On 07/06/2016 10:23 AM, Ben Morrice wrote:
Hello,
We have a small private OpenStack deployment with 300 VMs across 2
regions.
We currently use the Keystone v2.0 API and all accounts are currently
stored in SQL.
We would like to move keystone to authenticate users from LDAP
(identity), whilst still having the service accounts stored in SQL
(migrating to Keystone v3 in the process).
In our testing environment we have configured domain-specific drivers
to support the above configuration, with the 'default' domain being
SQL and a separate domain 'ldap' for credentials from LDAP.
Usernames are the same for accounts in both 'default' and 'ldap'.
Assignments would still reside in SQL.
This setup works for the creation of new resources, however any
resources defined in the old domain ('default') are obviously not
available in the 'ldap' domain.
Has anyone migrated resources between domains? There doesn't appear to
be any OpenStack tooling to support this (?).
Or is the solution to simply configure the ldap domain named as
'default' and the SQL domain named as something like 'services' ?
You can do cross domain resource assignments. Assuming the usernames
are the same from sql to LDAP, you could script a role assignment
migration that lists users, lists roles for each user, and creates that
same role assignment for a user defined in LDAP with a matching username.
Or, if you can set up a name to name mapping manually, you could do the
same thing.
something like

    for default_user in `openstack user list --domain default --format json | jq '<insert magic here>'`
    do
        for os_role in `openstack role list --user $default_user --format json | jq '<more majik>'`
        do
            openstack role add --user $default_user --domain <new domain id> --role $os_role
        done
    done
I have to admit, I'd probably code it in python using the Keystone API,
but then, I work in Python a lot.
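The Python version of that loop, as an added example rather than code from either poster or from OpenStack: it lists users in the source domain, looks up the same-named user in the target domain, reads each direct project- or domain-scoped assignment through the v3 role_assignments API and grants it to the namesake. The FakeKeystone class, the user/role IDs and the grants are constructed stand-ins so the script runs offline; against a real cloud the assumption is that `ks` is a keystoneclient.v3 Client exposing `users.list`, `role_assignments.list` and `roles.grant` with these keyword arguments.

```python
"""Copy Keystone v3 role assignments from users in one domain to the
same-named users in another (e.g. 'default' -> 'ldap').  Added example,
not part of the original thread or of OpenStack; FakeKeystone below is a
constructed stand-in for keystoneclient.v3.client.Client."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Assignment:
    role_id: str
    scope_kind: str  # "project" or "domain"
    scope_id: str


def direct_assignments(ks, user_id):
    """Set of a user's direct (non-inherited) project/domain-scoped assignments."""
    found = set()
    for a in ks.role_assignments.list(user=user_id):
        scope = a.scope
        if "OS-INHERIT:inherited_to" in scope:
            continue  # inherited assignments are left for a separate pass
        for kind in ("project", "domain"):
            if kind in scope:
                found.add(Assignment(a.role["id"], kind, scope[kind]["id"]))
    return found


def migrate_assignments(ks, src_domain_id, dst_domain_id, dry_run=True):
    """Give each user in dst_domain the assignments its namesake in src_domain has.

    Returns a report so a dry run can be reviewed before granting anything.
    """
    dst_by_name = {u.name: u for u in ks.users.list(domain=dst_domain_id)}
    report = {"copied": [], "already_present": [], "no_match": []}
    for src in ks.users.list(domain=src_domain_id):
        dst = dst_by_name.get(src.name)
        if dst is None:  # no LDAP account with this name: report it, don't guess
            report["no_match"].append(src.name)
            continue
        existing = direct_assignments(ks, dst.id)
        for asg in sorted(direct_assignments(ks, src.id)):
            if asg in existing:  # idempotent: re-running is harmless
                report["already_present"].append((src.name, asg))
                continue
            if not dry_run:
                ks.roles.grant(asg.role_id, user=dst.id, **{asg.scope_kind: asg.scope_id})
            report["copied"].append((src.name, asg))
    return report


class _Rec:
    """Minimal attribute bag mimicking keystoneclient resource objects."""
    def __init__(self, **fields):
        self.__dict__.update(fields)


class FakeKeystone:
    """Constructed in-memory stand-in for the keystoneclient v3 client."""
    def __init__(self, users, grants):
        self._users = [_Rec(**u) for u in users]
        self.grants = set(grants)  # (user_id, role_id, scope_kind, scope_id)
        fake = self

        class Users:
            def list(self, domain=None):
                return [u for u in fake._users if domain in (None, u.domain_id)]

        class RoleAssignments:
            def list(self, user=None):
                return [_Rec(user={"id": u}, role={"id": r}, scope={k: {"id": s}})
                        for (u, r, k, s) in sorted(fake.grants) if user in (None, u)]

        class Roles:
            def grant(self, role, user=None, project=None, domain=None):
                kind, scope = ("project", project) if project else ("domain", domain)
                fake.grants.add((user, role, kind, scope))

        self.users, self.role_assignments, self.roles = Users(), RoleAssignments(), Roles()


def sample_deployment():
    """Constructed data: an SQL 'default' domain and an LDAP domain sharing usernames."""
    users = [
        {"id": "u-alice-sql", "name": "alice", "domain_id": "d-default"},
        {"id": "u-bob-sql", "name": "bob", "domain_id": "d-default"},
        {"id": "u-alice-ldap", "name": "alice", "domain_id": "d-ldap"},
    ]
    grants = [
        ("u-alice-sql", "r-member", "project", "p-web"),
        ("u-alice-sql", "r-admin", "domain", "d-default"),
        ("u-bob-sql", "r-member", "project", "p-web"),
        ("u-alice-ldap", "r-member", "project", "p-web"),  # already granted in LDAP domain
    ]
    return FakeKeystone(users, grants)


def demo(dry_run=False):
    """Run the migration on the constructed data; returns (report, client)."""
    ks = sample_deployment()
    return migrate_assignments(ks, "d-default", "d-ldap", dry_run=dry_run), ks


if __name__ == "__main__":
    report, _ = demo(dry_run=True)
    for key, items in report.items():
        print(key, items)
```

Run it once with dry_run=True and read the `no_match` list before granting: every SQL user without an LDAP namesake is a role that would otherwise silently stay behind, and those are usually the service accounts that are meant to stay in SQL anyway.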
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators