LDAP backend should do filtered query instead of getting all data and then filtering
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Wishlist
|
Henry Nash |
Bug Description
When I want to find entity (group/user) by name (using /v3/users?
It should do filtering on query level in my opinion. It is very useful when having huge LDAP catalog.
How it works now:
If I want find user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for all user_filter matching entities
2. Filters out user (MyUser) I am looking for
How it should work:
If I want find user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for user matching both user_filter and ({user_
{user_name_
This approach reduces data downloaded from LDAP and allows to have very large users database without shrinking it down by user_filter (no always possible) or using paging (also not always possible).
I heard that there was some effort to move filtering into query level but status is unknown.
Changed in keystone: | |
status: | Confirmed → In Progress |
Changed in keystone: | |
milestone: | none → kilo-3 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | kilo-3 → 2015.1.0 |
We have the scaffolding in place for this but haven't extended it to the drivers yet. We may have a bug on this already or at least a blueprint. I'm assigning it over to henrynash to followup.
This is marked as wishlist because it isn't so much a bug as an enhancement.