Difference between revisions of "Keystone/multiple-datastores"

Latest revision as of 21:18, 23 April 2013

Problem Description

Currently, Keystone supports one RDBMS and one LDAP server for all backends.

In the case of LDAP, we have a request to support one back-end per domain.

For RDBMS, we may want to user a different user, or even a different server, for a high volume back-end like tokens versus the Identity or other back-ends which are more read-heavy.

Design

Each Data store becomes a named object in the Python global namespace. It is created based on a configuration file.

Create a subdirectory /etc/keystone/data for each data store, have a key value pairing to configure it, based on the values from the current config file:

example: token.conf

name = token-sql

type = sql

url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8

example identity.conf For Simple Bind

name = identity-simple

type = ldap

url = ldap://localhost

user = dc=Manager,dc=openstack,dc=org

password = test

example identity.conf for GSSAPI

name = identity-gss

type = ldap

url = ldaps://ldap.openstack.org

user = dc=Manager,dc=openstack,dc=org

sasl = mech=GSSAPI

Then, the keystone config file, the name from above would be bound to the backend. For example.

[identity]

driver = keystone.identity.backends.ldap.Identity

source = data.identity-gss

or

[identity]

driver = keystone.identity.backends.sql.Identity

source = data.token-sql

@@ Line 1: / Line 1: @@
-Currenlt, Keystone supports on RDBMS and one LDAP server for all backends.  IN the case of LDAP, we often need to support one backend per domain.  FOr RDBMS,. we may want to user adifferent user, or even a different server, for a high volume backend like tokens versus the Identity or other backends which are more read-heavy.
+=== Problem Description ===
-Create a subdirectory /etc/keystone/data
+Currently, Keystone supports one RDBMS and one LDAP server for all backends.
-for each data store, have a key value pairing to configure it, based on the values from the current config file:
+In the case of LDAP, we have a request to support  one back-end per domain.
+For RDBMS,  we may want to user a different user, or even a different server, for a high volume back-end like tokens versus the Identity or other back-ends which are more read-heavy.
+=== Design ===
+Each Data store becomes a named object in the Python global namespace.  It is created based on a configuration file.
+Create a subdirectory /etc/keystone/data  for each data store, have a key value pairing to configure it, based on the values from the current config file:
 example:  token.conf
-name = token-sql
+:name = token-sql
-type = sql
+:type = sql
-url =  postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
+:url =  postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
 example identity.conf For Simple Bind
+:name = identity-simple
-name = identity-simple
+:type = ldap
-type = ldap
+:url = ldap://localhost
-url = ldap://localhost
+:user = dc=Manager,dc=openstack,dc=org
-user = dc=Manager,dc=openstack,dc=org
+:password = test
-password = test
 example identity.conf for GSSAPI
-name = identity-gss
+:name = identity-gss
-type = ldap
+:type = ldap
-url = ldaps://ldap.openstack.org
+:url = ldaps://ldap.openstack.org
-user = dc=Manager,dc=openstack,dc=org
+:user = dc=Manager,dc=openstack,dc=org
-sasl = mech=GSSAPI
+:sasl = mech=GSSAPI
 Then, the  keystone config file, the name from above would be bound to the backend.  For example.
-[identity]
+:[identity]
-driver = keystone.identity.backends.ldap.Identity
+:driver = keystone.identity.backends.ldap.Identity
-source = data.identity-gss
+:source = data.identity-gss
 or
-[identity]
+:[identity]
-driver = keystone.identity.backends.sql.Identity
+:driver = keystone.identity.backends.sql.Identity
-source = data.token-sql
+:source = data.token-sql