Adapter
Adapter for Integration to OpenStack Keystone identity service
Overview
This adapter is used to integrate the Itential Automation Platform (IAP) with the Openstack_keystone System. The API that was used to build the adapter for Openstack_keystone is usually available in the report directory of this adapter. The adapter utilizes the Openstack_keystone API to provide the integrations that are deemed pertinent to IAP. The ReadMe file is intended to provide information on this adapter it is generated from various other Markdown files.
Details
The OpenStack Keystone adapter from Itential is used to integrate the Itential Automation Platform (IAP) with Keystone, an OpenStack identity service. With this adapter you have the ability to perform operations such as:
- Add, update, manage and remove Security Policies.
- Access and manage credentials.
- Manage users, groups, and projects.
For further technical details on how to install and use this adapter, please click the Technical Documentation tab.
OpenStack Keystone
Table of Contents
Specific Adapter Information
Authentication
This document will go through the steps for authenticating the OpenStack Keystone adapter with Two Step Token. Properly configuring the properties for an adapter in IAP is critical for getting the adapter online. You can read more about adapter authentication HERE.
Two Step Token
The OpenStack Keystone adapter requires Token Authentication. If you change authentication methods, you should change this section accordingly and merge it back into the adapter repository. Current adapter supports Password authentication with scoped authorization (Project-Scoped with Project Name), check https://docs.openstack.org/api-ref/identity/v3/?expanded=password-authentication-with-unscoped-authorization-detail#password-authentication-with-scoped-authorization
STEPS
Ensure you have access to a OpenStack Keystone server and that it is running
Follow the steps in the README.md to import the adapter into IAP if you have not already done so
Use the properties below for the
properties.authentication
field"authentication": { "auth_method": "request_token", "username": "<username>", "password": "<password>", "token_timeout": 600000, "token_cache": "local", "invalid_token_error": 401, "auth_field": "header.headers.X-Auth-Token", "auth_field_format": "{token}", "auth_logging": false, "os_user_domain_name": "Default", "os_project_name": "admin", "os_project_domain_name": "Default", "sso": { "protocol": "https", "host": "<host>", "port": 5000 } }
You can leave all of the other properties in the authentication section, they will not be used when the auth_method is request_token.
sso
can be configured with keystone auth data in the authentication section of the adapter config as shown above. Optionally, it can also be configured in .system/action.json.Restart the adapter. If your properties were set correctly, the adapter should go online.
Troubleshooting
- Make sure you copied over the correct username and password.
- Turn on debug level logs for the adapter in IAP Admin Essentials.
- Turn on auth_logging for the adapter in IAP Admin Essentials (adapter properties).
- Investigate the logs - in particular:
- The FULL REQUEST log to make sure the proper headers are being sent with the request.
- The FULL BODY log to make sure the payload is accurate.
- The CALL RETURN log to see what the other system is telling us.
- Credentials should be masked by the adapter so make sure you verify the username and password - including that there are erroneous spaces at the front or end.
- Remember when you are done to turn auth_logging off as you do not want to log credentials.
Sample Properties
Sample Properties can be used to help you configure the adapter in the Itential Automation Platform. You will need to update connectivity information such as the host, port, protocol and credentials.
