Assignments (user to project, group to project, user to domain, group to domain) are OpenStack-specific data, whereas identity (users, groups, and user to group assignments) is general organizational data. When all of this was in a single backend, we had no choice but to force people to use LDAP in a writeable mode, and put their assignments in there.

Assignments and LDAP were always a bad match.

With the split of the identity backend, we can now manage identity in a backend separate from assignments. There is an identity backend, and an assignments backend. For Havana, if the user has configured the identity backend to use LDAP, and has not specified anything for assignments, assignments will be in LDAP as well. We can't drop support for LDAP assignments without breaking the deployments for all these people. I'd like to propose deprecating the LDAP backend for assignments as soon as feasible, with an eye to helping people migrate their existing assignments to the SQL backend.

What might a migration look like:

1. Lock down the LDAP backend so that no updates can occur to projects, roles, or role assignments.

2. For projects, roles, and role assignments, do an LDAP query and generate a single row in the SQL backend. These don't need to be identical to the existing ones, but it is not required that the IDs be UUIDs: they will be treated as blobs and keeping the old values is fine if desired.

3. Change the config file so that the assignments backend is SQL, not LDAP, and restart Keystone.

We should deprecate the LDAP Assignments backend when Icehouse is GA, to be removed two releases later. We know we have some rough spots to smooth over in the Havana and Icehouse timeframe regarding the LDAP/SQL approach. I'd like to warn people that this is coming, so that we have some participation in discussions around this migration, and that, by the time we finally remove the last of the support for LDAP assignments, it will be nothing but a fading memory.




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
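The three-step migration sketched in the message above, worked through as an added example. This is illustrative code written for this page, not Keystone's own migration tooling or anything from the OpenStack project. It assumes a particular LDAP layout (projects under ou=Projects, roles under ou=Roles, and per-project organizationalRole entries whose roleOccupant values are the user DNs), assumes the user id is the cn of that DN, and uses a simplified sqlite schema as a stand-in for Keystone's assignment tables; none of that comes from the post. Step 1 (making the LDAP tree read-only) happens on the LDAP server; the script consumes an LDIF export taken after that lock, writes one SQL row per project, role and assignment with the LDAP ids kept verbatim, and checks the SQL contents against the LDAP set before step 3 (switching the config) is taken.

```python
"""Added example: LDAP-to-SQL assignment migration (not Keystone code).

Assumed, not stated in the original post: the LDAP tree layout below, the
user id attribute (cn), and the simplified SQL schema.
"""
import sqlite3
from collections import defaultdict

PROJECT_TREE_DN = "ou=Projects,dc=example,dc=com"   # assumed project_tree_dn
ROLE_TREE_DN = "ou=Roles,dc=example,dc=com"         # assumed role_tree_dn

# Constructed sample export (what `ldapsearch -LLL` might print); not real data.
SAMPLE_LDIF = """\
dn: cn=demo,ou=Projects,dc=example,dc=com
objectClass: groupOfNames
cn: demo
description: Demo project

dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: organizationalRole
cn: admin

dn: cn=member,ou=Roles,dc=example,dc=com
objectClass: organizationalRole
cn: member

dn: cn=admin,cn=demo,ou=Projects,dc=example,dc=com
objectClass: organizationalRole
cn: admin
roleOccupant: cn=alice,ou=Users,dc=example,dc=com

dn: cn=member,cn=demo,ou=Projects,dc=example,dc=com
objectClass: organizationalRole
cn: member
roleOccupant: cn=alice,ou=Users,dc=example,dc=com
roleOccupant: cn=bob,ou=Users,dc=example,dc=com
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS project (id TEXT PRIMARY KEY, name TEXT NOT NULL, description TEXT);
CREATE TABLE IF NOT EXISTS role (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS assignment (
    actor_id TEXT NOT NULL, target_id TEXT NOT NULL, role_id TEXT NOT NULL,
    PRIMARY KEY (actor_id, target_id, role_id),
    FOREIGN KEY (target_id) REFERENCES project(id),
    FOREIGN KEY (role_id) REFERENCES role(id));
"""


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, a blank line ends an entry.
    Base64 ('::') values and continuation lines are not handled; an export
    that uses them needs a real LDIF parser."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        else:
            attrs[key].append(value.strip())
    if dn is not None:
        entries.append((dn, dict(attrs)))
    return entries


def rdn_value(dn):
    """'demo' from 'cn=demo,ou=Projects,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def parent_dn(dn):
    return dn.split(",", 1)[1]


def extract(entries):
    """Step 2, read side: collect projects, roles and (user, project, role) triples."""
    projects, roles, assignments = {}, {}, set()
    for dn, attrs in entries:
        if parent_dn(dn) == PROJECT_TREE_DN:
            projects[rdn_value(dn)] = attrs.get("description", [""])[0]
        elif parent_dn(dn) == ROLE_TREE_DN:
            roles[rdn_value(dn)] = rdn_value(dn)   # name and id are both the cn here
    for dn, attrs in entries:
        parent = parent_dn(dn)
        if parent_dn(parent) != PROJECT_TREE_DN:
            continue                                # only role entries under a project
        if "organizationalRole" not in attrs.get("objectClass", []):
            continue
        role_id, project_id = rdn_value(dn), rdn_value(parent)
        if role_id not in roles:                    # would become a dangling foreign key
            raise ValueError("role %r under project %r is not in %s" % (role_id, project_id, ROLE_TREE_DN))
        for user_dn in attrs.get("roleOccupant", []):
            assignments.add((rdn_value(user_dn), project_id, role_id))
    return projects, roles, assignments


def migrate(conn, projects, roles, assignments):
    """Step 2, write side: one row each, ids kept verbatim as opaque strings.
    INSERT OR IGNORE plus the primary keys make a re-run after a partial failure safe."""
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT OR IGNORE INTO project (id, name, description) VALUES (?, ?, ?)",
                         [(pid, pid, desc) for pid, desc in sorted(projects.items())])
        conn.executemany("INSERT OR IGNORE INTO role (id, name) VALUES (?, ?)", sorted(roles.items()))
        conn.executemany("INSERT OR IGNORE INTO assignment (actor_id, target_id, role_id) VALUES (?, ?, ?)",
                         sorted(assignments))


def count_assignments(conn):
    return conn.execute("SELECT COUNT(*) FROM assignment").fetchone()[0]


def verify(conn, assignments):
    """Gate for step 3: the SQL set must equal the LDAP set, nothing missing, nothing extra."""
    return set(conn.execute("SELECT actor_id, target_id, role_id FROM assignment")) == assignments


def run_migration(ldif_text, db_path=":memory:"):
    conn = sqlite3.connect(db_path)
    projects, roles, assignments = extract(parse_ldif(ldif_text))
    migrate(conn, projects, roles, assignments)
    return conn, {"projects": len(projects), "roles": len(roles),
                  "assignments": len(assignments), "verified": verify(conn, assignments)}


if __name__ == "__main__":
    _, summary = run_migration(SAMPLE_LDIF)
    print(summary)
```

Only when `verified` is true should the config be flipped to the SQL assignment backend and Keystone restarted; if the LDAP lock in step 1 was not actually in place, an assignment added between the export and the switch will show up here as a mismatch rather than silently disappearing.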
