yahoo-eng-team team mailing list archive

[Bug 1481145] Re: Keystone could create domain when Identity driver is LDAP and Resource driver is SQL

 

So this is by design. If you are using LDAP for Identity and want to use
multiple domains, then you need to enable domain specific drivers in
Identity.  This is done using the identity config
domain_specific_drivers_enabled option.  However, I'd recommend you read
the keystone configuration.rst for a description of the methods of
specifying how each domain is backed by LDAP.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1481145

Title:
  Keystone could create domain when Identity driver is LDAP and Resource
  driver is SQL

Status in Keystone:
  Invalid

Bug description:
  Recently, I found a problem with creating a domain when I set my
  Identity driver to LDAP, and Resource driver to SQL (since I just
  found resource driver for LDAP is still working on, could do more
  actions on Domain resource).

  I could not create a domain when the identity driver is LDAP and the
  resource driver is SQL, but this use case could be done when the
  identity driver is SQL and the resource driver is SQL.

  I wonder if it is designed like that; if so, could you point me to
  some guide docs about this?

  After checking the source code, I found it may be caused by this code:
      path : ./keystone/identity/core.py
      def is_domain_aware(self):
          """Indicates if Driver supports domains."""
          return True

  Since the SQL backend driver inherits from Driver,
  "is_domain_aware()" is True, but for the LDAP backend driver
  "is_domain_driver()" is False.

  So, there is one explanation in "./keystone/identity/core.py": this
  method "is_domain_driver()" is used to "Indicates if Driver supports
  domains.", and I checked "./keystone/identity/backends/ldap.py":

  class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
      DEFAULT_OU = 'ou=Users'
      DEFAULT_STRUCTURAL_CLASSES = ['person']
      DEFAULT_ID_ATTR = 'cn'
      DEFAULT_OBJECTCLASS = 'inetOrgPerson'
      NotFound = exception.UserNotFound
      options_name = 'user'
      attribute_options_names = {'password': 'pass',
                                 'email': 'mail',
                                 'name': 'name',
                                 'enabled': 'enabled',
                                 'default_project_id': 'default_project_id'}

  there is no "domain_id" section, so that is why "is_domain_aware()"?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1481145/+subscriptions
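
The setup the reply above points to, sketched as an added example (not part of the original message or of Keystone's shipped configuration): SQL for Resource, with one domain backed by LDAP through a domain-specific identity driver. The domain name "corp", the directory path, the LDAP host and the DNs are constructed placeholders, and the short driver names `sql` and `ldap` are an assumption about the release in use (older releases take the full driver class path instead).

```ini
# ---- /etc/keystone/keystone.conf (main configuration) ----
[identity]
# Backend used for any domain that has no file of its own.
driver = sql
# Allow each domain to carry its own identity driver settings.
domain_specific_drivers_enabled = true
# Directory scanned for files named keystone.<domain_name>.conf
# (path is a placeholder).
domain_config_dir = /etc/keystone/domains

[resource]
# Domains and projects are stored in SQL, as in the report.
driver = sql

# ---- /etc/keystone/domains/keystone.corp.conf ----
# Applies only to the domain named "corp" (constructed name).
[identity]
driver = ldap

[ldap]
# Placeholder directory server; ldaps keeps binds off the wire in clear text.
url = ldaps://ldap.example.org
suffix = dc=example,dc=org
user_tree_dn = ou=Users,dc=example,dc=org
user_objectclass = inetOrgPerson
user_id_attribute = cn
```

The file name carries the domain's name, so settings in that file never apply to users of any other domain.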