<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 07/22/2013 09:49 PM, Miller, Mark M
      (EB SW Cloud - R&D - Corvallis) wrote:<br>
    </div>
    <blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B35B43F@G9W0343.americas.hpqcorp.net"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Adam,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry
            for the questions, but even though I have been programming
            for nearly 30 years I am new to Python and I find the code
            base somewhat difficult to follow. I have noticed that the
            file </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">keystone.identity.backends.ldap.Identity
            has a set of methods and file
            keystone.assignment.backends.sql.Assignment has a set of
            methods. My question is this: is there a way to specify
            which methods to use the ldap.Identity backend with and
            which methods to use the sql.Assignment backend with or
            does each backend only support all of the methods provided
            by each file? In working with an enterprise LDAP server,
            there is no way we will be able to create users or to write
            to it. If there is a way to pick and choose which methods
            access the LDAP server and which ones access the SQL
            keystone database, then I have what we need.</span></p>
      </div>
    </blockquote>
    <br>
    Here's the general gist:<br>
    <br>
    We split off the Assignment functions from Identity in order to be
    able to vary the two backends independently.  The expectation is
    that people will use the LDAP backend for Identity and the SQL
    backend for Assignments. LDAP will be read only, and Assignments
    will be read-write.  That being said, there are cases where people
    will have writable LDAP, or will use the SQL Identity backend, so
    there are functions which can change the state of the Identity
    backend, and those are not going to go away.<br>
    <br>
    The general code set up is as follows:<br>
    <br>
    Routers describe the mappings from URLs to Python Code.<br>
    Controllers are stateless objects.  In theory they should be
    protocol agnostic, but in practice they are aware that they are
    being used with HTTP.<br>
    Managers and Drivers implement the Data layer.  The managers start
    as simple accessors, but over time they get more and more logic.  
    We don't have a clear place for Business logic.  Since the Backends
    are radically different, a lot of the logic has gotten duplicated
    between LDAP, SQL, Memcached, and others.  We are working to
    minimize this.  The general approach is that code that should not be
    duplicated gets "pulled up" to the manager.  This kind of
    refactoring is constant and ongoing.<br>
    <br>
    When I split out the Assignment backend, I tried to do it in a way
    that did not modify the unit tests, so that other reviewers would
    have the assurance that the changes were just restructuring, not
    fundamentally changing functionality.  Thus, we had a shim layer in
    the Identity Layer that called through to the assignment layer. 
    This has the added benefit of maintaining API compatibility for
    anyone who has customized code.  However, I've found a lot of our
    tests were talking to the driver, not talking through the manager,
    and thus I had to clean up a bunch of the tests to go through the
    manager as well. <br>
    <br>
    As an end user, you should specify that the Identity backend is LDAP
    and the Assignment backend is SQL.  Assuming your LDAP backend is not
    writable, any call to the Identity layer that attempts to morph the
    state of the Directory store will fail.  However, what you should be
    doing is using the user groups from LDAP as a way to manage users,
    and place those groups into Role Assignments.  Roles, Role
    Assignments, and Projects all live in the Identity (SQL) backend,
    and all of those should be writeable regardless of LDAP state.  <br>
    <br>
    <blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B35B43F@G9W0343.americas.hpqcorp.net"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Adam Young [<a class="moz-txt-link-freetext" href="mailto:ayoung@redhat.com">mailto:ayoung@redhat.com</a>]
                <br>
                <b>Sent:</b> Monday, July 22, 2013 4:52 PM<br>
                <b>To:</b> Miller, Mark M (EB SW Cloud - R&D -
                Corvallis)<br>
                <b>Cc:</b> Dolph Mathews; OpenStack Development Mailing
                List<br>
                <b>Subject:</b> Re: [keystone] Split the Identity
                Backend blueprint<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">On 07/22/2013 07:43 PM, Miller, Mark M
            (EB SW Cloud - R&D - Corvallis) wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Adam,</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You
              wrote:</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[identity]</span>
            <o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> driver
              = keystone.identity.backends.ldap.Identity</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[assignment]</span>
            <o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">driver
              = keystone.assignment.backends.sql.<span
                style="background:yellow;mso-highlight:yellow">Identity</span></span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Did
              you mean to write:
            </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[assignment]</span>
            <o:p></o:p></p>
          <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">driver
              = keystone.assignment.backends.sql.<span
                style="background:yellow;mso-highlight:yellow">Assignment</span></span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal">Yes, that was a mistake on my part.  Sorry<br>
          <br>
          <o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark</span><o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Adam Young [<a moz-do-not-send="true"
                  href="mailto:ayoung@redhat.com">mailto:ayoung@redhat.com</a>]
                <br>
                <b>Sent:</b> Monday, July 22, 2013 12:50 PM<br>
                <b>To:</b> Miller, Mark M (EB SW Cloud - R&D -
                Corvallis)<br>
                <b>Cc:</b> Dolph Mathews; OpenStack Development Mailing
                List<br>
                <b>Subject:</b> Re: [keystone] Split the Identity
                Backend blueprint</span><o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"> <o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 07/22/2013 01:38 PM, Miller, Mark M
            (EB SW Cloud - R&D - Corvallis) wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
              have been reading source code in an attempt to figure out
              how to use the new split backend feature, specifically how
              to split the identity data between an ldap server and the
              standard Keystone sql database. However, I haven’t been
              able to figure it out quite yet. Does someone have some
              examples of this new feature in action? Is there another
              configuration file that is required?</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              [identity]</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              driver = keystone.identity.backends.sql.Identity</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              [assignment]</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              driver = ???</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              [ldap]</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">               
              Quite a few options</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regards,</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark
              Miller</span><o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"><br>
          Right now the only supported split approach is LDAP for
          Identity, SQL for assignments.<br>
          <br>
          <span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[identity]</span>
          <o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> driver
            = keystone.identity.backends.ldap.Identity</span><o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[assignment]</span>
          <o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">driver
            = keystone.assignment.backends.sql.Identity</span><o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
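    Added example, not part of the original messages and not Keystone's own code: a small check for the driver settings discussed in this thread. It catches the <code>sql.Identity</code> class name under <code>[assignment]</code> and any split other than LDAP for Identity with SQL for Assignment. The function name, the sample configs and the rule that the class name matches the section name are assumptions drawn from the driver paths quoted above.<br>
    <br>

```python
import configparser

# Subsystem -> class name, as the driver paths quoted in this thread pair them
# (assumption: the pattern keystone.<section>.backends.<backend>.<Class> holds).
SUBSYSTEM_CLASS = {"identity": "Identity", "assignment": "Assignment"}

# Constructed sample: the settings as first posted in the thread.
AS_FIRST_POSTED = """\
[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Identity
"""

# Constructed sample: the same settings with the corrected class name.
CORRECTED = AS_FIRST_POSTED.replace("sql.Identity", "sql.Assignment")


def check_split_backend(conf_text):
    """Return (backends, problems) for the [identity] and [assignment] drivers."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    backends, problems = {}, []
    for section, cls in SUBSYSTEM_CLASS.items():
        driver = parser.get(section, "driver", fallback=None)
        if driver is None:
            problems.append(f"[{section}] has no driver option")
            continue
        parts = driver.strip().split(".")
        # Expected shape: keystone.<section>.backends.<backend>.<Class>
        if len(parts) != 5 or parts[0] != "keystone" or parts[2] != "backends":
            problems.append(f"[{section}] driver {driver!r} is not a keystone backend path")
            continue
        if parts[1] != section:
            problems.append(f"[{section}] driver comes from package {parts[1]!r}")
        if parts[4] != cls:
            problems.append(f"[{section}] driver class is {parts[4]!r}, expected {cls!r}")
        backends[section] = parts[3]
    # The thread states the only supported split is LDAP identity + SQL assignment.
    if len(backends) == 2 and backends["identity"] != backends["assignment"]:
        if (backends["identity"], backends["assignment"]) != ("ldap", "sql"):
            problems.append("unsupported split: only LDAP identity with SQL assignment")
    return backends, problems


if __name__ == "__main__":
    for name, text in (("as first posted", AS_FIRST_POSTED), ("corrected", CORRECTED)):
        print(name, check_split_backend(text))
```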
  </body>
</html>