
<p>Domains are not equivalent to tenants.  Currently there is no domain equivalent in keystone.  That is my understanding.</p>

<div class="gmail_quote">On Aug 14, 2012 9:15 PM, "Naveen Joy (najoy)" <<a href="mailto:najoy@cisco.com">najoy@cisco.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div lang="EN-US" link="blue" vlink="purple">

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I deeply desire tenant-uniqueness for usernames because it’s the natural way in which identity information is organized in a multi-tenant database, for instance

 LDAP uses DN\username or Domain\username convention and prevents name conflicts between tenants .  Can you elaborate on what the impact is to the NSS capacity referred below?.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Cheers,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Naveen<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Matt Joyce [mailto:<a href="mailto:matt.joyce@cloudscaling.com" target="_blank">matt.joyce@cloudscaling.com</a>]

<br>

<b>Sent:</b> Tuesday, August 14, 2012 5:13 PM<br>

<b>To:</b> OpenStack Development Mailing List<br>

<b>Subject:</b> Re: [openstack-dev] Keystone user creation question<u></u><u></u></span></p>

<p class="MsoNormal"><u></u> <u></u></p>

<p class="MsoNormal" style="margin-bottom:12.0pt">I deeply desire that we continue to require unique names across keystone.  I do not like the idea of tenant specific or domain specific names.  It may cost us down the road if we ever decide we want to provide

 NSS capacity based off of keystone.<br>

<br>

-Matt<u></u><u></u></p>

<div>

<p class="MsoNormal">On Tue, Aug 14, 2012 at 5:06 PM, Joseph Heck <<a href="mailto:heckj@me.com" target="_blank">heckj@me.com</a>> wrote:<u></u><u></u></p>

<div>

<p class="MsoNormal">Hey Naveen - <u></u><u></u></p>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

<div>

<p class="MsoNormal">Although the spec is currently for keeping the usernames unique globally, domains (part of the V3 API setup) will allow us to have a boundary/barrier for uniqueness if that's desired.<u></u><u></u></p>


</div>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

<div>

<p class="MsoNormal">The quirk that is keeping it in place is generally *not* mandating that the end user - when authenticating - know the "project/tenant" name to which they're authenticating. If we allowed tenant-uniqueness for usernames, then in order to

 log in and guarantee uniqueness so we could authZ someone, we would need to know the tenant up front as well. Current systems (like logging in to the horizon dashboard) *do not* require that.<u></u><u></u></p>

</div>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

<div>

<p class="MsoNormal">-joe<u></u><u></u></p>

</div>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<div>

<div>

<div>

<p class="MsoNormal">On Aug 14, 2012, at 4:55 PM, Naveen Joy (najoy) <<a href="mailto:najoy@cisco.com" target="_blank">najoy@cisco.com</a>> wrote:<u></u><u></u></p>

</div>

</div>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<div>

<div>

<div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It’s valid for the same username to exist across multiple tenants and should be only unique for a  tenant. Keystone today is enforcing uniqueness for a name  and prevents

 creation of the same user across tenants. Is there a plan to use (tenantID, name) as a composite key instead of just the name?.  <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Conflict occurred attempting to store user. (IntegrityError) (1062, "Duplicate entry 'admin' for key 'name'") 'INSERT INTO user (id, name, extra) VALUES (%s, %s, %s)' ('697addf1c62a4eaea33d6c99076269d6',

 'admin', '{"password": "$6$rounds=40000$SGj4.DyRasD5jy7l$uZNGjWvUkgJkqrGb4B/4uXga.FjFy7VMCkHKcWHJkXVkHUgtF.D1SDz9RwO3aazvGhyGUQK/isK3jwNprSpVD.", "enabled": true, "email": null, "tenantId": "0f8423b5c8a74ffc91c0ccf1c7015aa3"}') (HTTP 409)<u></u><u></u></span></p>


</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">desc user;<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">+-------+-------------+------+-----+---------+-------+<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">| Field | Type        | Null | Key | Default | Extra |<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">+-------+-------------+------+-----+---------+-------+<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">| id    | varchar(64) | NO   | PRI | NULL    |       |<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">| name  | varchar(64) | NO   | UNI | NULL    |       |<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">| extra | text        | YES  |     | NULL    |       |<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">+-------+-------------+------+-----+---------+-------+<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">3 rows in set (0.00 sec)<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cheers,<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Naveen<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

</div>

</div>

</div>

<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank"><span style="color:purple">OpenStack-dev@lists.openstack.org</span></a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><span style="color:purple">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a><u></u><u></u></span></p>


</div>

</blockquote>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

</div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

</div>


<br>_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

<br></blockquote></div>