[openstack-dev] [tc][ptl][keystone] Proposal to split authentication part out of Keystone to separated project

Steve Martinelli stevemar at ca.ibm.com
Wed Apr 6 21:16:43 UTC 2016

This has been our hidden agenda for many releases (minus the project
split). There are other projects that you mention that are much better at
handling authentication, many enterprises already have these place as well.
We have been trying to get out of the identity management (and
consequently, the authentication) space for a while. That's why we have
been focusing on federated identity and removing write operations to LDAP.

Enter the admin, service users, and sql backed users. Many existing
deployments store users in an SQL based backend. We pushed back on adding
features for this use case for a while, but there are enough folks out
there that want to do this, which is why we approving a spec to enforce
password lifecycle in the N release. So the new project/repo would have to
handle this case as well.

Architecturally, I can see why you would want to split things up, it is a
logical break. But I also see a few arguments against a split: 1) we
already support Kerberos and OpenLDAP (and other auth services); 2) I don't
think we have a trouble with scope / not enough contribution; and 3)
inertia, adopting new services takes a long time (see v2 to v3 transition),
and this would add to that pile.


Steve Martinelli
OpenStack Keystone Project Team Lead

From:	Boris Pavlovic <bpavlovic at mirantis.com>
To:	OpenStack Development Mailing List
            <openstack-dev at lists.openstack.org>
Date:	2016/04/06 03:27 PM
Subject:	[openstack-dev] [tc][ptl][keystone] Proposal to split
            authentication part out of Keystone to separated project

Hi stackers,

I would like to suggest very simple idea of splitting out of Keystone
part in the separated project.

Such change has 2 positive outcomes:
1) It will be quite simple to create scalable service with high performance
for authentication based on very mature projects like: Kerberos[1] and

2) This will reduce scope of Keystone, which means 2 things
2.1) Smaller code base that has less issues and is simpler for testing
2.2) Keystone team would be able to concentrate more on fixing
perf/scalability issues of authorization, which is crucial at the moment
for large clouds.


[1] http://web.mit.edu/kerberos/
[2] http://ldapcon.org/2011/downloads/hummel-slides.pdf

Best regards,
Boris Pavlovic
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160406/b73cdc01/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160406/b73cdc01/attachment.gif>

More information about the OpenStack-dev mailing list