[openstack-dev] [Heat][Keystone] Native keystone resources in Heat

Zane Bitter zbitter at redhat.com
Fri Jan 30 13:17:41 UTC 2015

On 30/01/15 05:20, Steven Hardy wrote:
> On Thu, Jan 29, 2015 at 12:31:17PM -0500, Zane Bitter wrote:
>> On 29/01/15 12:03, Steven Hardy wrote:
>>> On Thu, Jan 29, 2015 at 11:41:36AM -0500, Zane Bitter wrote:
>>>>> IIUC keystone now allows you to add users to a domain that is otherwise
>>>>> backed by a read-only backend (i.e. LDAP). If this means that it's now
>>>>> possible to configure a cloud so that one need not be an admin to create
>>>>> users then I think it would be a really useful thing to expose in Heat. Does
>>>>> anyone know if that's the case?
>>> I've not heard of that feature, but it's definitely now possible to
>>> configure per-domain backends, so for example you could have the "heat"
>>> domain backed by SQL and other domains containing real human users backed
>>> by a read-only directory.
>> http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/
> Perhaps we need to seek clarification from Adam/Henry, but my understanding
> of that feature is not that it enables you to add users to domains backed
> by a read-only directory, but rather that multiple backends are possible,
> such that one domain can be backed by a read-only backend, and another
> (different) domain can be backed by a different read/write one.
> E.g. in the example above, you might have the "freeipa" domain backed by
> read-only LDAP which contains your directory of human users, and you might
> also have a different domain, e.g. "services" or "heat", backed by a
> read/write backend, e.g. SQL.

Ah, you're right, I've been misinterpreting that post this whole time. 

- ZB
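For readers who want to see what the per-domain backend split discussed above looks like in practice, here is an added configuration example (not from the thread, the linked post, or the Keystone project). It assumes Kilo-era Keystone driver class paths, the domain names "freeipa" and "heat" from the thread, and a constructed LDAP hostname and DIT layout; the point is that the directory of human users stays read-only while service users created by Heat land in a separate SQL-backed domain.

```ini
# /etc/keystone/keystone.conf (relevant excerpt)
# Default identity backend stays SQL; per-domain overrides are enabled and
# read from one file per domain named keystone.<domain_name>.conf.
[identity]
driver = keystone.identity.backends.sql.Identity
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# /etc/keystone/domains/keystone.freeipa.conf
# The "freeipa" domain holds the human users and is backed by the corporate
# directory. Keystone only reads from it: the bind account should be a
# read-only account, and the user_allow_* flags stop Keystone from ever
# attempting a write, so a compromised service cannot alter the directory.
[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
url = ldaps://ipa.example.test            # constructed hostname
use_tls = False                           # ldaps:// already provides TLS
user = uid=keystone-ro,cn=sysaccounts,cn=etc,dc=example,dc=test
password = REPLACE_WITH_BIND_PASSWORD     # placeholder, never commit secrets
suffix = dc=example,dc=test
query_scope = sub
user_tree_dn = cn=users,cn=accounts,dc=example,dc=test
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_tree_dn = cn=groups,cn=accounts,dc=example,dc=test
group_objectclass = groupOfNames

# /etc/keystone/domains/keystone.heat.conf
# The "heat" domain is read/write SQL. Service users that Heat creates on
# behalf of stacks live here, so user creation never touches LDAP and the
# Heat service account only needs domain-scoped rights on this one domain.
[identity]
driver = keystone.identity.backends.sql.Identity
```

Domain names in the file names must match existing Keystone domains; the read-only domain's bind account should be granted nothing beyond search on the user and group subtrees.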
