On Fri, 2014-02-28 at 15:25 -0800, Mark Washenberger wrote:
> I believe we have some agreement here. Other openstack services should
> be able to use a strongly typed identifier for users. I just think if
> we want to go that route, we probably need to create a new field to
> act as the proper user uuid, rather than repurposing the existing
> field. It sounds like many existing LDAP deployments would break if we
> repurpose the existing field.

Hi Mark,

Please see my earlier response on this thread. I am proposing putting
external identifiers into a mapping table that would correlate a
Keystone UUID user ID with external identifiers (of variable length). 

Once authentication has occurred (with any auth backend including LDAP),
Keystone would only communicate to the other OpenStack services the UUID
user ID from Keystone. This would indeed require a migration to each
non-Keystone service that stores the user IDs as-is from Keystone
currently (such as Glance or Nova).

Once the migrations are run, then only UUID values would be stored, and
further migrations could be run that would streamline the columns that
store these user IDs to a more efficient CHAR(32) or BINARY(16)
internal storage format.

Hope that clears things up.

Best,
-jay 


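The mapping-table-plus-migration scheme sketched in the message above, as an added example that is not code from Keystone, Glance, or anyone on this thread. The `id_mapping` and `images` schemas, the column names, and the sample LDAP DNs are all assumptions made up for the example; SQLite stands in for the real database, so the CHAR(32)/BINARY(16) declarations document intent rather than being enforced. The first migration rewrites external identifiers to Keystone UUIDs through the mapping table and is idempotent; the second narrows the column to 16 raw bytes and refuses to run if any non-UUID value is still present.

```python
import re
import sqlite3
import uuid

# A Keystone UUID user id as it would be handed to other services: uuid4().hex
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def open_db():
    """In-memory database with a Keystone-style mapping table and a
    Glance-style consumer table. Both schemas are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE id_mapping (
            keystone_id CHAR(32) PRIMARY KEY,   -- uuid4().hex, fixed width
            external_id TEXT NOT NULL UNIQUE    -- e.g. an LDAP DN, variable length
        );
        CREATE TABLE images (
            id    CHAR(32) PRIMARY KEY,
            owner TEXT NOT NULL                 -- today: whatever the auth backend returned
        );
    """)
    return conn


def map_external_id(conn, external_id):
    """Return the Keystone UUID for an external identifier, allocating one on
    first sight. Repeated calls for the same external id return the same UUID,
    so the mapping is stable across authentications and migrations."""
    row = conn.execute(
        "SELECT keystone_id FROM id_mapping WHERE external_id = ?", (external_id,)
    ).fetchone()
    if row:
        return row[0]
    keystone_id = uuid.uuid4().hex
    conn.execute(
        "INSERT INTO id_mapping (keystone_id, external_id) VALUES (?, ?)",
        (keystone_id, external_id),
    )
    return keystone_id


def migrate_owner_column(conn):
    """First migration: rewrite images.owner so only Keystone UUIDs remain.
    Idempotent: values that already look like a UUID are left untouched.
    Returns the number of rows rewritten."""
    rewritten = 0
    with conn:
        for image_id, owner in conn.execute("SELECT id, owner FROM images").fetchall():
            if HEX32.match(owner):
                continue
            conn.execute("UPDATE images SET owner = ? WHERE id = ?",
                         (map_external_id(conn, owner), image_id))
            rewritten += 1
    return rewritten


def narrow_owner_column(conn):
    """Second migration: once every owner is a UUID, rebuild the table with a
    fixed-width BINARY(16) column holding the raw UUID bytes. Any leftover
    non-UUID value aborts the migration rather than being silently truncated."""
    conn.executescript("""
        CREATE TABLE images_new (
            id    CHAR(32) PRIMARY KEY,
            owner BINARY(16) NOT NULL
        );
    """)
    for image_id, owner in conn.execute("SELECT id, owner FROM images").fetchall():
        if not HEX32.match(owner):
            raise ValueError(f"image {image_id}: owner {owner!r} is not a Keystone UUID")
        conn.execute("INSERT INTO images_new VALUES (?, ?)",
                     (image_id, bytes.fromhex(owner)))
    conn.executescript("DROP TABLE images; ALTER TABLE images_new RENAME TO images;")


def demo():
    """Run both migrations over constructed sample rows whose owners are raw LDAP DNs."""
    conn = open_db()
    conn.executemany("INSERT INTO images VALUES (?, ?)", [
        ("a1" * 16, "cn=alice,ou=people,dc=example,dc=com"),
        ("b2" * 16, "cn=bob,ou=people,dc=example,dc=com"),
        ("c3" * 16, "cn=alice,ou=people,dc=example,dc=com"),
    ])
    first = migrate_owner_column(conn)     # all three rows rewritten
    second = migrate_owner_column(conn)    # nothing left to rewrite
    narrow_owner_column(conn)
    owners = [r[0] for r in conn.execute("SELECT owner FROM images ORDER BY id")]
    mappings = conn.execute("SELECT COUNT(*) FROM id_mapping").fetchone()[0]
    return first, second, mappings, owners


if __name__ == "__main__":
    print(demo())
```

Running `demo()` rewrites all three rows on the first pass and none on the second, leaves two entries in `id_mapping` (alice appears twice in `images` but maps to one UUID), and ends with every `owner` stored as 16 bytes. Because `narrow_owner_column` changes the column type, it is a one-way step: it should only be scheduled after every consumer service has been confirmed to store nothing but Keystone UUIDs.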
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
