Keystone/multiple-datastores
Problem Description
Currently, Keystone supports one RDBMS and one LDAP server for all backends.
In the case of LDAP, we have a request to support one back-end per domain.
For RDBMS, we may want to use a different database user, or even a different server, for a high-volume back-end such as tokens than for the Identity and other back-ends, which are more read-heavy.
Design
Each data store becomes a named object in the Python global namespace, created from its own configuration file.
Create a directory /etc/keystone/data containing one file per data store, each holding key = value pairs drawn from the settings in the current config file. Because these files carry bind passwords and credential-bearing URLs, they should be readable only by the Keystone service user.
Example token.conf:
- name = token-sql
- type = sql
- url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8
Example identity.conf for simple bind:
- name = identity-simple
- type = ldap
- url = ldap://localhost
- user = dc=Manager,dc=openstack,dc=org
- password = test
Example identity.conf for GSSAPI:
- name = identity-gss
- type = ldap
- url = ldaps://ldap.openstack.org
- user = dc=Manager,dc=openstack,dc=org
- sasl = mech=GSSAPI
Then, in the keystone config file, the backend is bound to one of the named data stores above by the source option. For example:
- [identity]
- driver = keystone.identity.backends.ldap.Identity
- source = data.identity-gss
or
- [identity]
- driver = keystone.identity.backends.sql.Identity
- source = data.token-sql
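As an added example (not Keystone's code and not part of this page's design), the following Python prototype parses the per-datastore files above into a registry keyed by name, resolves a source = data.NAME binding from a keystone config section, and rejects a binding whose driver family does not match the datastore type. The directory path, the driver-prefix-to-type table, the file-permission check, the password masking and the sample inputs are all assumptions of the example; the datastore files and the two identity bindings are copied from this page, and the mismatched binding is constructed to show the rejection.

```python
"""Added example: loader for per-datastore files and 'source = data.<name>' bindings.
Not Keystone code; the file layout and the driver-to-type mapping are assumptions."""
import configparser
import os
import stat
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

DATA_DIR = "/etc/keystone/data"  # assumed directory, one 'key = value' file per store

# Assumption: which driver module prefix may bind to which datastore type,
# derived from the two identity bindings shown on the page.
DRIVER_TYPES = {
    "keystone.identity.backends.sql.": "sql",
    "keystone.identity.backends.ldap.": "ldap",
}


@dataclass
class DataStore:
    name: str
    type: str
    url: str
    options: dict = field(default_factory=dict)  # user, password, sasl, ...

    def redacted_url(self) -> str:
        """URL with any embedded password masked, so it can be logged safely."""
        p = urlsplit(self.url)
        if p.password is None:
            return self.url
        host = p.hostname + (f":{p.port}" if p.port else "")
        return urlunsplit((p.scheme, f"{p.username}:***@{host}", p.path, p.query, p.fragment))


def parse_datastore(text: str) -> DataStore:
    """Parse one 'key = value' file; name, type and url are required, the rest are options."""
    kv = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value, got {line!r}")
        key, value = (s.strip() for s in line.split("=", 1))  # split once: 'sasl = mech=GSSAPI'
        kv[key] = value
    missing = {"name", "type", "url"} - kv.keys()
    if missing:
        raise ValueError(f"missing required keys: {sorted(missing)}")
    if kv["type"] not in ("sql", "ldap"):
        raise ValueError(f"unknown datastore type {kv['type']!r}")
    # pops run left to right, so kv holds only the remaining options when passed
    return DataStore(kv.pop("name"), kv.pop("type"), kv.pop("url"), kv)


def load_datastore_dir(path: str = DATA_DIR) -> dict:
    """Build the registry from *.conf files in the directory; refuse files readable
    by group or other, since they hold bind passwords and credential-bearing URLs."""
    registry = {}
    for fname in sorted(os.listdir(path)):
        if not fname.endswith(".conf"):
            continue
        full = os.path.join(path, fname)
        if stat.S_IMODE(os.stat(full).st_mode) & 0o077:
            raise PermissionError(f"{full} is group/world readable; chmod 0600 it")
        with open(full, encoding="utf-8") as fh:
            ds = parse_datastore(fh.read())
        if ds.name in registry:
            raise ValueError(f"duplicate datastore name {ds.name!r} in {full}")
        registry[ds.name] = ds
    return registry


def resolve_source(keystone_conf: str, section: str, registry: dict) -> DataStore:
    """Resolve '[section] source = data.<name>' and check the store's type fits the driver."""
    cp = configparser.ConfigParser()
    cp.read_string(keystone_conf)
    driver, source = cp.get(section, "driver"), cp.get(section, "source")
    prefix, _, name = source.partition(".")
    if prefix != "data" or name not in registry:
        raise ValueError(f"[{section}] source {source!r} does not name a known datastore")
    expected = next((t for p, t in DRIVER_TYPES.items() if driver.startswith(p)), None)
    if expected is None or registry[name].type != expected:
        raise ValueError(f"[{section}] driver {driver!r} cannot use {name!r} "
                         f"(type {registry[name].type})")
    return registry[name]


# Constructed samples: the datastore files and the two bindings from this page,
# plus one deliberately mismatched binding (sql driver pointed at the LDAP store).
TOKEN_CONF = ("name = token-sql\ntype = sql\n"
              "url = postgresql://keystone:keystone@localhost/keystone?client_encoding=utf8\n")
IDENTITY_GSS_CONF = ("name = identity-gss\ntype = ldap\nurl = ldaps://ldap.openstack.org\n"
                     "user = dc=Manager,dc=openstack,dc=org\nsasl = mech=GSSAPI\n")
REGISTRY = {ds.name: ds for ds in map(parse_datastore, (TOKEN_CONF, IDENTITY_GSS_CONF))}
BIND_LDAP = "[identity]\ndriver = keystone.identity.backends.ldap.Identity\nsource = data.identity-gss\n"
BIND_SQL = "[identity]\ndriver = keystone.identity.backends.sql.Identity\nsource = data.token-sql\n"
BIND_MISMATCH = "[identity]\ndriver = keystone.identity.backends.sql.Identity\nsource = data.identity-gss\n"


def try_bind(keystone_conf: str, registry: dict = REGISTRY) -> tuple:
    """(True, datastore name) on success, (False, reason) if the binding is rejected."""
    try:
        return True, resolve_source(keystone_conf, "identity", registry).name
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for conf in (BIND_LDAP, BIND_SQL, BIND_MISMATCH):
        ok, info = try_bind(conf)
        print("bound" if ok else "rejected", info, REGISTRY[info].redacted_url() if ok else "")
```

Running the module binds the two page examples and rejects the mismatched one; load_datastore_dir is the same registry builder driven from the assumed /etc/keystone/data directory, with the permission check that an operator would want before shipping plaintext bind passwords in these files.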