Thread Previous • Date Previous • Date Next • Thread Next |
On 07/25/2012 10:19 AM, Ionuț Arțăriși wrote:
On 07/17/2012 11:33 PM, Joseph Heck wrote:That's the general area I was going to head with the Active Directory backend I'm hacking on. Chris Hoge of UOregon presented today (@ OSCON) on a local keystone hack that they did to enable LDAP AuthN + a fail back to SQL based system for their scientific computing cluster - follows a very similar model.-joe On Jul 17, 2012, at 2:16 PM, Tim Bell <Tim.Bell@xxxxxxx> wrote:+1 The corporate LDAP should be read-only for a source of user, roles andattributes. Updating the corporate LDAP is not an option in manyenvironments which can significantly benefit from the structured directoryinformation available. Thus, at minimum, allow a r/o LDAP and local DB store for any openstack specific information that needs updating. Tim-----Original Message----- From: openstack-bounces+tim.bell=cern.ch@xxxxxxxxxxxxxxxxxxx[mailto:openstack-bounces+tim.bell=cern.ch@xxxxxxxxxxxxxxxxxxx] On BehalfOf Ryan Lane Sent: 17 July 2012 20:43 To: Adam Young Cc: Joseph Heck; openstack Subject: Re: [Openstack] [Keystone] Quotas: LDAP HelpI haven't been thinking about quotas, so bear with me here. A fewthoughts:Certain deployments might not be able to touch the LDAP backend. I amthinking specifically where there is a corporate AD/LDAP server. I tried to keep the scheme dependency simple enough that it could be layered onto a read-only scenario. If we put quotas into LDAP, it might break on those deployments.Many, many deployments won't be able to. Applications should generally assume they are read-only in regards to LDAP.I can see that we don't want to define them in the Nova database, as Swift might not have access to that, and swift is going to be one ofthe primary consumers of Quotas. I am Assuming Quantum will have themas well.As you are aware, there is no metadata storage in the LDAP driver, instead it is generated from the tenant and role information on the fly. There is no place to store metadata in "groupOfNames" which is the lowest( common denominator) grouping used for Tenants. Probably the most correct thing to do would be to use a "seeAlso" that points to where the quota data is stored.Let's try not to force things into attributes if possible.When LDAP is used, is the SQL backend not used at all? Why not store quotainfo in Keystone's SQL backend, but pull user info from LDAP, whenenabled?We should only consider storing something in LDAP if it's going to bereusedby other applications. LDAP has a strict schema for exactly this purpose.If thequota information isn't directly usable by other applications we shouldn'tstore it in LDAP.Many applications with an LDAP backend also have an SQL backend, and use the SQL as primary storage for most things, and as a cache for LDAP, ifit'sused. I think this is likely a sane approach here, as well. - Ryan _______________________________________________Hi,I just wanted to add a bit to this thread. We're currently working on a hybrid backend between LDAP and SQL. I have a working version for a specific setup in which the user accounts are stored in LDAP, but tenants and roles are all stored in SQL together with other openstack user accounts such as the nova admin account.I basically just Frankensteined the two backends together for user processing and left everything else to be handled by the SQL backend. I'd like to hear other people's opinion on this or alternative implementations.
Are tenants completely in the SQL DB? If so, how to you list tenants for a given user?
Do you copy users from LDAP to SQL for anything?
https://gist.github.com/3176390 -Ionuț _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@xxxxxxxxxxxxxxxxxxx Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Thread Previous • Date Previous • Date Next • Thread Next |