[Openstack-operators] Keystone and Active Directory

Jay Pipes jaypipes at gmail.com
Mon Jul 16 16:33:36 UTC 2012


On 07/14/2012 02:55 PM, Joseph Heck wrote:
> 1) no explicit mapping to active directory groups, projects and roles managed externally to active directory, with a users in active directory getting assigned to those projects and roles, but using the credentials (userid/password) from active directory.
>
> 2) using active directory groups to assign roles to users, regardless of tenant. This would be storing "projects" and links of users to projects external to active directory, but using active directory groups to define what "roles" a user should have within their project(s).
> 
> 3) using active directory groups to represent projects, with membership in the group simply implying a "membership" style role with broad capabilities in the project.

Make it a configurable option in Keystone. Something like:

# What entity is the Active Directory group?
# Options: 'project' (default), 'role', '' (ignore groups)
ad_group_entity = 'project'

We do a similar thing in Glance with the:

owner_is_tenant = True

option, where setting to False indicates that the *X-Auth-User* value
and not the X-Auth-Tenant is the owner of an image...

Also, I will bring up that Keystone changing its semantics from "tenant"
to "project" affects a lot more than Keystone... Is the Keystone v3 API
-- the API which changes to use the term project instead of tenant --
going to be backwards-compatible with the term "tenant"?

Best,
-jay



More information about the Openstack-operators mailing list