
Keystone/multiple-datastores

Revision as of 21:18, 23 April 2013 by Ayoung (talk | contribs)

Problem Description

Currently, Keystone supports one RDBMS and one LDAP server for all backends.

In the case of LDAP, we have a request to support one back-end per domain.

For RDBMS, we may want to use a different database user, or even a different server, for a high-volume back-end like tokens versus the Identity or other back-ends, which are more read-heavy.

Design:

Each data store becomes a named object in the Python global namespace. It is created from a configuration file.

Create a subdirectory /etc/keystone/data and give each data store its own file there, a set of key = value pairs that configure it, using the same values found in the current config file:

Example: token.conf

name = token-sql
type = sql
url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8

Example: identity.conf for simple bind

name = identity-simple
type = ldap
url = ldap://localhost
user = dc=Manager,dc=openstack,dc=org
password = test

Example: identity.conf for GSSAPI

name = identity-gss
type = ldap
url = ldaps://ldap.openstack.org
user = dc=Manager,dc=openstack,dc=org
sasl = mech=GSSAPI


Then, in the Keystone config file, the name from above is bound to the backend. For example:

[identity]
driver = keystone.identity.backends.ldap.Identity
source = data.identity-gss

or

[identity]
driver = keystone.identity.backends.sql.Identity
source = data.token-sql
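As an added illustration of the design above (example code, not Keystone's own implementation), the following loads the per-data-store files into named objects and resolves a backend's source = data.<name> reference, refusing a store whose type does not match the driver's backend module. The file contents are embedded inline as constructed samples copied from the examples on this page; the validation rules are assumptions, not part of the proposal.

```python
import configparser

# Constructed sample data-store files, copied from the examples on this page.
DATASTORE_FILES = {
    "token.conf": (
        "name = token-sql\n"
        "type = sql\n"
        "url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8\n"
    ),
    "identity.conf": (
        "name = identity-gss\n"
        "type = ldap\n"
        "url = ldaps://ldap.openstack.org\n"
        "user = dc=Manager,dc=openstack,dc=org\n"
        "sasl = mech=GSSAPI\n"
    ),
}

REQUIRED_KEYS = ("name", "type", "url")  # assumed minimum for any data store


def load_datastores(files):
    """Parse each key = value file into {name: settings}; the files have no
    [section] header, so one is prepended before configparser reads them."""
    stores = {}
    for fname, text in files.items():
        parser = configparser.ConfigParser(interpolation=None)  # '%' in URLs stays literal
        parser.read_string("[store]\n" + text)
        settings = dict(parser["store"])
        missing = [k for k in REQUIRED_KEYS if k not in settings]
        if missing:
            raise ValueError(f"{fname}: missing required keys {missing}")
        if settings["name"] in stores:
            raise ValueError(f"{fname}: duplicate data store name {settings['name']!r}")
        stores[settings["name"]] = settings
    return stores


def resolve_source(stores, driver, source):
    """Map a backend's 'source = data.<name>' to its store and refuse one whose
    type does not match the driver's backend module (ldap driver, sql store)."""
    prefix, _, name = source.partition(".")
    if prefix != "data" or name not in stores:
        raise KeyError(f"unknown data store reference {source!r}")
    store = stores[name]
    backend = driver.split(".")[-2]  # 'ldap' in keystone.identity.backends.ldap.Identity
    if store["type"] != backend:
        raise ValueError(f"{source} is type {store['type']!r}, driver expects {backend!r}")
    return store
```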