[openstack-dev] [keystone] design summit outcomes

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 13 17:00:38 UTC 2013

Hi Dolph

I have one comment concerning Refactoring:
role assignment tables in SQL backend should be unified into a SQL table 
which lacks referential integrity

I am not quite sure what this means, but I did suggest creating an 
attribute definition table that would include the definitions of all 
Keystone authz attributes such as role, domain, project as well as 
identity attributes such as location, group, email address etc. 
Definitions would include such things as: delegatable or not, for 
keystone authz or not (see below). Once this table has been defined, 
then all user role assignments can be collapsed into one table (no need 
for separate role, domain tables etc) with the assigned attribute 
pointing to the entry in the definition table.

Was this what your bullet point was referring to, or was it something 

Here is a strawman proposal

Table name = Attribute
id: the unique primary key
Attribute name: (user friendly name e.g. role, domain, etc.)
Attribute Ref: (global id of attribute such as OID or URL, as used by 
Type: (authz or identity)
Delegatable: [Yes|No]
Values: [string|integer|Boolean]

Now when you assign a role, domain, location, email address or any other 
attribute to a user a single assignment table can be used such as:

Table name: Attribute Assignment
id: the unique primary key of this assignment
UserID: id of user this attribute is assigned to
AttributeID: id of attribute from above table
Value: the value of the assigned attribute

you dont need to change the existing APIs and procedure calls, as they 
can be re-written to access the new tables.



On 13/11/2013 16:04, Dolph Mathews wrote:
> I guarantee there's a few things I'm forgetting, but this is my
> collection of things we discussed at the summit and determined to be
> good things to pursue during the icehouse timeframe. The contents
> represent a high level mix of etherpad conclusions and hallway meetings.
> https://gist.github.com/dolph/7366031
> Corrections and amendments appreciated - thanks!
> -Dolph
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list