[openstack-dev] Change in openstack/keystone[master]: Implement domain specific Identity backends

Henry Nash henryn at linux.vnet.ibm.com
Tue Aug 6 21:10:14 UTC 2013

Hi Mark,

Of particular interest are your views on the changes to keystone/common/config.py.  The requirement is that we need to be able to instantiate multiple conf objects (built from different sets of config files).  We tried two approaches to this:

https://review.openstack.org/#/c/39530/11 which attempts to keep the current keystone config helper apps (register_bool() etc.) by passing on the conf instance, and
https://review.openstack.org/#/c/39530/12 which removes these helper apps and just calls the methods on the conf itself (conf.register_opt())

Both functionally work, but interested in your views on both approaches.

On 6 Aug 2013, at 19:26, ayoung (Code Review) wrote:

> Hello Mark McLoughlin,
> I'd like you to do a code review.  Please visit
>   https://review.openstack.org/39530
> to review the following change.
> Change subject: Implement domain specific Identity backends
> ......................................................................
> Implement domain specific Identity backends
> A common scenario in shared clouds will be that a cloud provider will
> want to be able to offer larger customers the ability to interface to
> their chosen identity provider. In the base case, this might well be
> their own corporate LDAP/AD directory.  A cloud provider might also
> want smaller customers to have their identity managed solely
> within the OpenStack cloud, perhaps in a shared SQL database.
> This patch allows domain specific backends for identity objects
> (namely User and groups), which are specified by creation of a domain
> configuration file for each domain that requires its own backend.
> A side benefit of this change is that it clearly separates the
> backends into those that are domain-aware and those that are not,
> allowing, for example, the removal of domain validation from the
> LDAP identity backend.
> Implements bp multiple-ldap-servers
> Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
> ---
> M doc/source/configuration.rst
> M etc/keystone.conf.sample
> M keystone/auth/plugins/password.py
> M keystone/catalog/backends/templated.py
> M keystone/common/config.py
> M keystone/common/controller.py
> M keystone/common/ldap/fakeldap.py
> M keystone/common/utils.py
> M keystone/config.py
> M keystone/identity/backends/kvs.py
> M keystone/identity/backends/ldap.py
> M keystone/identity/backends/pam.py
> M keystone/identity/backends/sql.py
> M keystone/identity/controllers.py
> M keystone/identity/core.py
> M keystone/test.py
> M keystone/token/backends/memcache.py
> M keystone/token/core.py
> A tests/backend_multi_ldap_sql.conf
> A tests/keystone.Default.conf
> A tests/keystone.domain1.conf
> A tests/keystone.domain2.conf
> M tests/test_backend.py
> M tests/test_backend_ldap.py
> 24 files changed, 1,028 insertions(+), 372 deletions(-)
> git pull ssh://review.openstack.org:29418/openstack/keystone refs/changes/30/39530/12
> --
> To view, visit https://review.openstack.org/39530
> To unsubscribe, visit https://review.openstack.org/settings
> Gerrit-MessageType: newchange
> Gerrit-Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
> Gerrit-PatchSet: 12
> Gerrit-Project: openstack/keystone
> Gerrit-Branch: master
> Gerrit-Owner: henry-nash <henryn at linux.vnet.ibm.com>
> Gerrit-Reviewer: Brant Knudson <bknudson at us.ibm.com>
> Gerrit-Reviewer: Dolph Mathews <dolph.mathews at gmail.com>
> Gerrit-Reviewer: Jenkins
> Gerrit-Reviewer: Mark McLoughlin <markmc at redhat.com>
> Gerrit-Reviewer: Sahdev Zala <spzala at us.ibm.com>
> Gerrit-Reviewer: SmokeStack
> Gerrit-Reviewer: ayoung <ayoung at redhat.com>
> Gerrit-Reviewer: henry-nash <henryn at linux.vnet.ibm.com>
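
The requirement described in this message, separate conf objects built from different sets of config files, sketched as an added example (not code from the change under review or from keystone). It uses the standard library's configparser as a stand-in for keystone's conf objects; the function names, the filename pattern (modelled on the test files listed above), the fallback to the base config and the sample option values are assumptions.

```python
import configparser
import os
import re
import tempfile

# Assumed naming pattern, modelled on the test files listed in the change
# (keystone.Default.conf, keystone.domain1.conf).
DOMAIN_CONF = re.compile(r"^keystone\.(?P<domain>[A-Za-z0-9_-]+)\.conf$")


def load_domain_confs(conf_dir, base_file):
    """Return {domain_name: ConfigParser}, one independent object per domain.

    Each object is built from base_file plus that domain's own file, so an
    option set for one domain never becomes visible to another.
    """
    confs = {}
    for name in sorted(os.listdir(conf_dir)):
        match = DOMAIN_CONF.match(name)
        if not match:
            continue
        conf = configparser.ConfigParser()
        conf.read([base_file, os.path.join(conf_dir, name)])  # later file wins
        confs[match.group("domain")] = conf
    return confs


def identity_driver(confs, base_conf, domain):
    """Driver for a domain; domains without their own file use the base (assumed)."""
    return confs.get(domain, base_conf).get("identity", "driver")


def demo():
    """Write constructed sample files to a temp dir and resolve drivers."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "keystone.conf")
        with open(base, "w") as f:
            f.write("[identity]\ndriver = sql\n")
        with open(os.path.join(d, "keystone.domain1.conf"), "w") as f:
            f.write("[identity]\ndriver = ldap\n[ldap]\nurl = ldap://d1.example\n")
        base_conf = configparser.ConfigParser()
        base_conf.read(base)
        confs = load_domain_confs(d, base)
        return {
            "domain1": identity_driver(confs, base_conf, "domain1"),
            "domain2": identity_driver(confs, base_conf, "domain2"),
            "base_has_ldap": base_conf.has_section("ldap"),
        }
```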
