[openstack-dev] [Keystone] Trusts (Preauth) and LDAP

David Chadwick d.w.chadwick at kent.ac.uk
Wed Nov 28 16:05:18 UTC 2012


Hi Adam

I have seen your spec and commented on it. This is yet another case of 
delegation is it not?

regards

David

On 28/11/2012 15:45, Adam Young wrote:
> I have a very rudimentary Trust (what I used to call Preauth
> https://blueprints.launchpad.net/keystone/+spec/trusts) implementation
> working with the SQL backend for Identity.
>
> With LDAP, I am not sure where I would store the trust information. The
> data for the trust itself is simply the uuid user_ids for the trustor
> and trustee and tenant Id.  There is also a table for the roles, and a
> second table for the endpoints associated with the trust. While we could
> shoehorn this into the user object, I am not sure that there is an
> intuitive way to implement it in LDAP.
>
> I see three choices.
>
> 1.  Leave the Trusts in the identity schema.  This has the nice effect
> of keeping the user-ids as foreign keys.  It has the drawback of forcing
> an LDAP backend solution.
> 2.  Move the Trusts into the Token backend.  This will avoid the
> issue of LDAP support.  It does mean that tokens, which is a schema that
> is high volume, read intensive, and populated by short lifespan
> entities, gets mixed with trusts, which is low volume, and long lived.
> 3. Move it into its own backend.  This seems a little heavy weight.
>
>
> Thoughts?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
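
The trust record Adam describes (trustor, trustee, tenant, plus a roles table and an endpoints table) is a delegation artefact, and whichever backend ends up holding it has to enforce the same checks. The following is an added illustration written for this thread, not Keystone code: it models the trust as its own store (the thread's option 3, kept apart from the short-lived token schema) and enforces the rules a delegation store needs. The field names, the `TrustStore` class, the role-assignment map and the rules themselves (delegated roles must be a subset of what the trustor holds, only the trustee can redeem, the trust expires, and roles the trustor has since lost are not honoured) are my assumptions for the example, not the blueprint's specification.

```python
"""Toy delegation store modelled on the Keystone trust thread.

Added example for illustration; not Keystone's implementation.  Field
names mirror the thread (trustor, trustee, tenant, roles, endpoints);
the validation rules and the assignment map are assumptions.
"""
import time
import uuid
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    tenant_id: str
    roles: FrozenSet[str]          # roles the trustee may assume in tenant_id
    endpoints: FrozenSet[str]      # services the delegated token may reach
    expires_at: Optional[float]    # epoch seconds, None means no expiry


class TrustStore:
    """Long-lived, low-volume trust records kept separate from tokens."""

    def __init__(self, assignments: Dict[Tuple[str, str], Set[str]]):
        # assignments maps (user_id, tenant_id) -> roles actually held.
        # In Keystone this would come from the identity/assignment backend;
        # here it is an in-memory map so the example runs offline.
        self._assignments = assignments
        self._trusts: Dict[str, Trust] = {}

    def _held(self, user_id: str, tenant_id: str) -> Set[str]:
        return self._assignments.get((user_id, tenant_id), set())

    def create(self, trustor: str, trustee: str, tenant: str,
               roles: Iterable[str], endpoints: Iterable[str] = (),
               ttl: Optional[float] = None, now: Optional[float] = None) -> Trust:
        """Record a delegation; refuse anything the trustor cannot give away."""
        wanted = frozenset(roles)
        if not wanted:
            raise ValueError("a trust must delegate at least one role")
        if trustor == trustee:
            raise ValueError("trustor and trustee must differ")
        # Core delegation rule: you cannot delegate a role you do not hold.
        if not wanted <= self._held(trustor, tenant):
            raise PermissionError("trustor does not hold all delegated roles")
        now = time.time() if now is None else now
        trust = Trust(
            trust_id=uuid.uuid4().hex,
            trustor_user_id=trustor,
            trustee_user_id=trustee,
            tenant_id=tenant,
            roles=wanted,
            endpoints=frozenset(endpoints),
            expires_at=None if ttl is None else now + ttl,
        )
        self._trusts[trust.trust_id] = trust
        return trust

    def consume(self, trust_id: str, caller: str,
                now: Optional[float] = None) -> FrozenSet[str]:
        """Return the roles a caller may be issued when redeeming a trust."""
        trust = self._trusts.get(trust_id)
        if trust is None:
            raise LookupError("unknown trust")
        if caller != trust.trustee_user_id:
            raise PermissionError("only the trustee may redeem this trust")
        now = time.time() if now is None else now
        if trust.expires_at is not None and now >= trust.expires_at:
            raise PermissionError("trust has expired")
        # Re-check at redemption time so a role revoked from the trustor
        # after the trust was created cannot be obtained through it.
        still_held = trust.roles & self._held(trust.trustor_user_id, trust.tenant_id)
        if still_held != trust.roles:
            raise PermissionError("trustor no longer holds all delegated roles")
        return trust.roles

    def revoke_role(self, user_id: str, tenant_id: str, role: str) -> None:
        """Simulate the assignment backend removing a role from a user."""
        self._held(user_id, tenant_id).discard(role)


def build_sample_store() -> TrustStore:
    # Constructed sample assignments: alice holds two roles in proj-1, bob none.
    return TrustStore({("alice", "proj-1"): {"member", "admin"},
                       ("bob", "proj-1"): set()})


if __name__ == "__main__":
    store = build_sample_store()
    t = store.create("alice", "bob", "proj-1", ["member"], ttl=3600)
    print("bob redeems:", sorted(store.consume(t.trust_id, "bob")))
```

The redemption-time re-check is the part worth copying whichever storage option is chosen: a trust stored as a static row (in SQL, in a token table, or shoehorned into an LDAP entry) otherwise becomes a way to keep using a role after it has been revoked from the trustor.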


