Bug 983345 - [RFE] Splitting assignments from the Identity Backend.
[RFE] Splitting assignments from the Identity Backend.
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
Unspecified Unspecified
medium Severity high
: Upstream M2
: 4.0
Assigned To: Adam Young
Jeremy Agee
: FutureFeature
Depends On: 986067 988937
Blocks: RHOS40RFE
  Show dependency treegraph
Reported: 2013-07-10 23:16 EDT by Adam Young
Modified: 2016-04-26 23:54 EDT (History)
4 users (show)

See Also:
Fixed In Version: openstack-keystone-2013.2-0.5.b2.el6ost
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-19 18:54:08 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 33745 None None None Never
OpenStack gerrit 34254 None None None Never
OpenStack gerrit 34967 None None None Never

  None (edit)
Description Adam Young 2013-07-10 23:16:25 EDT
Original bug report was: 

implement an LDAP backend for identity that:

* allows for mapping by a tenant to a group/search set in LDAP
* authenticates to LDAP
* manages tenants and tenant-user linkages in SQL external to LDAP

Better stated as:

Split the identity backend into an identity portion and an assignments portion.

This work is tracked by blueprint 

Comment 2 Dmitri Pal 2013-07-23 16:52:50 EDT
How to test:

Configure both the SQL and LDAP values for Keystone.

Set up Keystone to use the sql asignment backend, and the LDAP identity backend

driver = keystone.identity.backends.ldap.Identity

driver = keystone.identity.backends.sqlAssignment

Run the tempest test suite.

As a precondtion, make sure that there are no users or groups set up in the Sql Database, and no roles, role assignments, or projects in the LDAP database.

after running tempest,  that precondition should hold true as well.

Any users or groups created by tempest should only exist in the LDAP backend
Any role assignments etc should only exist in the sql backend.
Comment 3 Dmitri Pal 2013-07-23 16:54:00 EDT
Make sure that you have read only access to LDAP in the test above.
Comment 6 Jeremy Agee 2013-12-12 21:34:43 EST
verified, assignments and identity function separately
Comment 8 errata-xmlrpc 2013-12-19 18:54:08 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.