Configuring object authentication with an external Keystone server

Object authentication can be configured with an external Keystone server. Use this configuration either when a Keystone server is already deployed in the environment or when the system administrator wants to host a Keystone server externally so that it can also be used for other OpenStack services.

The following prerequisites must be met before you start configuring an external Keystone server with the IBM Spectrum Scale™ system.
  • The external Keystone server must be running and reachable from all protocol nodes.
  • The Keystone server administrator must create an Object Storage service for the required user, for Object authentication configuration.
To configure an external Keystone server with the IBM Spectrum Scale system, issue the mmuserauth service create command as shown in the following example:
mmuserauth service create --data-access-method object --type userdefined \
--ks-swift-user <SWIFTserviceUser> --ks-swift-pwd <SWIFTserviceUserpassword> \
--ks-ext-endpoint <endpoint of keystone server>

Configuring an external Keystone server for object authentication when using the installation toolkit

If you plan to configure authentication for IBM Spectrum Scale for object storage with an external Keystone server and you are using the installation toolkit, do the following steps:

  1. When configuring IBM Spectrum Scale for object storage with the installation toolkit, do not configure object authentication with external Keystone.

    After successful installation and deployment, IBM Spectrum Scale for object storage is configured with local authentication.

  2. Run the following commands to configure object authentication with external Keystone:
    mmuserauth service remove --data-access-method object
    
    mmuserauth service remove --data-access-method object --idmapdelete
    
    mmuserauth service create --data-access-method object --type userdefined \
    --ks-ext-endpoint http://specscaleswift:35357/v3 \
    --ks-swift-user swift --ks-swift-pwd password
Note: Cleaning up authentication leads to loss of data access to the end clients. For example, in the preceding command sequence, client access to data created with local authentication enabled is lost when you remove local authentication before configuring external Keystone.
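
Because removing local authentication cuts off client access, the reachability prerequisite is worth confirming on each protocol node before the sequence above is run. The following pre-flight check is an added example, not IBM code or part of mmuserauth: the function names are hypothetical, it assumes the endpoint is a Keystone v3 identity URL (as in the example above) that answers an unauthenticated GET with a version document, and the sample document is constructed.

```python
"""Pre-flight check for a --ks-ext-endpoint value (added example, hypothetical names)."""
import json
import sys
import urllib.request
from urllib.parse import urlsplit

MALFORMED = "not an http(s) URL with a host and valid port"
# Constructed sample of a Keystone v3 version document, not captured output.
SAMPLE_DOC = '{"version": {"id": "v3.14", "status": "stable"}}'

def review_endpoint(endpoint):
    """Static checks on the URL; returns a list of problems (empty means OK)."""
    try:
        url = urlsplit(endpoint)
        host, _port = url.hostname, url.port  # .port raises ValueError if malformed
    except ValueError:
        return [MALFORMED]
    if url.scheme not in ("http", "https") or not host:
        return [MALFORMED]
    problems = []
    if url.scheme == "http":
        problems.append("cleartext http: credentials and tokens sent to Keystone are unencrypted")
    if not url.path.rstrip("/").endswith("/v3"):
        problems.append("path does not end in /v3 (assumed Keystone v3 identity URL)")
    return problems

def review_version_doc(body):
    """Check that a response body is a Keystone v3 version document."""
    try:
        version_id = str(json.loads(body)["version"]["id"])
    except (ValueError, KeyError, TypeError):
        return ["response is not a Keystone version document"]
    return [] if version_id.startswith("v3") else ["identity API is %s, expected v3" % version_id]

def probe(endpoint, timeout=5):
    """Live check from this node: static review, then fetch and review the reply."""
    problems = review_endpoint(endpoint)
    if problems == [MALFORMED]:
        return problems
    try:
        with urllib.request.urlopen(endpoint, timeout=timeout) as resp:
            problems += review_version_doc(resp.read())
    except OSError as exc:  # refused, timed out, DNS failure, TLS or HTTP error
        problems.append("no usable reply from this node: %s" % exc)
    return problems

if __name__ == "__main__":
    # With a URL argument: live probe. Without: self-check on the constructed sample.
    issues = probe(sys.argv[1]) if len(sys.argv) > 1 else review_version_doc(SAMPLE_DOC)
    sys.exit("\n".join(issues) if issues else 0)
```

Run it with the endpoint as the only argument on every protocol node; a non-zero exit status means at least one problem was reported, including the cleartext warning for an http:// endpoint such as the one in the example above.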