Difference between revisions of "Keystone/multiple-datastores"
Revision as of 21:18, 23 April 2013
Problem Description
Currently, Keystone supports one RDBMS and one LDAP server for all backends.
In the case of LDAP, we have a request to support one back-end per domain.
For RDBMS, we may want to use a different user, or even a different server, for a high-volume back-end like tokens versus the Identity or other back-ends, which are more read-heavy.
Design:
Each data store becomes a named object in the Python global namespace. It is created based on a configuration file.
Create a subdirectory /etc/keystone/data; for each data store, have a key-value file there to configure it, based on the values from the current config file:
example: token.conf
- name = token-sql
- type = sql
- url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
example identity.conf for simple bind
- name = identity-simple
- type = ldap
- url = ldap://localhost
- user = dc=Manager,dc=openstack,dc=org
- password = test
example identity.conf for GSSAPI
- name = identity-gss
- type = ldap
- url = ldaps://ldap.openstack.org
- user = dc=Manager,dc=openstack,dc=org
- sasl = mech=GSSAPI
Then, in the keystone config file, the name from above would be bound to the backend. For example:
- [identity]
- driver = keystone.identity.backends.ldap.Identity
- source = data.identity-gss
or
- [identity]
- driver = keystone.identity.backends.sql.Identity
- source = data.token-sql
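An added example (not Keystone's own code) of how the binding described above could be loaded: each per-store file is parsed as bare key = value pairs, registered under its name, and a backend section's source = data.name is resolved against that registry, refusing an unknown name or a store whose type the driver cannot use. The in-memory file contents are taken from the examples above, and the driver-to-store-type mapping is an assumption made for the example.

```python
from collections import namedtuple

# Constructed stand-ins for the files under /etc/keystone/data (contents from the page).
DATA_FILES = {
    "token.conf": "name = token-sql\ntype = sql\n"
                  "url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8\n",
    "identity.conf": "name = identity-gss\ntype = ldap\nurl = ldaps://ldap.openstack.org\n"
                     "user = dc=Manager,dc=openstack,dc=org\nsasl = mech=GSSAPI\n",
}

# Assumed mapping: which store type each backend driver is allowed to be bound to.
DRIVER_TYPES = {
    "keystone.identity.backends.ldap.Identity": "ldap",
    "keystone.identity.backends.sql.Identity": "sql",
}

DataStore = namedtuple("DataStore", "name type options")

def parse_datastore(text):
    """Parse one bare 'key = value' file of the kind shown above."""
    opts = {}
    for raw in filter(str.strip, text.splitlines()):
        # Split on the first '=' only, so values like 'mech=GSSAPI' stay intact.
        key, sep, value = raw.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        opts[key.strip()] = value.strip()
    if not {"name", "type"}.issubset(opts):
        raise ValueError("data store needs both 'name' and 'type'")
    return DataStore(opts.pop("name"), opts.pop("type"), opts)

def load_datastores(files):
    """Build the name -> DataStore registry; a duplicate name is a config error."""
    registry = {}
    for fname, text in files.items():
        ds = parse_datastore(text)
        if ds.name in registry:
            raise ValueError(f"duplicate data store name {ds.name!r} in {fname}")
        registry[ds.name] = ds
    return registry

def resolve_source(section, registry):
    """Resolve 'source = data.<name>' and refuse a store the driver cannot use."""
    prefix, _, name = section["source"].partition(".")
    if prefix != "data" or name not in registry:
        raise LookupError(f"unknown data store reference {section['source']!r}")
    ds, expected = registry[name], DRIVER_TYPES[section["driver"]]
    if ds.type != expected:
        raise TypeError(f"{section['driver']} needs a {expected} store; {name!r} is {ds.type}")
    return ds
```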