Create a new database table and use it from OpenStack Keystone

For my research project, I came across a scenario where I need to store certain new policies  in Keystone and need to access it from Swift. I take the challenges for implementing this in OpenStack in two subproblems.

 

 

1. Create and store policies in a new table in OpenStack Keystone
2. Pass the policies as token data and receive them in OpenStack Swift.

 

For the 2nd part of the problem I had another blog post. Find it here. In this post, I tickle the first problem.

 

I visualize creating and storing policies as a OpenStack Keystone table into four small problems as

1. Create a new database table (lets name it labac. Yes, I am assuming keystone is using mysql as backend)
2. Create a python class (say LabacObj) to perform CRUD operations on the table.
3. Add methods to interact with the LabacObj objects
4. Recipe is ready. How to serve the dinner.

 

Create a new Database Table:

To have some basic idea on how OpenStack use mysql table in backend see this post. Nonetheless, where I am reiterating the steps.

 

 

mysql -u root # log into mysql databases for OpenStack

show databases; # it shows all OpenStack tables.

use keystone; # use specific Keystone database

show tables; # show all tables in keystone database

# Now I add a new table called labac.

create table labac (id varchar(64), project_id varchar(64), policy varchar(256))

# insert values in the newly created table.

insert into labac(project_id, policy) values(1,100,”first policy”);

insert into labac(project_id, policy) values(1,100,”second policy”);

insert into labac(project_id, policy) values(1,100,”third policy”);

 

 

lets see some screenshots. This completes our first part of our problem.

 

 

 

 

 

 

 

Create Python class to handle the new database:

Keystone (and all other OpenStack services) use wrapper python class to access a database table. So, we do this too. To manage User, Roles, Domain, Project and other resources (Trust, Token and so on)  keystone database has one (or more) table for each of them. These tables are managed by various internal APIs inside keystone.

 

 

 

 

For example, inside token controller (see figure above), we can see assignment_api, catalog_api, identity_api, resource_api and so on. Of them, identity_api handles “user” table and methods involving users (and some of project, domains and so on). On the other hand, resource_api handles domain table, project table. I choose my newly create labac table to be handled by resource_api. So, I add an interface object in the resource_api. I modified the following file in order to do it

 

 

/opt/stack/keystone/keystone/resource/backends/sql.py

 

 

 

 

As we can see LaBAC class in the above figure, is a python obj to handle to labac table. Data type and size of the columns in the table should be reflected in the python class.

Add interface methods for CRUD operations:

The interface methods for CRUD operation is added in the same file. Following screenshot show how to query all the policy from the table for a given project_id.

 

 

 

 

Additionally, we need to update a new method in the interface of the resource_api which is at the following file

 

 

/opt/stack/keystone/keystone/resource/core.py

 

Serve your recipe: 

By this time we have done enough for creating labac mysql table, python object and CRUD methods. In this case, I need to retrieve these policies and pass them  at the time of creating/verifying token. So, I add them in the following file

 

 

/opt/stack/keystone/keystone/token/providers/common.py

 

 

 

 

 

and this is the place where I can add new values to be passed to keystone token. In my case, I am passing “lebac_policy” and its value is coming from the labac table as you can see I call resouce_api and my CRUD method from here.

🙂