
blueprint: fuel-with-existed-ldap

This spec describes the fuel-plugin-ldap design. The plugin
allows using an existing LDAP as the identity backend for
Keystone.

Change-Id: I40fe84b21152c570ff924a39a615e2d165c25a07
vsaienko 3 years ago
parent commit 6812d55184
1 changed file with 177 additions and 0 deletions

specs/fuel-plugin-ldap.rst

@@ -0,0 +1,177 @@
1
+======================================================================
2
+Fuel plugin that allows to use existing LDAP as authentication backend
3
+======================================================================
4
+
5
+https://blueprints.launchpad.net/fuel/+spec/fuel-with-existed-ldap
6
+
7
+
8
+Problem description
9
+===================
10
+
11
+Currently the OpenStack environment deployed by Fuel only supports SQL for
12
+the Keystone identity backend. In some cases we already have our own LDAP
13
+(eg openLDAP, AD, etc.) authentication service and we prefer not to maintain
14
+two authentication services in our environment. Therefore, it would be
15
+beneficial to support LDAP identity backend too.
16
+
17
+
18
+Proposed change
19
+===============
20
+
21
+Implement Fuel plugin that will allow to switch identity backend by adding
22
+Setting options at Fuel UI wizard as a trigger which  allows to choose the
23
+pre-existing LDAP as identity backend.
24
+
25
+* Keystone domain_specific_drivers will be enabled once LDAP backend is
26
+  choosen.
27
+
28
+* Default keystone domain will be used to store OpenStack service users.
29
+  SQL will be used as identity backed for default domain.
30
+
31
+* New keystone domain will be created. Name of keystone domain is specified
32
+  in LDAP settings. Identity backend driver will be changed to LDAP for this
33
+  domain.
34
+
35
+* All Horizon users will use LDAP as authentication backend.
36
+  Horizon identity API will be switched to V3.
37
+
38
+Plugin will also add an extra block of settings inside the Settings tab of
39
+the Fuel Web UI to fill in detailed information on LDAP  connection
40
+(including LDAP server administration).
41
+
42
+
43
+Alternatives
44
+------------
45
+
46
+* Use ReadWrite LDAP connection, which is not recommended due to security
47
+  reasons.
48
+
49
+* Use ReadOnly LDAP connection. Enabling keystone domains is needed, since
50
+  Heat requires ReadWrite access to authentication backend.
51
+
52
+Data model impact
53
+-----------------
54
+
55
+The following data will be added to Fuel Web UI Settings tab:
56
+
57
+* The LDAP connection URL and login information.
58
+
59
+* Customized LDAP configuration for user and group, include tree DNs, filter,
60
+  object class, CRUD permissions.
61
+
62
+
63
+REST API impact
64
+---------------
65
+
66
+No REST API modifications needed.
67
+
68
+
69
+Upgrade impact
70
+--------------
71
+
72
+I see no objections about upgrades. LDAP connection is based on LDAP
73
+identity driver which is a part of official set of identity drivers. So any
74
+upgrades should be done in a common way.
75
+
76
+
77
+Security impact
78
+---------------
79
+
80
+LDAP traffic exchanged in clear-text could be bad for some customers. It
81
+would be worth to add a section on LDAP over SSL to Fuel Web UI Settings tab.
82
+
83
+Notifications impact
84
+--------------------
85
+
86
+None.
87
+
88
+Other end user impact
89
+---------------------
90
+
91
+Deployer will be able to install Fuel LDAP plugin, which allows to configure
92
+LDAP as identity backend for Keystone.
93
+
94
+
95
+Performance Impact
96
+------------------
97
+
98
+None.
99
+
100
+
101
+Other deployer impact
102
+---------------------
103
+
104
+None.
105
+
106
+
107
+Developer impact
108
+----------------
109
+
110
+The Configuration pattern of Keystone with LDAP backend will be different
111
+from original sql backend.
112
+
113
+Implementation
114
+==============
115
+
116
+Assignee(s)
117
+-----------
118
+
119
+Primary assignee:
120
+  Vasyl Saienko
121
+  Dmitry Ilyin
122
+  Ivan Berezovskiy
123
+
124
+QA engineers:
125
+  Kyrylo Romanenko
126
+
127
+Mandatory design reviewers:
128
+  Stephan Fabel
129
+  Artem Andreev
130
+
131
+Work Items
132
+----------
133
+
134
+* Implement Fuel Plugin
135
+
136
+* Implement Puppet manifests
137
+
138
+* Testing
139
+
140
+* Write documentation (plugin guide)
141
+
142
+* Test plan, report
143
+
144
+
145
+Dependencies
146
+============
147
+
148
+None
149
+
150
+
151
+Testing
152
+=======
153
+
154
+* Additional functional tests for UI.
155
+
156
+* Additional functional tests for puppet script.
157
+
158
+* Additional System tests against a stand alone test environment(with ldap).
159
+
160
+
161
+Documentation Impact
162
+====================
163
+
164
+* The documentation should describe how to set up LDAP for a simple test
165
+  environment.
166
+
167
+* The documentation should warn about password expiration for service
168
+  accounts(eg their passwords should nerver expire).
169
+
170
+
171
+References
172
+==========
173
+
174
+http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-
175
+ldap-backend.html
176
+
177
+https://wiki.openstack.org/wiki/OpenLDAP
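Review bot: the Security impact section treats transport protection as a follow-up ("It would be worth to add a section on LDAP over SSL"), yet the same spec puts the LDAP connection URL and login information into the Settings tab (Data model impact) and routes every Horizon user's authentication through that connection (Proposed change), so a cleartext ldap:// URL exposes both the bind password and each user's password on the management network. Make TLS part of the initial plugin: accept an ldaps:// URL or a StartTLS option together with a CA certificate and a strict certificate-verification setting, and refuse a plain ldap:// URL unless the deployer explicitly opts out. In the same section, state how the bind password entered in the Fuel Web UI is stored and that the rendered keystone.conf must be readable only by the keystone service user. Two related points: under Alternatives, "Use ReadOnly LDAP connection" plus keystone domains is the design actually chosen in Proposed change, so it should be moved out of the alternatives list, and the "CRUD permissions" listed under Data model impact should default to read-only for the LDAP domain so a compromised Keystone cannot write back into the directory. Finally, the Documentation Impact warning about service-account password expiry should name the LDAP bind account explicitly, since the spec keeps OpenStack service users in the SQL default domain.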
