[openstack-dev] Multidomain User Ids

Adam Young ayoung at redhat.com
Mon Nov 25 03:39:21 UTC 2013

The #1 pain point I hear from people in the field is that they need to 
consume read only  LDAP but have service users in something Keystone 
specific.  We are close to having this, but we have not closed the 
loop.  This was something that was Henry's to drive home to completion.  
Do we have a plan?  Federation depends on this, I think, but this 
problem stands alone.

Two Solutions:
1 always require domain ID along with the user id for role assignments.
2 provide some way to parse from the user ID what domain it is.

I was thinking that we could do something along the lines of 2 where we 
provide  "domain specific user_id prefix"  for example, if there is just 
one ldpa service, and they wanted to prefix anyting out of ldap with 
"ldap@", then an id would be  "prefix"  "field from LDAP".  And would be 
configured on a per domain basis.  THis would be optional.

The weakness is that itbe Log N to determine which Domain a user_id came 
from.  A better approach would be to use a divider, like '@' and then 
prefix would be the key for a hashtable lookup.  Since it is optional, 
domains could still be stored in SQL and user_ids could be uuids.

One problem is if someone comes by later an "must" use email address as 
the userid, the @ would mess them up.  So The default divider should be 
something URL safe but no likely to be part of a userid. I realize that 
it might be impossible to match this criterion.

Actually, there might be other reasons to forbid @ signs from IDs, as 
they look like phishing attempts in URLs.

More information about the OpenStack-dev mailing list