<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 7, 2014 at 3:29 AM, Jamie Lennox <span dir="ltr"><<a href="mailto:jamielennox@redhat.com" target="_blank">jamielennox@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
<br>
----- Original Message -----<br>
> From: "Noorul Islam K M" <<a href="mailto:noorul@noorul.com">noorul@noorul.com</a>><br>
</div><div class="">> To: "Jamie Lennox" <<a href="mailto:jamielennox@redhat.com">jamielennox@redhat.com</a>><br>
> Cc: "OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
</div><div><div class="h5">> Sent: Friday, 7 February, 2014 7:13:20 PM<br>
> Subject: Re: [openstack-dev] [keystone] Integrating with 3rd party DB<br>
><br>
> Jamie Lennox <<a href="mailto:jamielennox@redhat.com">jamielennox@redhat.com</a>> writes:<br>
><br>
> > ----- Original Message -----<br>
> >> From: "Noorul Islam K M" <<a href="mailto:noorul@noorul.com">noorul@noorul.com</a>><br>
> >> To: "Dolph Mathews" <<a href="mailto:dolph.mathews@gmail.com">dolph.mathews@gmail.com</a>><br>
> >> Cc: "OpenStack Development Mailing List (not for usage questions)"<br>
> >> <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
> >> Sent: Friday, 7 February, 2014 2:00:34 PM<br>
> >> Subject: Re: [openstack-dev] [keystone] Integrating with 3rd party DB<br>
> >><br>
> >> Dolph Mathews <<a href="mailto:dolph.mathews@gmail.com">dolph.mathews@gmail.com</a>> writes:<br>
> >><br>
> >> > On Thu, Feb 6, 2014 at 6:38 AM, Noorul Islam Kamal Malmiyoda <<br>
> >> > <a href="mailto:noorul@noorul.com">noorul@noorul.com</a>> wrote:<br>
> >> ><br>
> >> >> Hello stackers,<br>
> >> >><br>
> >> >> We have a database with tables users, projects, roles, etc. Is there<br>
> >> >> any reference implementation or best practices to make keystone use<br>
> >> >> this DB instead of its own?<br>
> >> >><br>
> >> ><br>
> >> > What's the problem you're having? Does the schema in this database<br>
> >> > differ<br>
> >> > from what keystone expects? What have you tried so far?<br>
> >> ><br>
> >><br>
> >> I am trying to figure out the best way of integrating keystone with a 3rd<br>
> >> party database. I have been reading, but I would like to get an expert<br>
> >> opinion on which is the best way of doing it.<br>
> >><br>
> >> Regards,<br>
> >> Noorul<br>
> ><br>
> > How obscure is this database? If it can integrate with SQLAlchemy then it's<br>
> > going to be relatively trivial and BY FAR the best approach.<br>
> ><br>
><br>
> That database is accessible only using APIs. We have APIs to<br>
> authenticate users against this DB, read projects to which the user has<br>
> access, and roles to which the user belongs.<br>
><br>
> > If that's not going to work then your only other option is to implement the<br>
> > database as its own backend for each of the managers. If you look through<br>
> > the folders in keystone (identity, credentials etc) you'll see a Driver<br>
> > class<br>
> > for most of them that you will have to implement for your database. There<br>
> > are examples of the sqlalchemy (and some LDAP) backends there that you can<br>
> > work from.<br>
> ><br>
><br>
> I will look at LDAP back-end code.<br>
><br>
> > I'd try to avoid the second case if you can avoid it. We've gotten better<br>
> > at<br>
> > keeping the driver interface stable but you're going to have a constant<br>
> > battle keeping interfaces and functionality up to date with the keystone<br>
> > code.<br>
> ><br>
><br>
> So, if I understand correctly, in any case we need to modify keystone<br>
> code.<br>
<br>
</div></div>No, you can write the driver and then load it from outside of keystone via<br>
the config file. However, you will need to closely look at the Driver calls<br>
within keystone; I'm pretty sure that these aren't documented anywhere.<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>++ It sounds like the data at least loosely follows keystone's existing schema... you could adjust for any differences using SQL views to present the schema that keystone expects.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
> Thank you for the explanation.<br>
><br>
> Regards,<br>
> Noorul<br>
><br>
> >><br>
> >> ><br>
> >> >><br>
> >> >> I have been reading<br>
> >> >> <a href="https://wiki.openstack.org/wiki/Keystone/Federation/Blueprint" target="_blank">https://wiki.openstack.org/wiki/Keystone/Federation/Blueprint</a> but I<br>
> >> >> could not find an open reference implementation for the same.<br>
> >> >><br>
> >> >> Regards,<br>
> >> >> Noorul<br>
> >> >><br>
> >> >> _______________________________________________<br>
> >> >> OpenStack-dev mailing list<br>
> >> >> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> >> >> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> >> >><br>
> >><br>
> >><br>
> ><br>
><br>
<br>
</div></div></blockquote></div><br></div></div>
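The SQL-view approach suggested in the reply above, as an added example that is not part of the original thread or of keystone's code. SQLite stands in for the real database, the legacy tables (accounts, teams) are constructed, and the keystone-side column names (id, name, password, enabled, domain_id) are assumptions to check against the deployed release.

```python
import sqlite3

# Constructed third-party schema; none of these names come from the thread.
LEGACY = """
CREATE TABLE accounts (uid TEXT PRIMARY KEY, login TEXT, pw_hash TEXT, status TEXT);
CREATE TABLE teams (tid TEXT PRIMARY KEY, title TEXT, active INTEGER);
INSERT INTO accounts VALUES ('u1', 'alice', 'hash-placeholder-1', 'ACTIVE'),
                            ('u2', 'bob',   'hash-placeholder-2', 'SUSPENDED');
INSERT INTO teams VALUES ('t1', 'billing', 1), ('t2', 'archive', 0);
"""

# Views that present the legacy rows under the (assumed) names keystone queries.
# A suspended legacy account is mapped to enabled = 0 rather than dropped.
VIEWS = """
CREATE VIEW "user" AS
  SELECT uid AS id, login AS name, pw_hash AS password,
         CASE status WHEN 'ACTIVE' THEN 1 ELSE 0 END AS enabled,
         'default' AS domain_id
  FROM accounts;
CREATE VIEW project AS
  SELECT tid AS id, title AS name, active AS enabled, 'default' AS domain_id
  FROM teams;
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(LEGACY + VIEWS)
    return conn

def get_user_by_name(conn, name, domain_id="default"):
    """Read path: look a user up through the view, as an identity backend would."""
    row = conn.execute(
        'SELECT id, name, enabled FROM "user" WHERE name = ? AND domain_id = ?',
        (name, domain_id)).fetchone()
    return dict(row) if row else None

def try_create_user(conn, user_id, name):
    """Write path: return the database error text, or None if the insert worked."""
    try:
        conn.execute('INSERT INTO "user" (id, name, enabled, domain_id) '
                     'VALUES (?, ?, 1, ?)', (user_id, name, "default"))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

if __name__ == "__main__":
    db = build_db()
    print(get_user_by_name(db, "alice"), get_user_by_name(db, "bob"))
    print(try_create_user(db, "u3", "carol"))
```

A plain view is read-only, so any call that creates or updates users through it fails, and the mapped password column is only useful if the stored hash format is one keystone can verify.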