"properties": {
"host": "localhost",
"port": 5000,
"choosepath": "",
"base_path": "/",
"version": "",
"cache_location": "none",
"encode_pathvars": true,
"encode_queryvars": true,
"save_metric": false,
"stub": true,
"protocol": "https",
"authentication": {
"auth_method": "request_token",
"username": "username",
"password": "password",
"token": "token",
"token_timeout": 600000,
"token_cache": "local",
"invalid_token_error": 401,
"auth_field": "header.headers.X-Auth-Token",
"auth_field_format": "{token}",
"auth_logging": false,
"client_id": "",
"client_secret": "",
"grant_type": "",
"os_user_domain_name": "Default",
"os_project_name": "admin",
"os_project_domain_name": "Default",
"sensitive": [],
"sso": {
"protocol": "",
"host": "",
"port": 0
},
"multiStepAuthCalls": [
{
"name": "",
"requestFields": {},
"responseFields": {},
"successfullResponseCode": 200
}
]
},
"healthcheck": {
"type": "intermittent",
"frequency": 60000,
"query_object": {},
"addlHeaders": {}
},
"throttle": {
"throttle_enabled": false,
"number_pronghorns": 1,
"sync_async": "sync",
"max_in_queue": 1000,
"concurrent_max": 1,
"expire_timeout": 0,
"avg_runtime": 200,
"priorities": [
{
"value": 0,
"percent": 100
}
]
},
"request": {
"number_redirects": 0,
"number_retries": 3,
"limit_retry_error": [
0
],
"failover_codes": [],
"attempt_timeout": 5000,
"global_request": {
"payload": {},
"uriOptions": {},
"addlHeaders": {},
"authData": {}
},
"healthcheck_on_timeout": true,
"return_raw": false,
"archiving": false,
"return_request": false
},
"proxy": {
"enabled": false,
"host": "",
"port": 1,
"protocol": "http",
"username": "",
"password": ""
},
"ssl": {
"ecdhCurve": "",
"enabled": false,
"accept_invalid_cert": false,
"ca_file": "",
"key_file": "",
"cert_file": "",
"secure_protocol": "",
"ciphers": ""
},
"mongo": {
"host": "",
"port": 0,
"database": "",
"username": "",
"password": "",
"replSet": "",
"db_ssl": {
"enabled": false,
"accept_invalid_cert": false,
"ca_file": "",
"key_file": "",
"cert_file": ""
}
},
"devicebroker": {
"enabled": false,
"getDevice": [
{
"path": "/not/mapped",
"method": "GET",
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {
"insample": "{port}"
},
"responseDatakey": "",
"responseFields": {
"name": "{this}{||}{that}",
"ostype": "{osfield}",
"ostypePrefix": "meraki-",
"port": "{port}",
"ipaddress": "{ip_addr}",
"serial": "{serial}"
}
}
],
"getDevicesFiltered": [
{
"path": "/not/mapped",
"method": "GET",
"pagination": {
"offsetVar": "",
"limitVar": "",
"incrementBy": "limit",
"requestLocation": "query"
},
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {},
"responseDatakey": "",
"responseFields": {
"name": "{this}{||}{that}",
"ostype": "{osfield}",
"ostypePrefix": "meraki-",
"port": "{port}",
"ipaddress": "{ip_addr}",
"serial": "{serial}",
"id": "{myid}"
}
}
],
"isAlive": [
{
"path": "/not/mapped/{devID}",
"method": "GET",
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {
"devID": "{id}"
},
"responseDatakey": "",
"responseFields": {
"status": "return2xx",
"statusValue": "AD.200"
}
}
],
"getConfig": [
{
"path": "/not/mapped/{devID}",
"method": "GET",
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {
"devID": "{id}"
},
"responseDatakey": "",
"responseFields": {}
}
],
"getCount": [
{
"path": "/not/mapped",
"method": "GET",
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {},
"responseDatakey": "",
"responseFields": {}
}
]
},
"cache": {
"enabled": false,
"entities": [
{
"entityType": "device",
"frequency": 3600,
"flushOnFail": false,
"limit": 10000,
"retryAttempts": 5,
"sort": true,
"populate": [
{
"path": "/not/mapped",
"method": "GET",
"pagination": {
"offsetVar": "",
"limitVar": "",
"incrementBy": "limit",
"requestLocation": "query"
},
"query": {},
"body": {},
"headers": {},
"handleFailure": "ignore",
"requestFields": {},
"responseDatakey": "",
"responseFields": {
"name": "{this}{||}{that}",
"ostype": "{osfield}",
"ostypePrefix": "meraki-",
"port": "{port}",
"ipaddress": "{ip_addr}",
"serial": "{serial}",
"id": "{myid}"
}
}
],
"cachedTasks": [
{
"name": "",
"filterField": "",
"filterLoc": ""
}
]
}
]
}
}