← Back to team overview

openstack team mailing list archive

Re: [Keystone] Splitting the Identity Backend

 

Hello Adam,

I have been waiting for a separation such as this. There is no way HP would allow us to muck with their LDAP servers other than read only.

Mark

-----Original Message-----
From: Openstack [mailto:openstack-bounces+mark.m.miller=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Adam Young
Sent: Monday, May 20, 2013 9:47 AM
To: openstack
Subject: [Openstack] [Keystone] Splitting the Identity Backend

Currently, the Identity backend  has Domains, Users , Groups, Roles, Role Assignments and Projects.  I've proposed splitting it into 3 distinct pieces.  Domain, Identity, and Projects.

Here is the rationale:

Somewhere between a third and a half of the OpenStack deployments are using LDAP.  However, the mapping from LDAP to Identity does not work. 
LDAP is almost always a read only  datasource.   While Keystone *can* 
manage these, it should also be possible to treat the users and groups piece as externally managed.

In addition, several organizations have multiple LDAP servers. Not a huge number of servers,  but more than one is a very common scenario due to a merger.  Each of these should map to a domain. Thus, domain management has to be extracted out of the LDAP backend.

Identity would contain users and groups.  Projects would contain Projects, Roles, and Role Assignments.  Domains would contain only domains.

For people happily deploying SQL, nothing should change.  A single Database instance can still serve all three backends.  It should only mean removing some foreign key constraints.

For people that are deploying the current LDAP code and are happy with the layout, we will continue to support the LDAP Project backend.


Say an organization has two LDAP servers, and also maintains a public 
facing cloud backed by SQL.  Each of the two LDAP servers would have 
configurations that correspond to the current layout, although limited 
only to the user and group subtrees.  The domain registry  would live in 
the SQL backend.  It would have two entries for the LDAP servers, and 
these would be immutable.  Dynamic domain allocation and deletion would 
work only for the domains backed by SQL.



The main blueprint for this is:
https://blueprints.launchpad.net/keystone/+spec/split-identity
with supporting blueprints for pieces that can be completed 
interdependently.

Comments welcome.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


References