[openstack-dev] [keystone] design summit outcomes
d.w.chadwick at kent.ac.uk
Wed Nov 13 17:00:38 UTC 2013
I have one comment concerning Refactoring:
role assignment tables in SQL backend should be unified into a SQL table
which lacks referential integrity
I am not quite sure what this means, but I did suggest creating an
attribute definition table that would include the definitions of all
Keystone authz attributes such as role, domain, project as well as
identity attributes such as location, group, email address etc.
Definitions would include such things as: delegatable or not, for
keystone authz or not (see below). Once this table has been defined,
then all user role assignments can be collapsed into one table (no need
for separate role, domain tables etc) with the assigned attribute
pointing to the entry in the definition table.
Was this what your bullet point was referring to, or was it something
Here is a strawman proposal
Table name = Attribute
id: the unique primary key
Attribute name: (user friendly name e.g. role, domain, etc.)
Attribute Ref: (global id of attribute such as OID or URL, as used by
SAML and LDAP)
Type: (authz or identity)
Now when you assign a role, domain, location, email address or any other
attribute to a user a single assignment table can be used such as:
Table name: Attribute Assignment
id: the unique primary key of this assignment
UserID: id of user this attribute is assigned to
AttributeID: id of attribute from above table
Value: the value of the assigned attribute
you dont need to change the existing APIs and procedure calls, as they
can be re-written to access the new tables.
On 13/11/2013 16:04, Dolph Mathews wrote:
> I guarantee there's a few things I'm forgetting, but this is my
> collection of things we discussed at the summit and determined to be
> good things to pursue during the icehouse timeframe. The contents
> represent a high level mix of etherpad conclusions and hallway meetings.
> Corrections and amendments appreciated - thanks!
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
More information about the OpenStack-dev