| author | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-07-25 20:09:45 +0100 |
|---|---|---|
| committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-08-15 23:41:15 +0100 |
| commit | 1ed2046eaa91fa36926d66a5fe1e88ccd65373bb (patch) | |
| tree | b370dde77bb78b2a5a217840a97bc25c3d37ef26 /etc | |
| parent | 049c5c7159ba88f584c832e6b1a87d6bee9c31d7 (diff) | |
Implement domain specific Identity backends

A common scenario in shared clouds will be that a cloud provider will
want to be able to offer larger customers the ability to interface to
their chosen identity provider. In the base case, this might well be
their own corporate LDAP/AD directory. A cloud provider might also
want smaller customers to have their identity managed solely
within the OpenStack cloud, perhaps in a shared SQL database.

This patch allows domain specific backends for identity objects
(namely user and groups), which are specified by creation of a domain
configuration file for each domain that requires its own backend.

A side benefit of this change is that it clearly separates the
backends into those that are domain-aware and those that are not,
allowing, for example, the removal of domain validation from the
LDAP identity backend.

Implements bp multiple-ldap-servers
DocImpact

Change-Id: I489e8e50035f88eca4235908ae8b1a532645daab
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/keystone.conf.sample | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample index 90efe5f6..922d90c6 100644 --- a/etc/keystone.conf.sample +++ b/etc/keystone.conf.sample @@ -99,6 +99,14 @@ # There is nothing special about this domain, other than the fact that it must # exist to order to maintain support for your v2 clients. # default_domain_id = default +# +# A subset (or all) of domains can have their own identity driver, each with +# their own partial configuration file in a domain configuration directory. +# Only values specific to the domain need to be placed in the domain specific +# configuration file. This feature is disabled by default; set +# domain_specific_drivers_enabled to True to enable. +# domain_specific_drivers_enabled = False +# domain_config_dir = /etc/keystone/domains # Maximum supported length for user passwords; decrease to improve performance. # max_password_length = 4096 |
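Review bot: The added comment block ending at `# domain_config_dir = /etc/keystone/domains` never says what that option is or how a file in the directory is matched to a domain, so an operator reading the sample cannot tell which file name is expected or what a domain without a file uses. Suggest one sentence describing `domain_config_dir` and the expected file naming, next to the existing "Only values specific to the domain need to be placed in the domain specific configuration file." Since the commit message gives a corporate LDAP/AD directory as the base case, these per-domain files will typically hold directory bind credentials, so the comment should also state that the directory and its files must be readable only by the account Keystone runs as. While this section is being touched, the unchanged context line "exist to order to maintain support for your v2 clients" has a typo ("in order to") worth fixing.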
