<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 26, 2014 at 4:23 AM, Marco Fargetta <span dir="ltr"><<a href="mailto:Marco.Fargetta@ct.infn.it" target="_blank">Marco.Fargetta@ct.infn.it</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Morgan,<br>
<div class=""><br>
On Tue, Feb 25, 2014 at 11:47:43AM -0800, Morgan Fainberg wrote:<br>
</div><div class="">> For purposes of supporting multiple backends for Identity (multiple LDAP, mix<br>
> of LDAP and SQL, federation, etc) Keystone is planning to increase the maximum<br>
> size of the USER_ID field from an upper limit of 64 to an upper limit of 255.<br>
> This change would not impact any currently assigned USER_IDs (they would remain<br>
> in the old simple UUID format), however, new USER_IDs would be increased to<br>
> include the IDP identifier (e.g. USER_ID@@IDP_IDENTIFIER).<br>
><br>
<br>
</div>in this case if a user would access with different systems (e.g. SAML with<br>
portal, LDAP with CLI) it is mapped to two different identities inside keystone.<br>
Is this correct? If so, is there any way to map an individual person with two</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
identities sharing resources?<br></blockquote><div><br></div><div>That's correct - they'd result in different identities and keystone has no means of presuming they are the same "person." But I think you answered it yourself, in that they would effectively be sharing resources with themselves, so you'd just have to ensure they had the same authorization on the same projects using both identities.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Cheers,<br>
Marco<br>
<div class="im"><br>
<br>
> There is the obvious concern that projects are utilizing (and storing) the<br>
> user_id in a field that cannot accommodate the increased upper limit. Before<br>
> this change is merged in, it is important for the Keystone team to understand<br>
> if there are any places that would be overflowed by the increased size.<br>
><br>
> The review that would implement this change in size is https://<br>
> <a href="http://review.openstack.org/#/c/74214" target="_blank">review.openstack.org/#/c/74214</a> and is actively being worked on/reviewed.<br>
><br>
> I have already spoken with the Nova team, and a single instance has been<br>
> identified that would require a migration (that will have a fix proposed for<br>
> the I3 timeline).<br>
><br>
> If there are any other known locations that would have issues with an increased<br>
> USER_ID size, or any concerns with this change to USER_ID format, please<br>
> respond so that the issues/concerns can be addressed. Again, the plan is not<br>
> to change current USER_IDs but that new ones could be up to 255 characters in<br>
> length.<br>
><br>
> Cheers,<br>
> Morgan Fainberg<br>
><br>
> —<br>
> Morgan Fainberg<br>
> Principal Software Engineer<br>
> Core Developer, Keystone<br>
> <a href="mailto:m@metacloud.com">m@metacloud.com</a><br>
><br>
<br>
</div><div class=""><div class="h5">> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
</div></div><span class=""><font color="#888888">--<br>
====================================================<br>
Eng. Marco Fargetta, PhD<br>
<br>
Istituto Nazionale di Fisica Nucleare (INFN)<br>
Catania, Italy<br>
<br>
EMail: <a href="mailto:Marco.Fargetta@ct.infn.it">Marco.Fargetta@ct.infn.it</a><br>
====================================================<br>
<br>
</font></span><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>