shadow users
Locally managed users are handled slightly differently from users backed by LDAP, which in turn are handled significantly differently from users backed by federation. The available APIs, the relevant APIs, and the token validation responses all vary. For example, users receive different types of IDs; passwords may or may not be stored in keystone; and federated users may not be able to receive direct role assignments. Each additional authentication method added in the future risks complicating this further.
Instead of continuing down this path, we can refactor our user persistence to separate identities from their locally-managed credentials, if any. The result will be a unified experience for both end users and operators.
Blueprint information
- Status: Complete
- Approver: Steve Martinelli
- Priority: High
- Drafter: Steve Martinelli
- Direction: Approved
- Assignee: Ron De Rose
- Definition: Approved
- Series goal: Accepted for mitaka
- Implementation: Implemented
- Milestone target: mitaka-3
- Started by: Steve Martinelli
- Completed by: Steve Martinelli
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Shadow users - Separate user identities
Addressed by: https:/
Shadow users - Shadow federated users
Gerrit topic: https:/
Addressed by: https:/
Shadow users - Allow concrete role assignments for federated users
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Role assignment resolution for shadow users.
Gerrit topic: https:/
Addressed by: https:/
WIP - Drop EPHEMERAL user type