<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/11/2014 03:14 PM, Fischer, Matt
wrote:<br>
</div>
<blockquote cite="mid:CF1FB66D.1B2F%25matt.fischer@twcable.com"
type="cite">
<div>Sorry to follow-up my own question, but for anyone else who
has backed Keystone with LDAP, did you store the service
accounts (nova, glance, etc) in LDAP as well?</div>
</blockquote>
Yes, I do.<br>
<blockquote cite="mid:CF1FB66D.1B2F%25matt.fischer@twcable.com"
type="cite">
<div> If so, how did you handle password management (the
plaintext passwords in the config files)?</div>
</blockquote>
Same as with SQL-based accounts: I put the password in clear text in the
config files.<br>
I use Salt to manage my config files, if that is what you are asking.<br>
<br>
<blockquote cite="mid:CF1FB66D.1B2F%25matt.fischer@twcable.com"
type="cite">
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span
style="font-weight:bold">From: </span> <Fischer>,
Matt <<a moz-do-not-send="true"
href="mailto:matthew.fischer@twcable.com">matthew.fischer@twcable.com</a>><br>
<span style="font-weight:bold">Date: </span> Tuesday,
February 11, 2014 9:45 AM<br>
<span style="font-weight:bold">To: </span> Adam Young <<a
moz-do-not-send="true" href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>>,
"<a moz-do-not-send="true"
href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>"
<<a moz-do-not-send="true"
href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span> Re:
[Openstack-operators] Keystone backed by LDAP: What's still
stored locally?<br>
</div>
<div><br>
</div>
<div>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; color: rgb(0, 0, 0);
font-size: 14px; font-family: Calibri, sans-serif; ">
<div><br>
</div>
<div>Thanks Adam, I think we're willing to live without
domain support. So if Policy is the policy.json file
(which seems obvious to me now), then we should be good
with no replication.</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium
none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
#b5c4df 1pt solid; BORDER-RIGHT: medium none;
PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span>Adam
Young <<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Monday,
February 10, 2014 6:53 PM<br>
<span style="font-weight:bold">To: </span>"<a
moz-do-not-send="true"
href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>"
<<a moz-do-not-send="true"
href="mailto:openstack-operators@lists.openstack.org">openstack-operators@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[Openstack-operators] Keystone backed by LDAP: What's
still stored locally?<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/10/2014 03:27 PM,
Fischer, Matt wrote:<br>
</div>
<blockquote
cite="mid:CF1E8456.1ADA%25matt.fischer@twcable.com"
type="cite">
<div><br>
</div>
<div>If we use LDAP to provide Assignment and
Identity for Keystone, what things is keystone
still managing locally? The reason I'm asking is
that we're setting up OpenStack in a couple of data
centers and would like to centrally manage
users/tenants/roles without replicating keystone
databases (if that's possible). It looks like
Tokens, Catalogs, and Policy are the remaining
services. I don't think we'd ever want to
replicate Tokens, and the data in Catalogs might
differ across DCs anyway, but "Policy" is what I'm
not sure about. Is Policy the same as Assignment?
<br>
</div>
</blockquote>
No, policy is the flat file that has the rules for
RBAC.<br>
<br>
Assignment is what you want to replicate: the
assignment of roles to users and groups within
projects or domains.<br>
<br>
<blockquote
cite="mid:CF1E8456.1ADA%25matt.fischer@twcable.com"
type="cite">
<div><br>
</div>
<div>Finally, has anyone else set this up and if so
do you have any caveats/must-dos? I think I have
all the connection to LDAP stuff figured out but
have not tried with multiple keystone instances.</div>
</blockquote>
LDAP can support assignment, but you lose multiple
domain support. It might be your simplest replication
strategy, though.<br>
</div>
</div>
</span>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<blockquote
cite="mid:CF1E8456.1ADA%25matt.fischer@twcable.com"
type="cite"><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-operators mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a></pre>
</blockquote>
<br>
</div>
</div>
</span></div>
</div>
</span>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333</pre>
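<div>As an added example of the setup discussed above (this is not code from the
thread, nor from the Keystone or Salt projects): one way to let Salt render the
LDAP bind password into keystone.conf, as the reply describes, while keeping the
secret itself out of the state tree and making the resulting file readable only
by root and the keystone user. The [ldap] option names are the ones Keystone used
at the time of the thread (Havana); the hostname, base DN, tree DNs, pillar keys,
file paths and minion name pattern are assumptions chosen for illustration.</div>

```yaml
# ---- /srv/pillar/top.sls (assumed layout) ----
# Only minions whose id starts with "keystone" receive the secret pillar.
base:
  'keystone*':
    - keystone

# ---- /srv/pillar/keystone.sls (assumed layout) ----
# Secrets live in pillar, not in the state tree, so the sls files can be
# version-controlled without carrying the bind password.
keystone:
  ldap:
    url: ldaps://ldap.example.com                     # assumed hostname
    bind_dn: cn=keystone,ou=services,dc=example,dc=com # assumed DN
    bind_password: 'replace-me'                        # constructed placeholder

# ---- /srv/salt/keystone/init.sls ----
keystone-conf:
  file.managed:
    - name: /etc/keystone/keystone.conf
    - source: salt://keystone/files/keystone.conf.jinja
    - template: jinja
    - user: keystone
    - group: keystone
    - mode: 640        # the file holds the bind password: no world-read bit

keystone-service:
  service.running:
    - name: keystone   # assumed service name; some distros use openstack-keystone
    - watch:
      - file: keystone-conf

# ---- /srv/salt/keystone/files/keystone.conf.jinja (relevant sections only) ----
# [identity]
# driver = keystone.identity.backends.ldap.Identity
#
# [assignment]
# driver = keystone.assignment.backends.ldap.Assignment
#
# [ldap]
# url = {{ salt['pillar.get']('keystone:ldap:url') }}
# user = {{ salt['pillar.get']('keystone:ldap:bind_dn') }}
# password = {{ salt['pillar.get']('keystone:ldap:bind_password') }}
# suffix = dc=example,dc=com
# user_tree_dn = ou=users,dc=example,dc=com
# user_objectclass = inetOrgPerson
# tenant_tree_dn = ou=projects,dc=example,dc=com
# tenant_objectclass = groupOfNames
# role_tree_dn = ou=roles,dc=example,dc=com
# role_objectclass = organizationalRole
# # The service accounts (nova, glance, ...) are created in the directory by
# # hand, so Keystone never needs write access: bind read-only and say so.
# user_allow_create = False
# user_allow_update = False
# user_allow_delete = False
# tenant_allow_create = False
# tenant_allow_update = False
# tenant_allow_delete = False
# role_allow_create = False
# role_allow_update = False
# role_allow_delete = False
```

<div>The password still ends up in clear text on the Keystone host, exactly as the
reply says; what the pillar split buys is that it reaches only the minions matched
in top.sls and never sits in the git history of the state tree. The pillar file is
itself plain text on the master, so the master needs the same access controls as
the config file. The nova, glance and other service configs carry their own
service-account passwords (the ones used to talk to Keystone) and should get the
same treatment: pillar-sourced value, owner set to the service user, mode 640.</div>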
</body>
</html>