[openstack-dev] [Heat][Keystone] Native keystone resources in Heat

Steven Hardy shardy at redhat.com
Fri Jan 30 10:20:29 UTC 2015

On Thu, Jan 29, 2015 at 12:31:17PM -0500, Zane Bitter wrote:
> On 29/01/15 12:03, Steven Hardy wrote:
> >On Thu, Jan 29, 2015 at 11:41:36AM -0500, Zane Bitter wrote:
> >>>IIUC keystone now allows you to add users to a domain that is otherwise
> >>>backed by a read-only backend (i.e. LDAP). If this means that it's now
> >>>possible to configure a cloud so that one need not be an admin to create
> >>>users then I think it would be a really useful thing to expose in Heat. Does
> >>>anyone know if that's the case?
> >
> >I've not heard of that feature, but it's definitely now possible to
> >configure per-domain backends, so for example you could have the "heat"
> >domain backed by SQL and other domains containing real human users backed
> >by a read-only directory.
> http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/

Perhaps we need to seek clarification from Adam/Henry, but my understanding
of that feature is not that it enables you to add users to domains backed
by a read-only directory, but rather that multiple backends are possible,
such that one domain can be backed by a read-only backend, and another
(different) domain can be backed by a different read/write one.

E.g. in the example above, you might have the "freeipa" domain backed by
read-only LDAP which contains your directory of human users, and you might
also have a different domain e.g. "services" or "heat" backed by a
read/write backend e.g. SQL.
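
The layout described in the message above, sketched as Keystone configuration; this is an added example, not part of the original post or the Keystone project's own files. The directory path, LDAP host, DNs and bind account are constructed placeholders, and the short driver names follow later Keystone releases (releases current in early 2015 used the full class path, e.g. keystone.identity.backends.sql.Identity).

```ini
# ---- /etc/keystone/keystone.conf ----
[identity]
# Default identity backend: read/write SQL. Domains without their own
# file under domain_config_dir (e.g. "heat" or "services") use it, so
# service and stack users can be created without touching the directory.
driver = sql
# Let individual domains override the default backend.
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# ---- /etc/keystone/domains/keystone.freeipa.conf ----
# The file name carries the domain name: keystone.<domain_name>.conf.
# Only the "freeipa" domain is served by this backend.
[identity]
driver = ldap

[ldap]
# Constructed placeholder values. The bind account is assumed to have
# read-only rights in the directory, so human users are never created
# or modified through Keystone.
url = ldaps://ipa.example.test
user = uid=keystone-ro,cn=sysaccounts,cn=etc,dc=example,dc=test
password = CHANGE_ME
suffix = dc=example,dc=test
user_tree_dn = cn=users,cn=accounts,dc=example,dc=test
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
```

With this split, a request to create a user succeeds only in a domain served by the SQL backend; the "freeipa" domain stays a read-only view of the directory.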

