[openstack-dev] [keystone] Custom ProjectID upon creation

Andrey Grebennikov agrebennikov at mirantis.com
Tue Dec 6 15:18:05 UTC 2016

>> I'm surprised any AD administrator let Keystone write to it. I've always
>> hear the inverse that AD admins never would allow keystone to write to it,
>> therefore it was never used for Projects or Assignments. Users were
>> likewise read-only when AD was involved.
>> I have seen normal LDAP setups work with Keystone and used in both
>> read/write mode (but even still the write-allowed was the extreme minority).
> Yes agreed. AD administrators are generally pretty protective of write
> access. And especially so of some Linux-based open source project writing
> into their Windows kingdom. We got over our lack of being able to store
> assignment in LDAP, mainly because the blocker was not Keystone, it was
> corporate policy.
> Neither the admins allow to write to the AD (even though it is not quite
true and there were at least 2 projects where writing to AD was allowed
(specific groups) and they were Very big customers) nor I mentioned that.
What was happening all the time is read-only AD with project and
assignments Stored in the AD. Which means whenever you need the project and
the user has to have access to it - the admin creates the group in AD and
adds users to the according groups. It looked not Very transparent (because
the roles were stored in the separate group and the assignments were not
very clear), but admins could live with that.

As for everything else that's been discussed, I think database replication
> is easier, and when you're not replicating tokens, there's just not that
> much traffic across the WAN. It's been very stable for us, especially since
> we started using Fernet tokens.
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Andrey Grebennikov
Principal Deployment Engineer
Mirantis Inc, Austin TX
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20161206/b25b1483/attachment.html>

More information about the OpenStack-dev mailing list