[openstack-dev] [Keystone]ON DELETE RESTRICT VS ON DELETE CASCADE
ayoung at redhat.com
Tue Mar 10 02:22:27 UTC 2015
On 03/09/2015 01:26 PM, Mike Bayer wrote:
> Im about -1000 on disabling foreign key constraints.
So was I. We didn't do it out of performance.
Since I am responsible for tipping over this particular cow, let me explain.
No, is too much. Let me sum up.
In the murky past, Keystone was primarily the identity back end. I
start with users, then tenant, and then it grew to have roles.
If this has stayed all in a SQL back end, you bet your sweet bippy I'd
have left the integrity constraints in place. THere is a big reason it
My first hack in Keystone was putting LDAP support back in, after the
Keysteon Light rewrite pulled it out. Back then, I waws warned that
LDAP was different, and I kind of knew that it was, but I tried to do
everything in LDAP we were doing in SQl, and, while the solution was
bogus, it kindof worked if you squinted and were able to accept putting
service users in your active directory.
Oh, and didn't want to write to it. I mean, sure, there was writable
LDAP. BUt people don't use L:DAP that way. LDAP is maintained by
corporate IT...which really means HR. Bottom line is that the OpenStack
lab people are not going to be writing projects into their LDAP servers.
At the same time, the abstractions were growing. We added groups,
domains, and role assignments. Federation was in the distance, and
mapping had to go somewhere.
At the Protland summit, a few conversation made it clear that we needed
to split the Identity backend into a read only LDAP portion and a SQL
writable portion. Oh, sure, you could still keep users in SQL, and many
people wanted to, but LDAP was the larger concern, and, again, we knew
federation was coming with similar constraints. So, a FK from the
role-assignments table into the proejct table would be OK, but now to
either users or groups: if thiose were in LDAP, there would be nothing
there, and the constraint could not be met.
We've gone even further this release. The assignments backend itself is
being split up. TBGH, I don't know if this is an essential split, but
some of the main Keystone developers have worked really hard to make it
work, and to show how Keystone specific data (role assignments) can be
kept separate from the projects and domains.
So, no, we are not talking performance. We are talking architecture and
functionality. Keystone, with few exceptions, does not own the user
database. Keystone consumes it. As time goes on, Keystone will do a
better job of consume pre-existing data, and minimizing the amount of
custom data it manages.
Does that make more sense?
More information about the OpenStack-dev