Re: [Openstack-operators] Migrating keystone from MySQL to LDAP
On Tue, Mar 3, 2015 at 8:44 PM, Fox, Kevin M wrote:
> See the id_mapping table.

That's the first place I've looked into:

mysql> select * from keystone.id_mapping;
Empty set (0.00 sec)

I think because of http://docs.openstack.org/developer/keystone/developing.html#identity-entity-id-management-between-controllers-and-drivers

[...]
To ensure that Keystone can determine to which backend it should route an API call, starting with Juno, the identity manager will, provided that domain-specific backends are enabled, build on-the-fly a persistent mapping table between Keystone Public IDs that are presented to the controller and the domain that holds the entity, along with whatever local ID is understood by the driver. To ensure backward compatibility, the default configuration of either a single SQL or LDAP backend for Identity will not use the mapping table
[...]

I guess Caius can either set the id on the LDAP server (if he has write access), or (probably the better solution) explicitly enable the id mapping feature in Juno and pre-populate the `id_mapping` table.

.a.

-- 
antonio.s.mess...@gmail.com
antonio.mess...@uzh.ch
+41 (0)44 635 42 22
S3IT: Service and Support for Science IT
http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Migrating keystone from MySQL to LDAP
See the id_mapping table.

Thanks,
Kevin

From: Antonio Messina [antonio.s.mess...@gmail.com]
Sent: Tuesday, March 03, 2015 11:28 AM
To: Fox, Kevin M
Cc: Caius Howcroft; openstack-operators@lists.openstack.org
Subject: Re: [Openstack-operators] Migrating keystone from MySQL to LDAP

On Mon, Mar 2, 2015 at 5:31 PM, Fox, Kevin M wrote:
> That leaves identity mapping. There is a table of ldap users to
> unique id's in the database.

I'm not an expert, but I have a Juno testbed that is using LDAP for identity and SQL for assignment, and the 'id' of the user is, in my case, the uid attribute of the ldap object (cfr. `user_id_attribute` option in `keystone.conf`).

$ keystone user-get antonio
+----------+---------+
| Property |  Value  |
+----------+---------+
|    id    | antonio |
|   name   | antonio |
| username | antonio |
+----------+---------+

I don't have anything in the `user` table, and the `assignment` table is populated only when I actually assign a role to a user in a tenant.

$ keystone user-list --tenant demo
+---------+---------+---------+-------+
|    id   |   name  | enabled | email |
+---------+---------+---------+-------+
| antonio | antonio |         |       |
|  sergio |  sergio |         |       |
+---------+---------+---------+-------+

and in the DB:

mysql> select asgn.actor_id, proj.name as project, role.name as role from keystone.assignment as asgn left join keystone.project as proj on asgn.target_id=proj.id left join keystone.role on asgn.role_id=role.id where proj.name='demo';
+----------+---------+--------+
| actor_id | project | role   |
+----------+---------+--------+
| antonio  | demo    | Member |
| sergio   | demo    | Member |
+----------+---------+--------+

.a.
Re: [Openstack-operators] Migrating keystone from MySQL to LDAP
On Mon, Mar 2, 2015 at 5:31 PM, Fox, Kevin M wrote:
> That leaves identity mapping. There is a table of ldap users to
> unique id's in the database.

I'm not an expert, but I have a Juno testbed that is using LDAP for identity and SQL for assignment, and the 'id' of the user is, in my case, the uid attribute of the ldap object (cfr. `user_id_attribute` option in `keystone.conf`).

$ keystone user-get antonio
+----------+---------+
| Property |  Value  |
+----------+---------+
|    id    | antonio |
|   name   | antonio |
| username | antonio |
+----------+---------+

I don't have anything in the `user` table, and the `assignment` table is populated only when I actually assign a role to a user in a tenant.

$ keystone user-list --tenant demo
+---------+---------+---------+-------+
|    id   |   name  | enabled | email |
+---------+---------+---------+-------+
| antonio | antonio |         |       |
|  sergio |  sergio |         |       |
+---------+---------+---------+-------+

and in the DB:

mysql> select asgn.actor_id, proj.name as project, role.name as role from keystone.assignment as asgn left join keystone.project as proj on asgn.target_id=proj.id left join keystone.role on asgn.role_id=role.id where proj.name='demo';
+----------+---------+--------+
| actor_id | project | role   |
+----------+---------+--------+
| antonio  | demo    | Member |
| sergio   | demo    | Member |
+----------+---------+--------+

.a.
Re: [Openstack-operators] Migrating keystone from MySQL to LDAP
You can leave the roles/projects outside of ldap by just using the LDAP identity plugin, leaving the rest in sql. It sounds like they will be deprecating putting roles/projects in LDAP in the future anyway.

That leaves identity mapping. There is a table of ldap users to unique id's in the database. I haven't tried, but you might be able to import all your ldap users into the table, then before any usage, switch the id to the old id's. No idea if it's safe to do that though. You will have to test it thoroughly.

Thanks,
Kevin

From: Caius Howcroft [caius.howcr...@gmail.com]
Sent: Monday, March 02, 2015 7:36 AM
To: openstack-operators@lists.openstack.org
Subject: [Openstack-operators] Migrating keystone from MySQL to LDAP

Hi,

We are in the process of migrating off the MySQL backend for keystone and into LDAP. Just wondering if anyone had any experience with this? I'm going to have to keep all the id's the same (or else go in and change project ids etc. in things like the cinder db). Looks like the keystone API doesn't allow me to force a uuid at creation time for projects, roles and users. I can go in and create the projects etc. in a python script directly, but that's a bit messy.

Just wondered if anyone had done this and had a neater solution?

Caius
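A dry-run for the approach Kevin sketches above and Antonio refines later in the thread (pre-populating `id_mapping` so each LDAP user keeps its old SQL `user.id` as its public ID), written as an added example and not code from the thread or from Keystone. The `id_mapping` columns and the default domain id are assumptions based on the Juno schema, and `OLD_USERS`, `LDAP_UIDS` and `ASSIGNMENT_ACTORS` are constructed sample data standing in for the `user` table, the LDAP directory and the `assignment` table.

```python
import sqlite3

# Assumption: the domain id your LDAP identity backend serves.
DEFAULT_DOMAIN_ID = "default"

# Assumed to mirror the Juno id_mapping columns; verify against your schema.
ID_MAPPING_DDL = """CREATE TABLE IF NOT EXISTS id_mapping (
    public_id   VARCHAR(64) PRIMARY KEY,
    domain_id   VARCHAR(64) NOT NULL,
    local_id    VARCHAR(64) NOT NULL,
    entity_type VARCHAR(5)  NOT NULL,
    UNIQUE (domain_id, local_id, entity_type))"""

def plan_mapping(old_users, ldap_uids, domain_id=DEFAULT_DOMAIN_ID):
    """old_users: {old keystone user id: name}; ldap_uids: set of LDAP uid values.
    Returns (rows, problems): id_mapping rows that keep the OLD id as public_id,
    plus users that cannot be mapped safely (no LDAP uid, or a uid claimed twice)."""
    rows, problems, claimed = [], [], {}
    for old_id, name in sorted(old_users.items()):
        if name not in ldap_uids:
            problems.append("%s: no LDAP entry with uid=%s" % (old_id, name))
        elif name in claimed:
            problems.append("%s: uid=%s already mapped to %s" % (old_id, name, claimed[name]))
        else:
            claimed[name] = old_id
            rows.append((old_id, domain_id, name, "user"))
    return rows, problems

def load_mapping(rows, conn=None):
    """Insert the planned rows (into an in-memory SQLite DB unless a keystone DB
    connection is given); PRIMARY KEY / UNIQUE reject any collision the planner missed."""
    conn = conn if conn is not None else sqlite3.connect(":memory:")
    conn.execute(ID_MAPPING_DDL)
    with conn:
        conn.executemany("INSERT INTO id_mapping VALUES (?, ?, ?, ?)", rows)
    return conn

def unresolved_actors(conn, assignment_actor_ids):
    """assignment.actor_id values with no public_id in id_mapping: those role
    assignments would stop resolving after the cut-over, so fix them first."""
    known = {r[0] for r in conn.execute("SELECT public_id FROM id_mapping")}
    return sorted(set(assignment_actor_ids) - known)

# Constructed sample data: three old SQL users, one of them without an LDAP entry.
OLD_USERS = {"7d1f0a1e": "antonio", "c03b9e55": "sergio", "e9a44b02": "ghost"}
LDAP_UIDS = {"antonio", "sergio", "svc-nova"}
ASSIGNMENT_ACTORS = ["7d1f0a1e", "c03b9e55", "e9a44b02"]
```

Run `plan_mapping` against a dump of the real `user` table and the uid list from LDAP, and only load the rows once `problems` and `unresolved_actors` are both empty.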
Re: [Openstack-operators] Migrating keystone from MySQL to LDAP
What are you going to use LDAP for? Identity/Assignment/both? Do you have unfettered write access into your LDAP?

We use a hybrid driver that will auth against mySQL and LDAP so we can set up service accounts (like nova, neutron, etc). AFAIK LDAP Assignment is being deprecated because nobody uses it.

On 3/2/15, 8:36 AM, "Caius Howcroft" wrote:

>Hi,
>
>We are in the process of migrating off the MySQL backend for keystone and
>into LDAP. Just wondering if anyone had any experience with this? I'm
>going to have to keep all the id's the same (or else go in and change
>project ids etc. in things like the cinder db). Looks like the keystone API
>doesn't allow me to force a uuid at creation time for projects, roles
>and users. I can go in and create the projects etc. in a python script
>directly, but that's a bit messy.
>
>Just wondered if anyone had done this and had a neater solution?
>
>Caius
[Openstack-operators] Migrating keystone from MySQL to LDAP
Hi,

We are in the process of migrating off the MySQL backend for keystone and into LDAP. Just wondering if anyone had any experience with this? I'm going to have to keep all the id's the same (or else go in and change project ids etc. in things like the cinder db). Looks like the keystone API doesn't allow me to force a uuid at creation time for projects, roles and users. I can go in and create the projects etc. in a python script directly, but that's a bit messy.

Just wondered if anyone had done this and had a neater solution?

Caius