[Openstack] [Openstack-operators] Keystone backed by LDAP: What's still stored locally?

gustavo panizzo <gfa> gfa at zumbi.com.ar
Thu Feb 13 11:57:28 UTC 2014


On 02/13/2014 05:28 AM, Nick Maslov wrote:
> Hi Gustavo,
> 
> Can you pls describe, how exactly are you using salt with your config files?
I'm using salt to populate my config files, like I could use
puppet/chef/whatever

> 
> I`m a bit frustrated with plaintext passwords in them as well.
I'm not; a 0600 will make it private and it makes it easier to troubleshoot


> 
> Cheers,
> NM
> 
> 
> -- 
> Nick Maslov
> Sent with Airmail
> 
> On February 11, 2014 at 8:30:15 PM, gustavo panizzo (gfa at zumbi.com.ar
> <mailto://gfa@zumbi.com.ar>) wrote:
> 
>> On 02/11/2014 03:14 PM, Fischer, Matt wrote:
>>> Sorry to follow-up my own question, but for anyone else who has
>>> backed Keystone with LDAP, did you store the service accounts (nova,
>>> glance, etc) in LDAP as well?
>> Yes, I do.
>>>  If so, how did you handle password management (the plaintext
>>> passwords in the config files)?
>> Same as with SQL-based accounts, I put the password in clear text in the
>> config files.
>> I use salt to manage my config files, if that is what you ask.
>>
>>>
>>> From: <Fischer>, Matt <matthew.fischer at twcable.com
>>> <mailto:matthew.fischer at twcable.com>>
>>> Date: Tuesday, February 11, 2014 9:45 AM
>>> To: Adam Young <ayoung at redhat.com <mailto:ayoung at redhat.com>>,
>>> "openstack-operators at lists.openstack.org
>>> <mailto:openstack-operators at lists.openstack.org>"
>>> <openstack-operators at lists.openstack.org
>>> <mailto:openstack-operators at lists.openstack.org>>
>>> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
>>> still stored locally?
>>>
>>>
>>> Thanks Adam, I think we're willing to live without domain support. So
>>> if Policy is the policy.json file (which seems obvious to me now)
>>> then we should be good with no replication.
>>>
>>> From: Adam Young <ayoung at redhat.com <mailto:ayoung at redhat.com>>
>>> Date: Monday, February 10, 2014 6:53 PM
>>> To: "openstack-operators at lists.openstack.org
>>> <mailto:openstack-operators at lists.openstack.org>"
>>> <openstack-operators at lists.openstack.org
>>> <mailto:openstack-operators at lists.openstack.org>>
>>> Subject: Re: [Openstack-operators] Keystone backed by LDAP: What's
>>> still stored locally?
>>>
>>> On 02/10/2014 03:27 PM, Fischer, Matt wrote:
>>>>
>>>> If we use LDAP to provide Assignment and Identity for Keystone, what
>>>> things is keystone still managing locally? The reason I'm asking is
>>>> that we're setting up Openstack in a couple data centers and would
>>>> like to centrally manage users/tenants/roles without replicating
>>>> keystone databases (if that's possible). It looks like Tokens,
>>>> Catalogs, and Policy are the remaining services. I don't think we'd
>>>> ever want to replicate Tokens, and the data in Catalogs might differ
>>>> across DCs anyway, but "Policy" is what I'm not sure about. Is
>>>> Policy the same as Assignment?
>>> No, policy is the flat file that has the rules for RBAC.
>>>
>>> Assignment is what you want to replicate:  the assignment of roles to
>>> users and groups within projects or domains.
>>>
>>>>
>>>> Finally, has anyone else set this up and if so do you have any
>>>> caveats/must-dos? I think I have all the connection to LDAP stuff
>>>> figured out but have not tried with multiple keystone instances.
>>> LDAP can support assignment, but you lose multiple domain support. 
>>> It might be your simplest replication strategy, though.
>>>
>>>
>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> OpenStack-operators at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>>
>> --  
>> 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333


-- 
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
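The 0600 rule of thumb from the reply above, as an added example that is not part of the thread: a small Python audit that finds plaintext credentials in an OpenStack-style ini config (the `[ldap]` bind password and a DB connection URL with embedded credentials) and checks that the file mode keeps them private. Hostnames, DNs and secret values are constructed placeholders.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample keystone.conf fragment with placeholder secrets: an LDAP
# bind password and a DB URL with embedded credentials (not real values).
SAMPLE_CONF = """[ldap]
url = ldap://ldap.example.internal
user = cn=keystone,ou=services,dc=example,dc=internal
password = PLACEHOLDER_LDAP_SECRET
[database]
connection = mysql://keystone:PLACEHOLDER_DB_SECRET@db.example.internal/keystone
"""

def _embeds_credential(value):
    """True for scheme://user:secret@host style values (e.g. DB URLs)."""
    if "://" not in value or "@" not in value:
        return False
    userinfo = value.split("://", 1)[1].split("@", 1)[0]
    return ":" in userinfo

def find_secret_options(path):
    """Return (section, option) pairs that hold a plaintext credential."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    hits = []
    for section in cp.sections():
        for option, value in cp.items(section):
            if "password" in option.lower() or _embeds_credential(value):
                hits.append((section, option))
    return hits

def audit_config(path):
    """Flag secret-bearing options whose file is readable by group/other.
    Rule of thumb from the thread: such a file must be 0600 (or 0400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    secrets = find_secret_options(path)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"secrets": secrets, "mode": mode, "ok": not (secrets and exposed)}

def write_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path
```

Run `audit_config` over each config file that Salt (or Puppet/Chef) lays down; a result with `ok` false means a credential-bearing file is readable beyond its owner.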