[Openstack-operators] Migration to LDAP / default domain questions

Adam Young ayoung at redhat.com
Fri Jul 29 03:14:16 UTC 2016


On 07/06/2016 10:23 AM, Ben Morrice wrote:
> Hello,
>
> We have a small private OpenStack deployment with 300 VMs across 2 
> regions.
> We currently use the Keystone v2.0 API and all accounts are currently 
> stored in SQL.
>
> We would like to move keystone to authenticate users from LDAP 
> (identity), whilst still having the service accounts stored in SQL 
> (migrating to Keystone v3 in the process).
>
> In our testing environment we have configured domain-specific drivers 
> to support the above configuration, with the 'default' domain being 
> SQL and a separate domain 'ldap' for credentials from LDAP.
>
> Usernames are the same for accounts in both 'default' and 'ldap'.
> Assignments would still reside in SQL.
>
> This setup works for the creation of new resources, however any 
> resources defined in the old domain ('default') are obviously not 
> available in the 'ldap' domain.
>
> Has anyone migrated resources between domains? There doesn't appear to 
> be any OpenStack tooling to support this (?).
>
> Or is the solution to simply configure the ldap domain named as 
> 'default' and the SQL domain named as something like 'services' ?
>
You can do cross-domain resource assignments.  Assuming the usernames 
are the same from SQL to LDAP, you could script a role assignment 
migration that lists users, lists roles for each user, and creates that 
same role assignment for a user defined in LDAP with a matching username.

Or, if you can set up a name-to-name mapping manually, you could do the 
same thing.

Something like:

for default_user in `openstack user list --domain default --format json | jq '<insert magic here>'`
do
    for os_role in `openstack role list --user "$default_user" --format json | jq '<more majik>'`
    do
        # the role name is a positional argument to "openstack role add", not --role
        openstack role add --user "$default_user" --domain <new domain id> "$os_role"
    done
done

I have to admit, I'd probably code it in python using the Keystone API, 
but then, I work in Python a lot.
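As an added example (not code from the thread or from OpenStack itself), here is how the Python variant of that migration could be structured with python-keystoneclient. The planning step is pure Python and works on assignment records shaped like Keystone v3 role-assignment JSON, so it can be checked offline; only the functions that fetch and apply talk to Keystone. Names that exist in the SQL 'default' domain but have no LDAP counterpart (typically the service accounts, which are meant to stay in SQL) are reported rather than migrated, and grants already present on the LDAP user are skipped so the script can be re-run. The keystoneclient import, the environment variables and the domain id values are assumptions for illustration.

```python
"""Replay role assignments from SQL-backed users in one Keystone domain onto
LDAP-backed users of the same name in another domain.

Added example, not the mailing-list author's code. Assumes python-keystoneclient
and keystoneauth1 are installed; both are imported lazily so plan_migration()
can be tested without them.
"""
import os
from typing import Dict, List, Optional, Set, Tuple

# (target_user_id, role_id, project_id, domain_id); exactly one of the two scopes is set
PlanItem = Tuple[str, str, Optional[str], Optional[str]]


def scope_of(assignment: dict) -> Tuple[Optional[str], Optional[str]]:
    """Extract (project_id, domain_id) from a role-assignment record's 'scope' dict."""
    scope = assignment.get("scope", {})
    project = scope.get("project", {}).get("id")
    domain = scope.get("domain", {}).get("id")
    return project, domain


def plan_migration(
    assignments: List[dict],
    src_users: Dict[str, str],   # source (SQL) user id -> user name
    dst_users: Dict[str, str],   # destination (LDAP) user name -> user id
    existing: Set[PlanItem],     # grants already held by destination users
) -> Tuple[List[PlanItem], List[str]]:
    """Compute the grants to create on destination users.

    Returns (grants, names_without_ldap_match). Group assignments and assignments
    of users outside the source domain are ignored; duplicates are collapsed.
    """
    todo: List[PlanItem] = []
    missing: Set[str] = set()
    for a in assignments:
        name = src_users.get(a.get("user", {}).get("id"))
        if name is None:
            continue
        target = dst_users.get(name)
        if target is None:
            missing.add(name)
            continue
        project, domain = scope_of(a)
        item = (target, a["role"]["id"], project, domain)
        if item not in existing and item not in todo:
            todo.append(item)
    return todo, sorted(missing)


def fetch_plan(ks, src_domain_id: str, dst_domain_id: str):
    """Pull users and direct (non-effective) assignments from Keystone and plan the grants."""
    src_users = {u.id: u.name for u in ks.users.list(domain=src_domain_id)}
    dst_users = {u.name: u.id for u in ks.users.list(domain=dst_domain_id)}
    assignments = []
    for uid in src_users:
        assignments.extend(ra.to_dict() for ra in ks.role_assignments.list(user=uid))
    existing: Set[PlanItem] = set()
    for uid in dst_users.values():
        for ra in ks.role_assignments.list(user=uid):
            project, domain = scope_of(ra.to_dict())
            existing.add((uid, ra.role["id"], project, domain))
    return plan_migration(assignments, src_users, dst_users, existing)


def apply_plan(ks, plan: List[PlanItem], dry_run: bool = True) -> int:
    """Create the planned grants; with dry_run only print them. Returns the count handled."""
    for user_id, role_id, project_id, domain_id in plan:
        scope = f"project={project_id}" if project_id else f"domain={domain_id}"
        print(f"{'would grant' if dry_run else 'granting'} role {role_id} to user {user_id} on {scope}")
        if not dry_run:
            ks.roles.grant(role_id, user=user_id, project=project_id, domain=domain_id)
    return len(plan)


if __name__ == "__main__":
    # Assumed admin credentials from the usual OS_* variables; LDAP_DOMAIN_ID is a placeholder.
    from keystoneauth1.identity import v3
    from keystoneauth1.session import Session
    from keystoneclient.v3 import client

    auth = v3.Password(
        auth_url=os.environ["OS_AUTH_URL"],
        username=os.environ["OS_USERNAME"],
        password=os.environ["OS_PASSWORD"],
        user_domain_id="default",
        project_name=os.environ["OS_PROJECT_NAME"],
        project_domain_id="default",
    )
    ks = client.Client(session=Session(auth=auth))
    plan, missing = fetch_plan(ks, "default", os.environ["LDAP_DOMAIN_ID"])
    print("no LDAP match (left in SQL):", ", ".join(missing) or "none")
    apply_plan(ks, plan, dry_run=os.environ.get("APPLY") != "1")
```

Run it once without APPLY=1 to review the planned grants and the list of names with no LDAP match; the old SQL assignments are deliberately left in place so the cut-over can be reverted by pointing the domain configuration back.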