On 30/01/15 05:20, Steven Hardy wrote:
On Thu, Jan 29, 2015 at 12:31:17PM -0500, Zane Bitter wrote:
On 29/01/15 12:03, Steven Hardy wrote:
On Thu, Jan 29, 2015 at 11:41:36AM -0500, Zane Bitter wrote:
IIUC keystone now allows you to add users to a domain that is otherwise
backed by a read-only backend (i.e. LDAP). If this means that it's now
possible to configure a cloud so that one need not be an admin to create
users then I think it would be a really useful thing to expose in Heat. Does
anyone know if that's the case?
I've not heard of that feature, but it's definitely now possible to
configure per-domain backends, so for example you could have the "heat"
domain backed by SQL and other domains containing real human users backed
by a read-only directory.
http://adam.younglogic.com/2014/08/getting-service-users-out-of-ldap/
Perhaps we need to seek clarification from Adam/Henry, but my understanding
of that feature is not that it enables you to add users to domains backed
by a read-only directory, but rather that multiple backends are possible,
such that one domain can be backed by a read-only backend, and another
(different) domain can be backed by a different read/write one.
E.g. in the example above, you might have the "freeipa" domain backed by
read-only LDAP which contains your directory of human users, and you might
also have a different domain e.g. "services" or "heat" backed by a
read/write backend e.g. SQL.
Ah, you're right, I've been misinterpreting that post this whole time.
Thanks!
- ZB
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
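
The per-domain backend layout discussed in the thread, as an added configuration sketch that is not part of the original messages. It assumes keystone's domain-specific driver support and the "freeipa" and "heat" domain names from the example above; the LDAP URL, DNs and password placeholder are constructed, and the short driver names `ldap` and `sql` are those of later keystone releases (releases from the time of this thread took the full driver class path instead).

```ini
# ---- /etc/keystone/keystone.conf (main configuration) ----
[identity]
# Read one extra configuration file per domain from domain_config_dir.
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
# Backend for any domain that has no file of its own.
driver = sql

# ---- /etc/keystone/domains/keystone.freeipa.conf ----
# Human users live in the directory; keystone only reads them.
[identity]
driver = ldap

[ldap]
# Constructed values; replace with the real directory.
url = ldaps://ipa.example.test
suffix = dc=example,dc=test
user_tree_dn = cn=users,cn=accounts,dc=example,dc=test
# Bind with an account that has read-only rights in the directory, so
# the read-only property does not depend on keystone settings alone.
user = uid=keystone-ro,cn=sysaccounts,cn=etc,dc=example,dc=test
password = <PLACEHOLDER>
# Releases from the time of this thread also had write switches;
# set them to false there so keystone never attempts a write.
user_allow_create = false
user_allow_update = false
user_allow_delete = false

# ---- /etc/keystone/domains/keystone.heat.conf ----
# Users created on behalf of Heat stacks go to a separate, writable
# SQL-backed domain and never touch the directory.
[identity]
driver = sql
```

With this layout, a request to create a user in the "freeipa" domain still fails, which is the distinction drawn in the thread: each domain has exactly one backend, and only the SQL-backed domain accepts new users.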