[openstack-dev] Request for Input on multi-domain identifiers.

Adam Young ayoung at redhat.com
Wed Apr 16 02:39:08 UTC 2014

As we get closer to the summit, I'd like to make sure we have resolution 
on one of the most critical issues in Keystone.  How to deal with users 
coming out of multiple data sources.

The issue is that a userid out of one domain must fill two requirements:

1. one userid cannot conflict with a userid from any other domain
2. we must be able to map from the userid back to the domain backend 
that issued it.

We are trying to avoid an approach where we shadow the LDAP or Federated 
identity provider data in a SQL backend specific to Keystone.  That kind 
of data duplication has a host of problems we would rather not have to 
address.  Instead, we need to come up with a way to layer on the User ID 
scheme on top of the data from LDAP.

I suspect the scheme is going to end up being something like:

user the same field for username an userid.

The actual userid value will be composed of two parts.  One will be the 
username from LDAP, the other will be assigned by Keystone based on the 
domain id.  The last instalment we had a suggestion that looked like:


The @@ is to make sure we don;t trip over some place that decided to use 
email address, but still gives a separator character that is URL safe.

There is some concern with the length of the field.  Most of the 
services have userid as 64chars long, and we are pushing to syncronize 
all the projects on that length.  UUIDs ar 32 chars long, and Nova was 
the last to assume that as userid was a UUID.  Still, we can't go beyond 
the 64 char limit without some pain.

One question is whether we are stuck with requirement 2.  For example, 
if we said that a user login was always done with:  domain name and 
username, we would never have to look up a user by pure userid.

If we can loosen up on the "map userid back to domain" requirement, we 
can  get away with something more like  sha256("%s%S" %(username, 
domain_name))  for the userid.  This has the benefit of looking just 
like a UUID and fitting into the same size filed in the databases.

Resolving this issue is key to both Multiple LDAP and Federation.

More information about the OpenStack-dev mailing list