[Openstack] [keystone] Multi-tenants per user, authentication tokens and global roles

Ryan Lane rlane at wikimedia.org
Fri Jul 27 18:20:54 UTC 2012


> You can use a token to get a token.  Look at the authenticate code in
> keystone/service.py
>
> Have the user initially get a non-tenant specific token.  Pass that in the
> x-auth header to POST /tokens/ along with a tenantid  and you will get a new
> one scoped to the tenant
>

Ah. This is perfect, thanks!

>> I'm using the LDAP backend. I'm assuming I'm going to have to modify
>> the authenticate method to handle this. Would doing this be enough to
>> make this work, or will I need to patch more extensively for this
>> solution?
>
>
> Tokens are not stored in LDAP.  There are separate back ends for: identity,
> tokens, and service catalog.  LDAP is only wired up for Identity.  For
> Token, the default is KVS, which is in memory only. You probably want to use
> memcached or SQL for the token back end, otherwise a reboot of the keystone
> server will lose you all the tokens.
>

I was planning on hacking in a method of pulling a long-lived token
from LDAP, but your previous comment makes that unneeded.

- Ryan
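The two-step exchange described in the quoted reply (get a non-tenant-specific token first, then POST /tokens with that token plus a tenantId to get one scoped to the tenant), written out as an added Python example that is not part of the original post or of Keystone's own code. It uses the Keystone v2.0 JSON body form for token-based authentication, assumes a hypothetical endpoint URL, and ships with constructed sample responses so it runs offline; the client verifies that the token it receives is actually bound to the tenant it asked for and has not already expired.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Hypothetical endpoint; Keystone v2.0's public API listens on port 5000 by default.
KEYSTONE = "http://keystone.example.invalid:5000/v2.0"

def http_send(url, body, headers):
    """Real transport: POST a JSON body to Keystone and return the response text."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def _post_tokens(auth, send):
    """POST /v2.0/tokens; `send` is injectable so the flow can run offline."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    raw = send(KEYSTONE + "/tokens", json.dumps({"auth": auth}).encode(), headers)
    return json.loads(raw)["access"]["token"]

def unscoped_token(username, password, send=http_send):
    """Step 1: password auth with no tenant yields a token bound to no tenant."""
    token = _post_tokens({"passwordCredentials": {"username": username, "password": password}}, send)
    if "tenant" in token:
        raise ValueError("expected an unscoped token, got one scoped to " + token["tenant"]["id"])
    return token["id"]

def scope_token(unscoped, tenant_id, send=http_send):
    """Step 2: trade the unscoped token for one scoped to tenant_id, then check
    that Keystone really bound it to that tenant and that it has not expired."""
    token = _post_tokens({"token": {"id": unscoped}, "tenantId": tenant_id}, send)
    if token.get("tenant", {}).get("id") != tenant_id:
        raise ValueError("scoped token is not bound to tenant " + tenant_id)
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= datetime.now(timezone.utc):
        raise ValueError("Keystone returned an already-expired token")
    return token["id"], expires

def fake_send(url, body, headers):
    """Constructed sample responses (not real Keystone output) for offline use."""
    auth = json.loads(body)["auth"]
    exp = "2999-01-01T00:00:00Z"
    if "passwordCredentials" in auth:
        return json.dumps({"access": {"token": {"id": "UNSCOPED-TOKEN", "expires": exp}}})
    tenant = {"id": auth["tenantId"], "name": "demo"}
    return json.dumps({"access": {"token": {"id": "SCOPED-" + tenant["id"], "expires": exp, "tenant": tenant}}})

def demo():
    first = unscoped_token("rlane", "s3cret", send=fake_send)
    scoped, _ = scope_token(first, "tenant-123", send=fake_send)
    return first, scoped
```

Against a real deployment, drop the `send=fake_send` arguments so `http_send` is used, and keep the returned token ids out of logs.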



