[Openstack-operators] Keystone backed by LDAP: What's still stored locally?

Fischer, Matt matthew.fischer at twcable.com
Tue Feb 11 16:45:04 UTC 2014

Thanks Adam, I think we're willing to live without domain support. So if Policy is the policy.json file (which seems obvious to me now) then we should be good with no replication.

From: Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>>
Date: Monday, February 10, 2014 6:53 PM
To: "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's still stored locally?

On 02/10/2014 03:27 PM, Fischer, Matt wrote:

If we use LDAP to provide Assignment and Identity for Keystone, what things is keystone still managing locally? The reason I'm asking is that we're setting up Openstack in a couple data centers and would like to centrally manage users/tenants/roles without replicating keystone databases (if that's possible). It looks like Tokens, Catalogs, and Policy are the remaining services. I don't think we'd ever want to replicate Tokens, and the data in Catalogs might differ across DCs anyway, but "Policy" is what I'm not sure about. Is Policy the same as Assignment?
No, policy is the flat file that has the rules for RBAC.

Assignment is what you want to replicate:  the assignment of roles to users and groups within projects or domains.

Finally, has anyone else set this up and if so do you have any caveats/must-dos? I think I have all the connection to LDAP stuff figured out but have not tried with multiple keystone instances.
LDAP can support assignment, but you lose multiple domain support.  It might be your simplest replication strategy, though.

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20140211/5ce3e520/attachment.html>

More information about the OpenStack-operators mailing list