[openstack-dev] [Heat][Keystone] Native keystone resources in Heat

Brant Knudson blk at acm.org
Fri Jan 30 15:46:13 UTC 2015

On Fri, Jan 30, 2015 at 4:20 AM, Steven Hardy <shardy at redhat.com> wrote:

> On Thu, Jan 29, 2015 at 12:31:17PM -0500, Zane Bitter wrote:
> > On 29/01/15 12:03, Steven Hardy wrote:
> > > On Thu, Jan 29, 2015 at 11:41:36AM -0500, Zane Bitter wrote:
> > > > > IIUC keystone now allows you to add users to a domain that is
> > > > > otherwise backed by a read-only backend (i.e. LDAP). If this means
> > > > > that it's now possible to configure a cloud so that one need not be
> > > > > an admin to create users then I think it would be a really useful
> > > > > thing to expose in Heat. Does anyone know if that's the case?
> > >
> > > I've not heard of that feature, but it's definitely now possible to
> > > configure per-domain backends, so for example you could have the "heat"
> > > domain backed by SQL and other domains containing real human users
> > > backed by a read-only directory.
> >
> > http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/
>
> Perhaps we need to seek clarification from Adam/Henry, but my understanding
> of that feature is not that it enables you to add users to domains backed
> by a read-only directory, but rather that multiple backends are possible,
> such that one domain can be backed by a read-only backend, and another
> (different) domain can be backed by a different read/write one.
>
> E.g. in the example above, you might have the "freeipa" domain backed by
> read-only LDAP which contains your directory of human users, and you might
> also have a different domain e.g. "services" or "heat" backed by a
> read/write backend e.g. SQL.
>
> Steve
You might want to think about what can be done using federation. Federation
allows keystone to talk to external identity providers, where these
identity providers have the users. What if heat was an identity provider?
Then heat would have a record of the users and they could be used with
keystone to get a token.

On a similar note, while keystone isn't going to let you create users in a
read-only LDAP backend, heat could talk directly to the LDAP server to
create users.

- Brant
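The per-domain backend layout Steve describes, as an added configuration example that is not part of this thread or of keystone's shipped config: the "freeipa" domain is served by a read-only LDAP driver, while the "heat" domain has no domain-specific file and so falls back to the SQL driver in the main keystone.conf. Hostnames, DNs, the bind account and the current-style short driver names are assumptions.

```ini
# /etc/keystone/keystone.conf (relevant sections only)
[identity]
# Default driver for every domain without its own config file,
# including the read/write "heat" domain used for service users.
driver = sql
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# /etc/keystone/domains/keystone.freeipa.conf
# File name is keystone.<domain_name>.conf; this one applies to "freeipa".
[identity]
driver = ldap

[ldap]
# Assumed directory host and bind account; use a low-privilege read-only
# bind DN and keep the password out of world-readable files.
url = ldaps://ipa.example.com
use_tls = False
tls_req_cert = demand
user = uid=keystone-ro,cn=users,cn=accounts,dc=example,dc=com
password = <bind-password-placeholder>
suffix = dc=example,dc=com
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com
user_objectclass = person
user_id_attribute = uid
user_name_attribute = uid
# Explicitly deny writes so keystone never tries to create, update or
# delete human users in the directory; only the SQL-backed domain is writable.
user_allow_create = False
user_allow_update = False
user_allow_delete = False
```

With this in place a user-create request against the "freeipa" domain fails at keystone, while the same request against the "heat" domain succeeds, which is the split the thread is discussing.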