[Openstack-operators] Keystone backed by LDAP: What's still stored locally?

gustavo panizzo <gfa> gfa at zumbi.com.ar
Tue Feb 11 18:21:13 UTC 2014


On 02/11/2014 03:14 PM, Fischer, Matt wrote:
> Sorry to follow-up my own question, but for anyone else who has backed
> Keystone with LDAP, did you store the service accounts (nova, glance,
> etc) in LDAP as well?
Yes, I do.
>  If so, how did you handle password management (the plaintext
> passwords in the config files)?
Same as the SQL-based accounts: I put the password in clear text in the
config files.
I use Salt to manage my config files, if that is what you ask.

>
> From: Fischer, Matt <matthew.fischer at twcable.com>
> Date: Tuesday, February 11, 2014 9:45 AM
> To: Adam Young <ayoung at redhat.com>,
> openstack-operators at lists.openstack.org
> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
> still stored locally?
>
>
> Thanks Adam, I think we're willing to live without domain support. So
> if Policy is the policy.json file (which seems obvious to me now) then
> we should be good with no replication.
>
> From: Adam Young <ayoung at redhat.com>
> Date: Monday, February 10, 2014 6:53 PM
> To: openstack-operators at lists.openstack.org
> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
> still stored locally?
>
> On 02/10/2014 03:27 PM, Fischer, Matt wrote:
>>
>> If we use LDAP to provide Assignment and Identity for Keystone, what
>> things is keystone still managing locally? The reason I'm asking is
>> that we're setting up Openstack in a couple data centers and would
>> like to centrally manage users/tenants/roles without replicating
>> keystone databases (if that's possible). It looks like Tokens,
>> Catalogs, and Policy are the remaining services. I don't think we'd
>> ever want to replicate Tokens, and the data in Catalogs might differ
>> across DCs anyway, but "Policy" is what I'm not sure about. Is Policy
>> the same as Assignment?
> No, policy is the flat file that has the rules for RBAC.
>
> Assignment is what you want to replicate:  the assignment of roles to
> users and groups within projects or domains.
>
>>
>> Finally, has anyone else set this up and if so do you have any
>> caveats/must-dos? I think I have all the connection to LDAP stuff
>> figured out but have not tried with multiple keystone instances.
> LDAP can support assignment, but you lose multiple domain support.  It
> might be your simplest replication strategy, though.
>
>
>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


-- 
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
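Added example for the thread's question of what stays local once identity and assignment are moved to LDAP. This is not code from Keystone or from anyone in the thread: it parses a constructed keystone.conf in the Havana/Icehouse-era layout (section names and driver class paths such as keystone.identity.backends.ldap.Identity are assumptions modelled on that era and should be checked against your own release), reports which subsystems the file delegates to LDAP and which still come from the local database or local files, and flags the clear-text credentials and the unencrypted LDAP bind that the config file itself still carries.

```python
"""Classify a Havana/Icehouse-era keystone.conf: which subsystems go to LDAP,
which stay local, and which secrets remain in the file in clear text.
Constructed example for this thread, not Keystone's own code; section and
driver names are assumptions to verify against your release."""
import configparser

# Constructed sample keystone.conf (no real deployment).  Identity and
# assignment point at LDAP as in the thread; token, catalog and policy keep
# their local backends.  Credential values are placeholders.
SAMPLE_KEYSTONE_CONF = """
[DEFAULT]
admin_token = ADMIN_TOKEN_PLACEHOLDER

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.ldap.Assignment

[token]
driver = keystone.token.backends.sql.Token

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[policy]
driver = keystone.policy.backends.rules.Policy

[ldap]
url = ldap://ldap.example.com
user = cn=keystone,ou=services,dc=example,dc=com
password = EXAMPLE_BIND_PASSWORD
use_tls = False

[database]
connection = mysql://keystone:EXAMPLE_DB_PASSWORD@db.example.com/keystone
"""

# Subsystems with a pluggable backend selected by a "driver" option.
SUBSYSTEMS = ("identity", "assignment", "token", "catalog", "policy")


def load_conf(text):
    """Parse keystone.conf text; interpolation off so '%' in passwords is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def backend_map(cp):
    """Map each subsystem to the backend kind in its driver class path
    (keystone.<subsystem>.backends.<kind>.<Class>); 'default' if unset."""
    out = {}
    for sub in SUBSYSTEMS:
        parts = cp.get(sub, "driver", fallback="").split(".")
        out[sub] = parts[-2] if len(parts) >= 2 else "default"
    return out


def ldap_backed(cp):
    """Subsystems whose data lives in LDAP, so no per-site DB replication is needed."""
    return sorted(s for s, k in backend_map(cp).items() if k == "ldap")


def local_only(cp):
    """Subsystems still served from the local database or local files."""
    return sorted(s for s, k in backend_map(cp).items() if k != "ldap")


def cleartext_secrets(cp):
    """Credentials that remain in the file in clear text, as 'section.option'."""
    found = []
    if cp.has_option("DEFAULT", "admin_token"):
        found.append("DEFAULT.admin_token")
    if cp.has_option("ldap", "password"):
        found.append("ldap.password")
    conn = cp.get("database", "connection", fallback="")
    # dialect://user:password@host/db: a ':' in the userinfo means an embedded password
    if "@" in conn and ":" in conn.split("://", 1)[-1].split("@", 1)[0]:
        found.append("database.connection")
    return found


def transport_warnings(cp):
    """Warn when the LDAP bind password would cross the network unencrypted."""
    warnings = []
    url = cp.get("ldap", "url", fallback="")
    use_tls = cp.getboolean("ldap", "use_tls", fallback=False)
    if url.startswith("ldap://") and not use_tls:
        warnings.append("ldap.url is plain ldap:// and use_tls is off: bind password sent in clear")
    return warnings


if __name__ == "__main__":
    conf = load_conf(SAMPLE_KEYSTONE_CONF)
    print("LDAP-backed:", ldap_backed(conf))
    print("local only:", local_only(conf))
    print("clear-text secrets:", cleartext_secrets(conf))
    print("transport warnings:", transport_warnings(conf))
```

Run as a script it classifies the embedded sample; pass a real file's contents to load_conf to check a deployment. The clear-text findings are the point of the last question in the thread: moving identity and assignment into LDAP takes users, tenants and role assignments out of the local database, but the LDAP bind password, the admin token and the database connection string still sit in keystone.conf, so file permissions and the configuration-management system that writes the file are what protect them.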
