<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/23/2013 12:15 PM, Alexius Ludeman
wrote:<br>
</div>
<blockquote
cite="mid:CAD_-DunymiPXcGLCWJ0KD+q4hLC-nHL3tR2L_5LjwAhJT7t-2w@mail.gmail.com"
type="cite">
<div dir="ltr">hi Adam,
<div><br>
</div>
<div>Can you explain why RoleApi() and ProjectApi() are
duplicated in assignment/backends/ldap.py and
identity/backends/ldap.py?</div>
<div><br>
</div>
      <div>It would seem duplicating the same class in two files
        should be refactored into a new shared file.</div>
</div>
</blockquote>
<br>
    That is the "backwards compatibility" I was referring to earlier. 
Roles and Projects are now owned by the assignment API, but have
been accessed via the Identity backend up until now. Thus, the
Identity implementation should be nothing but a shim to call the
assignment implementation. <br>
<br>
<blockquote
cite="mid:CAD_-DunymiPXcGLCWJ0KD+q4hLC-nHL3tR2L_5LjwAhJT7t-2w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>thanks</div>
<div>lex</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jul 23, 2013 at 7:21 AM, Adam
          Young <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>&gt;</span>
          wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 07/22/2013 09:49 PM, Miller, Mark M (EB SW Cloud
- R&D - Corvallis) wrote:<br>
</div>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Adam,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Sorry
for the questions, but even though I have been
programming for nearly 30 years I am new to Python
and I find the code base somewhat difficult to
follow. I have noticed that the file </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">keystone.identity.backends.ldap.Identity
has a set of methods and file
keystone.assignment.backends.sql.Assignment has a
set of methods. My question is this: is there a
way to specify which methods to use the
ldap.Identity backend with and which methods to
                    use the sql.Assignment backend with or does each
backend only support all of the methods provided
by each file? In working with an enterprise LDAP
server, there is no way we will be able to create
users or to write to it. If there is a way to pick
and choose which methods access the LDAP server
and which ones access the SQL keystone database,
then I have what we need.</span></p>
</div>
</blockquote>
<br>
Here's the general gist:<br>
<br>
We split off the Assignment functions from Identity in
order to be able to vary the two backends
            independently.  The expectation is that people will use
            the LDAP backend for Identity and the SQL backend for
Assignments. LDAP will be read only, and Assignments will
be read-write. That being said, there are cases where
people will have writable LDAP, or will use the SQL
Identity backend, so there are functions which can change
the state of the Identity backend, and those are not going
to go away.<br>
<br>
The general code set up is as follows:<br>
<br>
Routers describe the mappings from URLs to Python Code.<br>
            Controllers are stateless objects.  In theory they should
be protocol agnostic, but in practice they are aware that
they are being used with HTTP.<br>
Managers and Drivers implement the Data layer. The
managers start as simple accessors, but over time they get
more and more logic. We don't have a clear place for
Business logic. Since the Backends are radically
different, a lot of the logic has gotten duplicated
            between LDAP, SQL, Memcached, and others.  We are working
to minimize this. The general approach is that code that
should not be duplicated gets "pulled up" to the manager.
This kind of refactoring is constant and ongoing.<br>
<br>
            When I split out the Assignment backend, I tried to do it
            in a way that did not modify the unit tests, so that other
            reviewers would have the assurance that the changes were
just restructuring, not fundamentally changing
functionality. Thus, we had a shim layer in the Identity
Layer that called through to the assignment layer. This
has the added benefit of maintaining API compatibility for
anyone who has customized code. However, I've found a lot
of our tests were talking to the driver, not talking
through the manager, and thus I had to clean up a bunch of
the tests to go through the manager as well. <br>
<br>
As an end user, you should specify that the Identity
backend is LDAP and the Assignment backend is SQL.
            Assuming your LDAP backend is not writable, any call to the
Identity layer that attempts to morph the state of the
Directory store will fail. However, what you should be
doing is using the user groups from LDAP as a way to
manage users, and place those groups into Role
Assignments. Roles, Role Assignments, and Projects all
live in the Identity (SQL) backend, and all of those
should be writeable regardless of LDAP state. <br>
<br>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Mark</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #b5c4df
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Adam Young [<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">mailto:ayoung@redhat.com</a>]
<br>
<b>Sent:</b> Monday, July 22, 2013 4:52 PM</span></p>
<div>
<div class="h5"><br>
<b>To:</b> Miller, Mark M (EB SW Cloud -
R&D - Corvallis)<br>
<b>Cc:</b> Dolph Mathews; OpenStack
Development Mailing List<br>
<b>Subject:</b> Re: [keystone] Split the
Identity Backend blueprint</div>
</div>
</div>
</div>
<div>
<div class="h5">
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On 07/22/2013 07:43 PM,
Miller, Mark M (EB SW Cloud - R&D -
Corvallis) wrote:</p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Adam,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You
wrote:</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[identity]</span>
</p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> driver
= keystone.identity.backends.ldap.Identity</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[assignment]</span>
</p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">driver
= keystone.assignment.backends.sql.<span
style="background:yellow">Identity</span></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Did
you mean to write: </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[assignment]</span>
</p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">driver
= keystone.assignment.backends.sql.<span
style="background:yellow">Assignment</span></span></p>
</blockquote>
<p class="MsoNormal">Yes, that was a mistake on my
part. Sorry<br>
<br>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Mark</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #b5c4df
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Adam Young [<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com"
target="_blank">mailto:ayoung@redhat.com</a>]
<br>
<b>Sent:</b> Monday, July 22, 2013 12:50
PM<br>
<b>To:</b> Miller, Mark M (EB SW Cloud -
R&D - Corvallis)<br>
<b>Cc:</b> Dolph Mathews; OpenStack
Development Mailing List<br>
<b>Subject:</b> Re: [keystone] Split the
Identity Backend blueprint</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On 07/22/2013 01:38 PM,
Miller, Mark M (EB SW Cloud - R&D -
Corvallis) wrote:</p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hello,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
have been reading source code in an attempt
to figure out how to use the new split
backend feature, specifically how to split
the identity data between an ldap server and
the standard Keystone sql database. However,
I haven’t been able to figure it out quite
yet. Does someone have some examples of this
new feature in action? Is there another
configuration file that is required?</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
[identity]</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
driver = driver =
keystone.identity.backends.sql.Identity</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
[assignment]</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
driver = ???</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
[ldap]</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
Quite a few options</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Mark
Miller</span></p>
</blockquote>
<p class="MsoNormal"><br>
                    Right now the only supported split approach is
LDAP for Identity, SQL for assignments.<br>
<br>
<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[identity]</span>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> driver
= keystone.identity.backends.ldap.Identity</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">[assignment]</span>
</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">driver
= keystone.assignment.backends.sql.Identity</span></p>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
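<p>An added example, not part of the original thread and not Keystone's own code: a small Python check for the two driver lines discussed above, flagging the sql.Identity mix-up under [assignment] and a malformed driver value. The function name and the sample config strings are constructed for illustration; the driver paths are the ones quoted in the thread.</p>

```python
import configparser

# Driver paths quoted in the thread.
LDAP_IDENTITY = "keystone.identity.backends.ldap.Identity"
SQL_ASSIGNMENT = "keystone.assignment.backends.sql.Assignment"

# Expected module prefix and class name for each section's driver.
EXPECTED = {
    "identity": ("keystone.identity.backends.", "Identity"),
    "assignment": ("keystone.assignment.backends.", "Assignment"),
}

# Constructed sample configs mirroring the driver lines in the thread.
SAMPLE_FIXED = "[identity]\ndriver = %s\n\n[assignment]\ndriver = %s\n" % (
    LDAP_IDENTITY, SQL_ASSIGNMENT)
SAMPLE_TYPO = ("[identity]\ndriver = %s\n\n[assignment]\n"
               "driver = keystone.assignment.backends.sql.Identity\n" % LDAP_IDENTITY)
SAMPLE_DUP = ("[identity]\ndriver = driver = keystone.identity.backends.sql.Identity\n"
              "\n[assignment]\ndriver = ???\n")


def check_split_backend(conf_text):
    """Return a list of findings for the [identity] and [assignment] drivers."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings, valid = [], {}
    for section, (prefix, cls) in EXPECTED.items():
        value = parser.get(section, "driver", fallback=None)
        if value is None:
            findings.append(f"[{section}] driver is not set")
            continue
        value = value.strip()
        if "=" in value or " " in value:
            findings.append(f"[{section}] driver is malformed: {value!r}")
        elif not value.startswith(prefix):
            findings.append(f"[{section}] driver is not under {prefix}")
        elif value.rsplit(".", 1)[1] != cls:
            findings.append(f"[{section}] driver class should be {cls}: {value}")
        else:
            valid[section] = value
    # Per the thread, the only supported split is LDAP identity + SQL assignment.
    assign = valid.get("assignment")
    if valid.get("identity") == LDAP_IDENTITY and assign not in (None, SQL_ASSIGNMENT):
        findings.append("LDAP identity is only supported with the SQL assignment driver")
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_FIXED", "SAMPLE_TYPO", "SAMPLE_DUP"):
        print(name, check_split_backend(globals()[name]))
```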
</body>
</html>