[openstack-dev] [puppet][keystone] To always use or not use domain name?

Adam Young ayoung at redhat.com
Wed Aug 5 15:03:55 UTC 2015


On 08/05/2015 08:16 AM, Gilles Dubreuil wrote:
> While working on trust provider for the Keystone (V3) puppet module, a
> question about using domain names came up.
>
> Shall we allow or not to use names without specifying the domain name in
> the resource call?
>
> I have this trust case involving a trustor user, a trustee user and a
> project.
>
> For each user/project the domain can be explicit (mandatory):
>
> trustor_name::domain_name
>
> or implicit (optional):
>
> trustor_name[::domain_name]
>
> If a domain isn't specified the domain name can be assumed (intuited)
> from either the default domain or the domain of the corresponding
> object, if unique among all domains.
If you are specifying project by name, you must specify domain either 
via name or id.  If you specify proejct by ID, you run the risk of 
conflicting if you provide a domain speciffiedr (ID or name).

>
> Although allowing to not use the domain might seems easier at first, I
> believe it could lead to confusion and errors. The latter being harder
> for the user to detect.
>
> Therefore it might be better to always pass the domain information.

Probably a good idea, as it will catch if you are making some 
assumption.  IE, I say  DomainX  ProejctQ  but I mean DomainQ ProjectQ.

>
> I believe using the full domain name approach is better.
> But it's difficult to tell because in puppet-keystone and
> puppet-openstacklib now rely on python-openstackclient (OSC) to
> interface with Keystone. Because we can use OSC defaults
> (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't
> necessarily makes it the best approach. For example hard coded value [1]
> makes it flaky.
>
> [1]
> https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40
>
> To help determine the approach to use, any feedback will be appreciated.
>
> Thanks,
> Gilles
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list