openstack team mailing list archive

[Jay Pipes <jaypipes@xxxxxxxxx>]

On 03/09/2012 10:23 AM, Jason Hedden wrote:
> On Mar 8, 2012, at 10:01 PM, Deepak Garg wrote:
>
> > I have also been trying to find a cli to get a user's role in a
> > particular tenant.
> > I could not do that even with db tables mapping. Following are the fields
> > in the tables:
> >
> > tenant table  ->  tenant_Id, name, extras
> > user_tenant_membership  ->  user_id, tenant_id
> > user table  ->  id, name, extra
> > role table ->  id, name
> >
> > So when we bind a user to a tenant with a particular role. How do we
> > store the data in the db so that its possible to verify it and may be
> > retrieve it using cli (when it gets implemented) ?
>
> The data is stored in a python dictionary, inside of the metadata table.  You will not be able to use SQL without an unwieldy wildcard search.  IMO this seems overly complicated for a core function of the tool, and possibly the reason why listing user/tenant roles hasn't been implemented.

++

I suspect the existing SQL schema has more to do with the default of 
using a key-value store until recently.

I think that storing in the roles relationships in the "extra" column is 
a bit of premature optimization that is a little ill-conceived at this 
point -- it sacrifices functionality for a perceived performance 
improvement. I don't believe there's any evidence that the join to a 
roles table (or two joins for a mapping many-to-many relationship table) 
had an adverse impact on performance in the legacy Keystone.

-jay