Last modified: 2013-04-24 12:19:32 UTC
If a user tries to access a project before they are a member, they'll be stored in the negative nscd cache for group. When the user is added to the project, if they try to access the instance before the negative cache expires, they'll be rejected. Using salt, we should trigger an nscd group cache invalidation for all instances in a project when a user is added or removed from the project.
Where should the invalidation be triggered? Options:
1) the 'if ( $success ) { .. }' block in addMember(), deleteMember() and possibly setMembers() methods on OpenStackNovaProjectGroup.php
2) Some wrapper around LdapAuthenticationPlugin::ldap_modify
Thoughts? Is there any existing integration between salt and OpenStackManager that I could check out?
There's no integration yet. Either you'd need to shell out, or get salt-api working.
salt-api is currently 'pre-alpha'. The code doesn't look like anything substantial yet. The Salt wire protocol is MessagePack on top of ZeroMQ. Both MessagePack and ZeroMQ have good PHP bindings, so perhaps writing a PHP-based salt client wouldn't be too hard. Alternately we could implement a simple MediaWiki-Salt bridge, perhaps using UDP / wfDebug. Both approaches would be overkill if this was an isolated need. If there was better Salt / MediaWiki integration, do you expect to have lots of uses for it?