[Openstack] [Keystone] Quotas: LDAP Help

Adam Young ayoung at redhat.com
Wed Jul 25 15:32:34 UTC 2012


On 07/25/2012 10:19 AM, Ionuț Arțăriși wrote:
> On 07/17/2012 11:33 PM, Joseph Heck wrote:
>> That's the general area I was going to head with the Active Directory 
>> backend I'm hacking on. Chris Hoge of UOregon presented today (@ 
>> OSCON) on a local keystone hack that they did to enable LDAP AuthN + 
>> a fail back to SQL based system for their scientific computing 
>> cluster - follows a very similar model.
>>
>> -joe
>>
>> On Jul 17, 2012, at 2:16 PM, Tim Bell <Tim.Bell at cern.ch> wrote:
>>> +1 The corporate LDAP should be read-only for a source of user, roles and
>>> attributes. Updating the corporate LDAP is not an option in many
>>> environments which can significantly benefit from the structured directory
>>> information available.
>>>
>>> Thus, at minimum, allow a r/o LDAP and local DB store for any openstack
>>> specific information that needs updating.
>>>
>>> Tim
>>>
>>>> -----Original Message-----
>>>> From: openstack-bounces+tim.bell=cern.ch at lists.launchpad.net
>>>> [mailto:openstack-bounces+tim.bell=cern.ch at lists.launchpad.net] On
>>>> Behalf Of Ryan Lane
>>>> Sent: 17 July 2012 20:43
>>>> To: Adam Young
>>>> Cc: Joseph Heck; openstack
>>>> Subject: Re: [Openstack] [Keystone] Quotas: LDAP Help
>>>>
>>>>> I haven't been thinking about quotas, so bear with me here. A few
>>>>> thoughts:
>>>>> Certain deployments might not be able to touch the LDAP backend.  
>>>>> I am
>>>>> thinking specifically where there is a corporate AD/LDAP server.  I
>>>>> tried to keep the scheme dependency simple enough that it could be
>>>>> layered onto a read-only scenario.  If we put quotas into LDAP,  it
>>>>> might break on those deployments.
>>>>>
>>>> Many, many deployments won't be able to. Applications should generally
>>>> assume they are read-only in regards to LDAP.
>>>>
>>>>> I can see that we don't want to define them in the Nova database, as
>>>>> Swift might not have access to that, and swift is going to be one of
>>>>> the primary consumers of Quotas.  I am assuming Quantum will have
>>>>> them as well.
>>>>> As you are aware, there is no metadata storage in the LDAP driver,
>>>>> instead it is generated from the tenant and role information on the
>>>>> fly.  There is no place to store metadata in "groupOfNames" which is
>>>>> the lowest (common denominator) grouping used for Tenants.  Probably
>>>>> the most correct
>>>>> thing to do would be to use a "seeAlso"  that points to where the
>>>>> quota data is stored.
>>>>>
>>>> Let's try not to force things into attributes if possible.
>>>>
>>>> When LDAP is used, is the SQL backend not used at all? Why not 
>>>> store quota
>>>> info in Keystone's SQL backend, but pull user info from LDAP, when
>>>> enabled?
>>>> We should only consider storing something in LDAP if it's going to be
>>>> reused by other applications. LDAP has a strict schema for exactly this
>>>> purpose. If the quota information isn't directly usable by other
>>>> applications we shouldn't store it in LDAP.
>>>>
>>>> Many applications with an LDAP backend also have an SQL backend, and use
>>>> the SQL as primary storage for most things, and as a cache for LDAP, if
>>>> it's used. I think this is likely a sane approach here, as well.
>>>>
>>>> - Ryan
>>>>
>
> Hi,
>
> I just wanted to add a bit to this thread. We're currently working on 
> a hybrid backend between LDAP and SQL. I have a working version for a 
> specific setup in which the user accounts are stored in LDAP, but 
> tenants and roles are all stored in SQL together with other openstack 
> user accounts such as the nova admin account.
>
> I basically just Frankensteined the two backends together for user 
> processing and left everything else to be handled by the SQL backend. 
> I'd like to hear other people's opinion on this or alternative 
> implementations.

Are tenants completely in the SQL DB?  If so, how do you list tenants 
for a given user?

Do you copy users from LDAP to SQL for anything?


>
> https://gist.github.com/3176390
>
> -Ionuț
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
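A sketch of the hybrid arrangement this thread converges on (users and bind checks come from a read-only LDAP, tenants and role grants live in SQL keyed by the LDAP uid), added here as an illustration; it is not Keystone's code nor the gist linked above. The ReadOnlyLdap class is a constructed in-memory stand-in for a corporate directory, and the table names and the demo() data are assumptions; get_tenants_for_user shows that listing a user's tenants needs neither an LDAP query nor a copy of the user record.

```python
import sqlite3

class ReadOnlyLdap:
    """Constructed stand-in for a read-only corporate directory: lookups and bind checks only."""
    def __init__(self, entries):
        self._entries = entries  # uid -> attributes; constructed sample data, never written to
    def get_user(self, uid):
        return self._entries.get(uid)
    def bind(self, uid, password):
        entry = self._entries.get(uid)
        return entry is not None and entry["userPassword"] == password

class HybridIdentity:
    """Users and authN come from LDAP; tenants and role grants live in SQL, keyed by uid."""
    def __init__(self, ldap):
        self.ldap = ldap
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE tenant(id TEXT PRIMARY KEY, name TEXT NOT NULL);
            CREATE TABLE grant_(user_id TEXT, tenant_id TEXT REFERENCES tenant(id),
                                role TEXT, PRIMARY KEY(user_id, tenant_id, role));""")
    def create_tenant(self, tenant_id, name):
        self.db.execute("INSERT INTO tenant VALUES (?, ?)", (tenant_id, name))
    def grant_role(self, uid, tenant_id, role):
        # Only the uid is stored (nothing is copied out of LDAP); refuse uids the directory does not know.
        if self.ldap.get_user(uid) is None:
            raise LookupError("unknown LDAP user: %s" % uid)
        self.db.execute("INSERT INTO grant_ VALUES (?, ?, ?)", (uid, tenant_id, role))
    def get_tenants_for_user(self, uid):
        # Listing a user's tenants needs no LDAP query: the join is entirely in SQL.
        rows = self.db.execute("SELECT DISTINCT t.id, t.name FROM tenant t JOIN grant_ g "
                               "ON g.tenant_id = t.id WHERE g.user_id = ? ORDER BY t.id", (uid,))
        return [{"id": tid, "name": name} for tid, name in rows]
    def get_roles(self, uid, tenant_id):
        rows = self.db.execute("SELECT role FROM grant_ WHERE user_id = ? AND tenant_id = ? "
                               "ORDER BY role", (uid, tenant_id))
        return [role for (role,) in rows]
    def authenticate(self, uid, password):
        if not self.ldap.bind(uid, password):  # credentials are checked only against LDAP
            raise PermissionError("invalid credentials")
        user = {k: v for k, v in self.ldap.get_user(uid).items() if k != "userPassword"}
        return {"user": user, "tenants": self.get_tenants_for_user(uid)}

def demo():
    ldap = ReadOnlyLdap({"alice": {"uid": "alice", "mail": "alice@example.org",
                                   "userPassword": "wonderland"}})  # constructed entry
    ident = HybridIdentity(ldap)
    ident.create_tenant("t1", "science")
    ident.grant_role("alice", "t1", "Member")
    return ident
```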