[openstack-dev] [keystone] A default domain

Vishvananda Ishaya vishvananda at gmail.com
Wed Jan 16 17:29:17 UTC 2013

On Jan 16, 2013, at 8:07 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:

> Currently, the API user is allowed to not include a domain_id in a request to create new users or create new projects. The assumption is that the service will assign those resources to the creating user's domain.
> In a recent keystone meeting, I believe we did have a brief discussion about applying such a behavior to other calls. Currently, the two calls you listed are different (the first returns all users in the system regardless of domain). Further, if the second call was going to default to a domain, I would hope it would default to the requesting user's domain, not the default domain.
> That said, with the introduction of domain-specific role grants[1] and domain-scoped tokens[2], we have a third option: listing users in the domain for which your token token is authorized, regardless of whether you specify a domain in the query string. I don't think we would have a way to list all users in the system at that point.

If we are being pedantic about REST, this should not be allowed, because a given uri should corresspond to one set of data. I guess the "right" way to do it would be to redirect to ?domain_id=<users_domain>. That said, I've always felt that REST breaks down with lists and authz so some cheating may be warranted.


More information about the OpenStack-dev mailing list