Open Stack

On Fri, 2014-02-28 at 15:25 -0800, Mark Washenberger wrote:
> I believe we have some agreement here. Other openstack services should
> be able to use a strongly typed identifier for users. I just think if
> we want to go that route, we probably need to create a new field to
> act as the proper user uuid, rather than repurposing the existing
> field. It sounds like many existing LDAP deployments would break if we
> repurpose the existing field.

Hi Mark,

Please see my earlier response on this thread. I am proposing putting
external identifiers into a mapping table that would correlate a
Keystone UUID user ID with external identifiers (of variable length). 

Once authentication has occurred (with any auth backend including LDAP),
Keystone would only communicate to the other OpenStack services the UUID
user ID from Keystone. This would indeed require a migration to each
non-Keystone service that stores the user IDs as-is from Keystone
currently (such as Glance or Nova).

Once the migrations are run, then only UUID values would be stored, and
further migrations could be run that would streamline the columns that
stores these user IDs to a more efficient CHAR(32) or BINARY(16)
internal storage format.

Hope that clears things up.

Best,
-jay