From e91b4f55fea72942889ec5953553fd3814a67b10 Mon Sep 17 00:00:00 2001
From: Christian Schwede <cschwede@redhat.com>
Date: Thu, 15 Jun 2017 15:06:04 +0200
Subject: [PATCH] Update external Swift configuration doc

Change-Id: I8377b17e5557398007ce1b46e39dec26932c0448
---
 .../advanced_deployment/swift_external.rst    | 41 ++++++++++++++++---
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/doc/source/advanced_deployment/swift_external.rst b/doc/source/advanced_deployment/swift_external.rst
index 85aed3d1..a3b4cff1 100644
--- a/doc/source/advanced_deployment/swift_external.rst
+++ b/doc/source/advanced_deployment/swift_external.rst
@@ -12,11 +12,11 @@ its setup by creating a custom environment file (i.e.
 *~/my-swift-settings.yaml*)::
 
   parameter_defaults:
-     ExternalPublicUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s'
-     ExternalInternalUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s'
-     ExternalAdminUrl: 'http://swiftproxy:9024/v1/%(tenant_id)s'
+     ExternalPublicUrl: 'http://<Public Swift endpoint or loadbalancer>:9024/v1/AUTH_%(tenant_id)s'
+     ExternalInternalUrl: 'http://<Internal Swift endpoint>:9024/v1/AUTH_%(tenant_id)s'
+     ExternalAdminUrl: 'http://<Admin Swift endpoint>:9024'
      ExternalSwiftUserTenant: 'service'
-
+     SwiftPassword: 'choose_a_random_password'
 
 The user can create an environment file with the required settings
 and add the files above to the deploy commandline::
@@ -26,5 +26,36 @@ and add the files above to the deploy commandline::
 Once the deploy has succeeded, user has to complete the
 configuration on the external swift proxy, configuring it to use the
 keystone authentication provider. This environment files creates also
-a service user called *swift* that can be used for this purpose.
+a service user called *swift* that can be used for this purpose. The
+password for this user is defined by using the *SwiftPassword*
+parameter, as shown above.
 
+The external Swift proxy must use Keystone from the overcloud, otherwise
+authentication will fail. The public Keystone endpoint must be
+accessible from the proxy therefore.
+
+The following snippet from `/etc/swift/proxy-server.conf` is an example
+how to configure the Swift proxy to use Keystone from the overcloud::
+
+  [pipeline:main]
+  pipeline = [... other middlewares ...]  authtoken keystone [... other middlewares ...]
+
+  [filter:keystone]
+  use = egg:swift#keystoneauth
+  operator_roles = admin, SwiftOperator
+  cache = swift.cache
+
+  [filter:authtoken]
+  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+  signing_dir = /tmp/keystone-signing-swift
+  auth_uri = http://<public Keystone endpoint>:5000/
+  auth_url = http://<admin Keystone endpoint>:35357/
+  password = <Password as defined in the environment parameters>
+  auth_plugin = password
+  project_domain_id = default
+  user_domain_id = default
+  project_name = service
+  username = swift
+  cache = swift.cache
+  include_service_catalog = False
+  delay_auth_decision = True