[openstack-dev] [keystone] A default domain

Dolph Mathews dolph.mathews at gmail.com
Wed Jan 16 16:07:22 UTC 2013

Currently, the API user is allowed to not include a domain_id in a request
to create new users or create new projects. The assumption is that the
service will assign those resources to the creating user's domain.

In a recent keystone meeting, I believe we did have a brief discussion
about applying such a behavior to other calls. Currently, the two calls you
listed are different (the first returns all users in the system regardless
of domain). Further, if the second call was going to default to a domain, I
would hope it would default to the requesting user's domain, not the
default domain.

That said, with the introduction of domain-specific role grants[1] and
domain-scoped tokens[2], we have a third option: listing users in the
domain for which your token token is authorized, regardless of whether you
specify a domain in the query string. I don't think we would have a way to
list all users in the system at that point.

All of this could/should equally apply to projects as well.

[1]: https://review.openstack.org/#/c/18706/
[2]: https://review.openstack.org/#/c/18770/


On Wed, Jan 16, 2013 at 9:47 AM, Jay Pipes <jaypipes at gmail.com> wrote:

> On 01/15/2013 03:42 PM, Dolph Mathews wrote:
> > Per today's keystone meeting, I wrote a blueprint for the default domain
> > solution, in order to provide an assumed scope for v2 API operations
> > (which is not domain-aware), including authentication and validation, in
> > the context of a deployment with v3 API users (which are domain-aware).
> >
> >   https://blueprints.launchpad.net/keystone/+spec/default-domain
> Hi Dolph. In the blueprint I see this:
> The following pairs of calls would then be equivalent:
>   GET /v2.0/users
>   GET /v3/users?domain_id={default_domain_id}
>   GET /v2.0/tenants
>   GET /v3/projects?domain_id={default_domain_id}
>   POST /v2.0/tokens {'auth': {'projectName': 'foobar'}}
>   POST /v3/auth {'auth': {'projects': [{'name': 'foobar', 'domain_id':
> 'default'}]}
> In the v3 API, can the user also leave off the domain_id? In other
> words, are these two equivalent?
>   GET /v3/users
>   GET /v3/users?domain_id={default_domain_id}
> Cheers,
> -jay
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130116/e1031690/attachment.html>

More information about the OpenStack-dev mailing list