Configuring object authentication with an external Keystone server
Object can be configured with an external Keystone server. This is done either when a Keystone server is already deployed in the environment or when the system administrator wants to host a Keystone server externally so that it can be used for other OpenStack services.
The following prerequisites must be met before you start configuring an external Keystone server with the IBM Spectrum Scale™ system:
- The external Keystone Server must be running and reachable from all protocol nodes.
- The Keystone server administrator must create an Object Storage service for the required user, for Object authentication configuration.
To configure an external Keystone server with the IBM Spectrum Scale system, issue the mmuserauth service create command as shown in the following example:
mmuserauth service create --data-access-method object --type userdefined \
    --ks-swift-user <SWIFTserviceUser> --ks-swift-pwd <SWIFTserviceUserpassword> \
    --ks-ext-endpoint <endpoint of keystone server>
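A preflight check for the reachability prerequisite, as an added example that is not part of the IBM documentation: run on each protocol node before mmuserauth service create, it validates the value intended for --ks-ext-endpoint and confirms that Keystone answers an HTTP request. The function names, the exit codes, the 5-second timeout and the requirement that the path be /v3 (taken from the endpoint used in this page's example) are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): preflight for an external Keystone endpoint.
# Usage on each protocol node: sh ks_preflight.sh http://specscaleswift:35357/v3

# Print "scheme host port path" for an endpoint URL; return 1 if malformed.
ks_parse_endpoint() {
    url=$1
    case "$url" in
        http://*)  scheme=http;  rest=${url#http://};  port=80 ;;
        https://*) scheme=https; rest=${url#https://}; port=443 ;;
        *) return 1 ;;
    esac
    hostport=${rest%%/*}
    case "$rest" in */*) path=/${rest#*/} ;; *) path=/ ;; esac
    # Bracketed IPv6 literals are not handled by this simple parser.
    case "$hostport" in *\[*) return 1 ;; esac
    host=${hostport%%:*}
    case "$hostport" in *:*) port=${hostport##*:} ;; esac
    [ -n "$host" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s %s %s\n' "$scheme" "$host" "$port" "$path"
}

# Exit codes (assumed convention): 2 malformed URL, 3 path is not /v3,
# 4 no successful HTTP answer from this node within 5 seconds.
ks_preflight() {
    endpoint=$1
    parts=$(ks_parse_endpoint "$endpoint") || {
        echo "malformed endpoint: $endpoint" >&2; return 2; }
    case "${parts##* }" in
        /v3|/v3/) ;;
        *) echo "endpoint path is not /v3: $endpoint" >&2; return 3 ;;
    esac
    # The syntax checks above run first, so a bad URL never reaches the network.
    curl --silent --fail --max-time 5 --output /dev/null "$endpoint" || {
        echo "$(hostname): cannot reach $endpoint" >&2; return 4; }
}

# Run the check only when an endpoint is passed on the command line.
if [ "$#" -gt 0 ]; then
    ks_preflight "$1" && echo "$(hostname): $1 is reachable"
fi
```

A non-zero exit on any protocol node means the first prerequisite is not met for that node.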
Configuring an external Keystone server for object authentication when using the installation toolkit
If you plan to configure authentication for IBM Spectrum Scale for object storage with an external Keystone server and you are using the installation toolkit, do the following steps:
- When configuring IBM Spectrum Scale for object storage with the installation toolkit, do not configure object authentication with external Keystone.
After successful installation and deployment, IBM Spectrum Scale for object storage is configured with local authentication.
- Run the following commands to configure object authentication with external Keystone:
mmuserauth service remove --data-access-method object
mmuserauth service remove --data-access-method object --idmapdelete
mmuserauth service create --data-access-method object --type userdefined --ks-ext-endpoint http://specscaleswift:35357/v3 --ks-swift-user swift --ks-swift-pwd password
Note: Cleaning up authentication leads to loss of data access to the end clients. For example, in the preceding command sequence, client access to data created with local authentication enabled is lost when you remove local authentication before configuring external Keystone.