match the version of the OpenStack
Keystone server. You can use any of the following options for the engine:
- Install the blueprint design server. See Installing the blueprint design server.
- Connect the blueprint design server to the server. See Connecting the blueprint design server to the server.
- Ensure that the blueprint design server can connect to the
cloud. You can verify the connection path with the curl or
telnet commands. For example, make sure that no firewall, proxy, or
security settings prevent communication between the blueprint design server and the
cloud.
About this task
The following diagram shows a typical topology for this scenario. The blueprint design
server and engine connect to the OpenStack-based cloud. The blueprint design server also
connects to the license server and the Keystone identity service. The blueprint design server
retrieves authentication information from this Keystone identity service.
Procedure
- Log in to the blueprint designer as a user with the following permissions:
  - Configure Security
  - Manage Users & Groups
- Create an authentication realm that points to the Keystone server. See Creating OpenStack identity service authentication realms for the blueprint designer.
- Import the users from that authentication realm. The blueprint designer creates the following artifacts:
  - The blueprint designer creates a user in the authentication realm for each user on
    the Keystone server.
  - The blueprint designer creates a cloud connection on the
    Clouds tab. (Click .)
  - The blueprint designer creates a cloud project for each tenant or project on the
    cloud. If your OpenStack identity service uses Identity API v3, the domain for each project is
    specified.
- Add the cloud projects to teams.
- Add one or more users from that authentication realm to
a team and assign those users one or more roles. The users
on the team have access to the cloud projects that are associated
with that team.
- Make sure that the team roles include the appropriate permissions for those users, such
as creating and editing blueprints.
- If the cloud uses SSL security, configure SSL security on the blueprint design server.
See Configuring SSL security for OpenStack clouds.
Results
Users can log in to the blueprint designer with the accounts on the Keystone server.
At the top of the page, users can select the cloud connection, cloud
project, and region. When they edit blueprints, the palette shows resources that are
available from the cloud that the user account is associated with.
Note: When a user logs in to the blueprint designer, the blueprint
designer matches the user name to the authentication realms, starting at the top of the
list. If the user name is present in more than one authentication realm, the blueprint
designer uses the listing in the highest authentication realm.
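The realm-precedence rule in the note above can hide a Keystone account behind a same-named account in a higher realm. The following added example (not part of the product or its documentation) models top-down matching and lists the user names that collide across realms. The realm names, user lists, and exact-match comparison are assumptions made for illustration.

```python
# Constructed sample data: realms in list order, top of the list first.
# Realm names and user names are hypothetical.
REALMS = [
    ("Internal Security", ["admin", "alice"]),
    ("Keystone-prod", ["alice", "bob", "carol"]),
    ("Keystone-lab", ["bob", "dave", "admin"]),
]


def resolve_realm(user_name, realms):
    """Return the first (highest) realm that lists user_name, or None.

    Assumption: names are compared as exact strings.
    """
    for realm_name, users in realms:
        if user_name in users:
            return realm_name
    return None


def shadowed_accounts(realms):
    """Find user names that appear in more than one realm.

    Returns {user_name: (winning_realm, [shadowed_realms])}, where the
    winning realm is the highest one in the list that contains the name.
    """
    seen = {}
    for realm_name, users in realms:          # outer loop keeps list order
        for user in set(users):               # ignore duplicates in a realm
            seen.setdefault(user, []).append(realm_name)
    return {
        user: (hits[0], hits[1:])
        for user, hits in sorted(seen.items())
        if len(hits) > 1
    }


if __name__ == "__main__":
    for user, (winner, losers) in shadowed_accounts(REALMS).items():
        print(f"{user}: login resolves to '{winner}'; "
              f"same name ignored in {', '.join(losers)}")
```

Running a check like this against exported user lists before importing Keystone users shows which accounts would never authenticate against the Keystone realm because a higher realm claims the name first.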