[Openstack-operators] Migration to LDAP / default domain questions
Adam Young
ayoung at redhat.com
Fri Jul 29 03:14:16 UTC 2016
On 07/06/2016 10:23 AM, Ben Morrice wrote:
> Hello,
>
> We have a small private OpenStack deployment with 300 VMs across 2
> regions.
> We currently use the Keystone v2.0 API and all accounts are currently
> stored in SQL.
>
> We would like to move keystone to authenticate users from LDAP
> (identity), whilst still having the service accounts stored in SQL
> (migrating to Keystone v3 in the process).
>
> In our testing environment we have configured domain-specific drivers
> to support the above configuration, with the 'default' domain being
> SQL and a separate domain 'ldap' for credentials from LDAP.
>
> Usernames are the same for accounts in both 'default' and 'ldap'.
> Assignments would still reside in SQL.
>
> This setup works for the creation of new resources, however any
> resources defined in the old domain ('default') are obviously not
> available in the 'ldap' domain.
>
> Has anyone migrated resources between domains? There doesn't appear to
> be any OpenStack tooling to support this (?).
>
> Or is the solution to simply configure the ldap domain named as
> 'default' and the SQL domain named as something like 'services' ?
>
You can do cross-domain resource assignments. Assuming the usernames
are the same from SQL to LDAP, you could script a role assignment
migration that lists users, lists roles for each user, and creates that
same role assignment for a user defined in LDAP with a matching username.
Or, if you can set up a name-to-name mapping manually, you could do the
same thing.
Something like:

```sh
# Sketch: for each user in the SQL-backed 'default' domain, list that user's
# roles and grant the same role to the LDAP user carrying the same name.
for default_user in $(openstack user list --domain default --format json \
                      | jq -r '.[].Name'); do
    for os_role in $(openstack role list --user "$default_user" --format json \
                     | jq -r '.[].Name'); do
        # 'role add' takes the role as a positional argument; --user-domain
        # makes the CLI resolve the username in the new (LDAP) domain.
        openstack role add --user "$default_user" \
            --user-domain <new domain id> --domain <new domain id> "$os_role"
    done
done
```
I have to admit, I'd probably code it in Python using the Keystone API,
but then, I work in Python a lot.
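The Python variant of the same idea, as an added example that is not part of the thread: `plan_migration` maps each SQL user's role assignments onto the LDAP user with the same name, skips the service accounts that are meant to stay in SQL, and reports SQL users that have no LDAP counterpart instead of silently dropping them; `apply_plan` then grants the planned assignments through keystoneclient's v3 `roles.grant()`. The user/assignment data is constructed for the demo, and `keystone` is assumed to be an authenticated `keystoneclient.v3.client.Client`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """One role assignment as Keystone v3 reports it (project- or domain-scoped)."""
    user_id: str
    role_id: str
    project_id: Optional[str] = None
    domain_id: Optional[str] = None


def plan_migration(sql_users, ldap_users, assignments, keep_in_sql=()):
    """Build the assignments to create in the LDAP domain.

    sql_users / ldap_users: {username: user_id} for the two domains.
    keep_in_sql: usernames (service accounts) that must not be migrated.
    Returns (planned, unmatched): unmatched lists SQL users with no LDAP
    user of the same name, so an operator can review them before applying.
    """
    name_of = {uid: name for name, uid in sql_users.items()}
    planned, unmatched = set(), set()
    for a in assignments:
        name = name_of.get(a.user_id)
        if name is None or name in keep_in_sql:
            continue  # not an SQL human user, or deliberately kept in SQL
        ldap_id = ldap_users.get(name)
        if ldap_id is None:
            unmatched.add(name)  # no counterpart: report, never guess
            continue
        planned.add(Assignment(ldap_id, a.role_id, a.project_id, a.domain_id))
    key = lambda x: (x.user_id, x.role_id, x.project_id or "", x.domain_id or "")
    return sorted(planned, key=key), sorted(unmatched)


def apply_plan(keystone, planned):
    """Grant each planned assignment; returns the number of grants issued."""
    for a in planned:
        keystone.roles.grant(a.role_id, user=a.user_id,
                             project=a.project_id, domain=a.domain_id)
    return len(planned)


def demo():
    # Constructed sample data: 'glance' is a service account that stays in SQL,
    # 'bob' has no LDAP user, 'alice' exists in both domains.
    sql_users = {"alice": "sql-1", "glance": "sql-2", "bob": "sql-3"}
    ldap_users = {"alice": "ldap-1", "carol": "ldap-9"}
    assignments = [Assignment("sql-1", "member", project_id="proj-a"),
                   Assignment("sql-2", "service", project_id="proj-svc"),
                   Assignment("sql-3", "admin", project_id="proj-a")]
    return plan_migration(sql_users, ldap_users, assignments, keep_in_sql=("glance",))
```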