[Openstack-operators] Keystone backed by LDAP: What's still stored locally?

Adam Young ayoung at redhat.com
Tue Feb 11 01:53:32 UTC 2014

On 02/10/2014 03:27 PM, Fischer, Matt wrote:
> If we use LDAP to provide Assignment and Identity for Keystone, what 
> things is keystone still managing locally? The reason I'm asking is 
> that we're setting up Openstack in a couple data centers and would 
> like to centrally manage users/tenants/roles without replicating 
> keystone databases (if that's possible). It looks like Tokens, 
> Catalogs, and Policy are the remaining services. I don't think we'd 
> ever want to replicate Tokens, and the data in Catalogs might differ 
> across DCs anyway, but "Policy" is what I'm not sure about. Is Policy 
> the same as Assignment?
No, policy is the flat file that has the rules for RBAC.

Assignment is what you want to replicate:  the assignment of roles to 
users and groups within projects or domains.

> Finally, has anyone else set this up and if so do you have any 
> caveats/must-dos? I think I have all the connection to LDAP stuff 
> figured out but have not tried with multiple keystone instances.
LDAP can support assignment, but you lose multiple domain support. It 
might be your simplest replication strategy, though.

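An added illustration of the split described in the reply, written for this thread rather than taken from either poster or from the Keystone project: users and groups read from LDAP, assignments kept in the SQL backend so they can be replicated, and policy left as the local flat file. Hostnames, DNs, paths and the bind credential are placeholders; the option names are those of the Havana-era keystone.conf.

```ini
# keystone.conf (excerpt) -- constructed example, not a shipped file.

[DEFAULT]
# Policy stays local: it is the RBAC rule file, not assignment data.
policy_file = policy.json

[identity]
# Users and groups come from the central directory.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Role assignments (user/group -> role in project/domain) stay in SQL,
# which keeps multi-domain support; replicate this database between DCs.
driver = keystone.assignment.backends.sql.Assignment

[ldap]
url = ldaps://ldap.example.com          # placeholder host
# Dedicated read-only bind account; its secret lives in this file, so
# restrict file permissions to the keystone user.
user = cn=keystone-ro,ou=services,dc=example,dc=com
password = CHANGE-ME                     # placeholder
suffix = dc=example,dc=com
use_tls = True
tls_cacertfile = /etc/keystone/ldap-ca.pem   # placeholder path
tls_req_cert = demand                    # reject unverifiable server certs

user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid
# Keystone should not be able to write back to the directory.
user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_tree_dn = ou=Groups,dc=example,dc=com
group_objectclass = groupOfNames
group_member_attribute = member
group_allow_create = False
group_allow_update = False
group_allow_delete = False
```

With this layout each data centre needs the same policy.json deployed alongside Keystone, a replica of the assignment tables, and its own token and catalog backends.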
