Currently the OpenStack environment deployed by Fuel only supports SQL for the Keystone identity backend. In some cases we already have our own LDAP (eg openLDAP, AD, etc.) authentication service and we prefer not to maintain two authentication services in the our environment. Therefore, it would be beneficial to support LDAP identity backend too. Given that the Keystone team considers SQL as the preferred assignment backend, the idea of LDAP assignment backend is against it and therefore we prefer using SQL as assignment backend with no switch option.
We could let Fuel to switch identity backend by adding setting options at cluster wizard page as a trigger which allowing deployers to choose their own identity backend with SQL, or pre-existing LDAP server which is read only. Since Openstack documentation discourages using LDAP with other connection mode beside read-only, I will keep it stick with read-only. We also need an aditional setting block inside cluster setting tab for fill up LDAP detail connection information include LDAP server administrator information, identity domain scope, connection info, etc. Inside the connection info, user can provide the user accounts from LDAP to Fuel after they decided which account inside LDAP should be administrator to which service in Openstack. An test connection button or link shloud be added inside cluster setting tab too, to validate the settings.
We can do nothing, but a deployer will not be able to use their pre-existed LDAP as a identity backend for Openstack.
We have to store following data in settings:
No REST API modifications needed.
I see no objections about upgrades. LDAP connection are based on LDAP identity driver which is a part of official set of identity drivers. So any upgrades should be done in a common way.
LDAP traffic exchanged in clear-text could be bad for some customers. It would be worth to add a section on LDAP over SSL.
Some modifications of the Cluster Creation Wizard needed. Add setting options for switching identity backend purpose. Need an aditional setting block inside cluster setting tab for fill up LDAP detail connection information and a services administrator assigning forms for fill up administrator assignment form LDAP account to Openstack environment.
Deployer will be able to switch to their own pre-existed LDAP with Cluster Creation Wizard in Fuel deployment. As an operation requirement, if pre-existed LDAP selected, Deployer must fill up more detail information in cluster setting tab.
The Configuration pattern of Keystone with LDAP backend will be different from original sql backend. We change identity backend and assign administrator for each services and default project. This should be care for while developing relatived patterns. Developers would also be impacted by the code diverge between upstream manifests for puppet openstack modules and the forked copies we maintain in sync.
wrapped up as a separate Jenkins thread job.