Multiple IDM
The primary goal of Keystone is to act as a backend-agnostic hub for identity sourcing within OpenStack. This lofty goal means that not only will we need an extensible front-end (as enabled by the core-extension architecture), but we will also need to allow the back-end to be extensible.
Today, Keystone allows one and only one identity management store to be active at any given time. Out of the box this is SQLite, but it can be configured for LDAP.
To be backend-agnostic, we need to support multiple identity management stores. The OpenStack services shouldn't care which IdM store the user is coming from, only that the user is authenticated and authorized to perform the requested actions. So this will need to live in Keystone.
The vision is that a keystone-admin role can perform an API call to add IdM connections in a secure fashion (certs?). Once those are added, SCIM can be used to perform synchronizations, providing a centralized user-sourcing data store within Keystone.
An added benefit is the ability to cross-backup identities across the various IdMs, ensuring access to cloud services even if one IdM goes down.
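To make the routing and failover idea concrete, here is an added toy model (illustration only, not Keystone's code or API) of an identity hub that maps each domain to one primary store and an optional synchronized replica. All names (`IdentityHub`, `InMemoryIdM`, `Principal`) and the in-memory stores are assumptions constructed for the example; the "SCIM-like" export/import is a stand-in for a real synchronization, and it moves password hashes, never plaintext. Two design points the blueprint implies are enforced: an unknown domain fails closed rather than being searched across every store, and a wrong password in the primary is never retried elsewhere, while an unreachable primary falls through to the mirrored copy.

```python
"""Toy model of a backend-agnostic identity hub with per-domain routing
and replica failover. Added illustration only; not Keystone code."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class BackendUnavailable(Exception):
    """Raised when an identity store cannot be reached."""


@dataclass
class Principal:
    user_id: str
    domain: str
    backend: str  # which store actually vouched for this user


class InMemoryIdM:
    """Stand-in for an LDAP/SQL store; passwords kept as salted PBKDF2 digests."""

    def __init__(self, name, users, available=True):
        self.name = name
        self.available = available  # flip to False to simulate an outage
        self._users = {}
        for username, password in users.items():  # constructed sample users
            salt = os.urandom(16)
            self._users[username] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, username, password):
        if not self.available:
            raise BackendUnavailable(self.name)
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(self._digest(password, salt), expected)

    def export_users(self):
        """SCIM-like bulk export used to seed a replica (hashes, never plaintext)."""
        return dict(self._users)

    def import_users(self, records):
        self._users.update(records)


class IdentityHub:
    """Routes each domain to exactly one primary store plus an optional replica."""

    def __init__(self):
        self._routes = {}  # domain -> (primary, replica or None)

    def register(self, domain, primary, replica=None):
        if domain in self._routes:
            raise ValueError(f"domain {domain!r} already has a backend")
        self._routes[domain] = (primary, replica)

    def sync_replica(self, domain):
        primary, replica = self._routes[domain]
        if replica is not None:
            replica.import_users(primary.export_users())

    def authenticate(self, domain, username, password):
        if domain not in self._routes:
            return None  # unknown domain: fail closed, never search all stores
        primary, replica = self._routes[domain]
        for store in (primary, replica):
            if store is None:
                continue
            try:
                ok = store.check_password(username, password)
            except BackendUnavailable:
                continue  # primary unreachable: try the mirrored copy
            if ok:
                return Principal(username, domain, store.name)
            return None  # wrong password: do not retry in another store
        raise BackendUnavailable(domain)  # every store down: error, not a silent deny


if __name__ == "__main__":
    hub = IdentityHub()
    corp = InMemoryIdM("corp-ldap", {"alice": "s3cret"})
    mirror = InMemoryIdM("keystone-mirror", {})
    hub.register("corp", corp, mirror)
    hub.sync_replica("corp")
    print(hub.authenticate("corp", "alice", "s3cret"))
    corp.available = False
    print(hub.authenticate("corp", "alice", "s3cret"))  # served by the mirror
```

The returned `Principal` records which backend vouched for the user, so a downstream service or audit log can tell a primary-store login from one served by the replica during an outage.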
Blueprint information
- Status: Complete
- Approver: Ziad Sawalha
- Priority: Undefined
- Drafter: Joe Savak
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Deferred
- Milestone target: None
- Started by:
- Completed by: Joseph Heck