[Openstack] [Keystone] Quotas: LDAP Help

Adam Young ayoung at redhat.com
Tue Jul 17 01:20:02 UTC 2012


On 07/16/2012 07:31 PM, Everett Toews wrote:
> Hi All,
>
> I've got a working implementation of quotas in Keystone. However it's 
> only working for the KVS and SQL backends right now and I need it to 
> work with LDAP before submitting it for review. I have limited 
> experience with LDAP and only from an ops perspective; I've never 
> developed any application code against an LDAP backed app, so I'm here 
> asking for help.
>
> My original plan was to just piggyback on the metadata code in the 
> LDAP backend (like I did with SQL). But, as you can see from 
> get_metadata [1] and create_metadata [2], it's not really there. Since 
> that's not possible I'll need to build something myself but I'm not 
> too sure what's the best way to go about doing that. Based on a bit of 
> research, I've come up with a couple of options.
>
> Option 1 - Separate Quota ou
>
> Looking at ldap/core.py, I could create a new QuotaApi class with the 
> fields
>
>     DEFAULT_OU = 'ou=Quota'
>     DEFAULT_STRUCTURAL_CLASSES = []
>     DEFAULT_OBJECTCLASS = '???'
>     DEFAULT_ID_ATTR = 'cn'
>     DEFAULT_MEMBER_ATTRIBUTE = 'cn'
>     options_name = 'quota'
>     attribute_mapping = {'quota': 'cn'}
>     model = models.Quota
>
> The idea being that quota information is an ou associated with a 
> tenant (somehow). I'm not sure how best to store the quota data itself 
> in this case. Could it just be stored as JSON in the cn? I'm not sure 
> if that's a good idea or a bad idea but I suspect bad...

That does not sound right.

>
> Option 2 - Metadata Attribute on Tenant
>
> Quotas are just an attribute of a Tenant so why not just add a single 
> 'quotas' attribute to the Tenant ou. Then the quotas JSON could be 
> stored in this attribute. This seems like a simple and 
> straight-forward solution but I don't know how to add this attribute 
> via an objectclass to Tenant.
>
> How would I add a quotas attribute to the Tenant ou?
> How would I reference that attribute?
> Is there an existing attribute on Tenant where I could reasonably 
> store the quotas JSON instead of adding another one?

Usually a Quota is a limitation on a resource.  I suspect that the 
problem here is we have not nailed down the resource objects that you 
would then apply a quota to.  If, for example, we were talking about 
disk quotas, we could look at the LDAP schemas that are in place for 
disks, automount, and so forth.  For network or CPU quotas, the concepts 
don't really exist.

My immediate thought is that maybe these things are not really Keystone 
quantities to manage.  Nova has the database that deals with the actual 
quantities of disk and so forth.  But I know that LDAP is the system of 
record for Hosts in many systems, so the data from LDAP needs to feed 
into Nova somehow....

Can you post your code to a GitHub repo and send out a link to the 
commit so that I could take a look?  It would be much more clear to 
discuss with actual code in front of me.



>
> Thoughts or feedback on these options? Are there any other options I'm 
> missing?
>
> Thanks,
> Everett
>
>
> [1] 
> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L140-147
> [2] 
> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L205-206





