blueprint: fuel-with-existed-ldap
This spec describes fuel-plugin-ldap design. Plugin allows to use existed LDAP as identity backend for keystone. Change-Id: I40fe84b21152c570ff924a39a615e2d165c25a07
This commit is contained in:
vsaienko
parent
f0e1f6cbfd
commit
6812d55184
|
|
@ -0,0 +1,177 @@
|
|||
======================================================================
|
||||
Fuel plugin that allows to use existing LDAP as authentication backend
|
||||
======================================================================
|
||||
|
||||
https://blueprints.launchpad.net/fuel/+spec/fuel-with-existed-ldap
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently the OpenStack environment deployed by Fuel only supports SQL for
|
||||
the Keystone identity backend. In some cases we already have our own LDAP
|
||||
(eg openLDAP, AD, etc.) authentication service and we prefer not to maintain
|
||||
two authentication services in our environment. Therefore, it would be
|
||||
beneficial to support LDAP identity backend too.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Implement Fuel plugin that will allow to switch identity backend by adding
|
||||
Setting options at Fuel UI wizard as a trigger which allows to choose the
|
||||
pre-existing LDAP as identity backend.
|
||||
|
||||
* Keystone domain_specific_drivers will be enabled once LDAP backend is
|
||||
choosen.
|
||||
|
||||
* Default keystone domain will be used to store OpenStack service users.
|
||||
SQL will be used as identity backed for default domain.
|
||||
|
||||
* New keystone domain will be created. Name of keystone domain is specified
|
||||
in LDAP settings. Identity backend driver will be changed to LDAP for this
|
||||
domain.
|
||||
|
||||
* All Horizon users will use LDAP as authentication backend.
|
||||
Horizon identity API will be switched to V3.
|
||||
|
||||
Plugin will also add an extra block of settings inside the Settings tab of
|
||||
the Fuel Web UI to fill in detailed information on LDAP connection
|
||||
(including LDAP server administration).
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
* Use ReadWrite LDAP connection, which is not recommended due to security
|
||||
reasons.
|
||||
|
||||
* Use ReadOnly LDAP connection. Enabling keystone domains is needed, since
|
||||
Heat requires ReadWrite access to authentication backend.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
The following data will be added to Fuel Web UI Settings tab:
|
||||
|
||||
* The LDAP connection URL and login information.
|
||||
|
||||
* Customized LDAP configuration for user and group, include tree DNs, filter,
|
||||
object class, CRUD permissions.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
No REST API modifications needed.
|
||||
|
||||
|
||||
Upgrade impact
|
||||
--------------
|
||||
|
||||
I see no objections about upgrades. LDAP connection is based on LDAP
|
||||
identity driver which is a part of official set of identity drivers. So any
|
||||
upgrades should be done in a common way.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
LDAP traffic exchanged in clear-text could be bad for some customers. It
|
||||
would be worth to add a section on LDAP over SSL to Fuel Web UI Settings tab.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Deployer will be able to install Fuel LDAP plugin, which allows to configure
|
||||
LDAP as identity backend for Keystone.
|
||||
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
The Configuration pattern of Keystone with LDAP backend will be different
|
||||
from original sql backend.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Vasyl Saienko
|
||||
Dmitry Ilyin
|
||||
Ivan Berezovskiy
|
||||
|
||||
QA engineers:
|
||||
Kyrylo Romanenko
|
||||
|
||||
Mandatory design reviewers:
|
||||
Stephan Fabel
|
||||
Artem Andreev
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
* Implement Fuel Plugin
|
||||
|
||||
* Implement Puppet manifests
|
||||
|
||||
* Testing
|
||||
|
||||
* Write documentation (plugin guide)
|
||||
|
||||
* Test plan, report
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Additional functional tests for UI.
|
||||
|
||||
* Additional functional tests for puppet script.
|
||||
|
||||
* Additional System tests against a stand alone test environment(with ldap).
|
||||
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
* The documentation should describe how to set up LDAP for a simple test
|
||||
environment.
|
||||
|
||||
* The documentation should warn about password expiration for service
|
||||
accounts(eg their passwords should nerver expire).
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-
|
||||
ldap-backend.html
|
||||
|
||||
https://wiki.openstack.org/wiki/OpenLDAP
|
||||
Loading…
Reference in New Issue