<div dir="ltr"><font face="arial, helvetica, sans-serif">Hi,</font><div><font face="arial, helvetica, sans-serif">I was trying to make sense of the new Keystone models by looking at the code at <a href="https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py">https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py</a></font></div>
<div><font face="arial, helvetica, sans-serif"><br></font></div><div style><font face="arial, helvetica, sans-serif">I liked the fact that we have a notion of domains as a global container for users, groups and projects.</font></div>
<div style><font face="arial, helvetica, sans-serif">I believe that since it's added as a foreign key to all these tables, we are ensuring uniqueness of users, groups and projects per domain.</font></div><div style><font face="arial, helvetica, sans-serif"><br>
</font></div><div style><font face="arial, helvetica, sans-serif">Along the same lines, I think we are missing a check that the user-group and user-project relationships are also unique per domain. Is this a bug or by design? If by design, why?</font></div>
<div style><font face="arial, helvetica, sans-serif"><br></font></div><div style><pre style="margin-top:0px;margin-bottom:0px;padding:0px;border:0px;font-size:12px;color:rgb(51,51,51)">
    def add_user_to_group(self, user_id, group_id):
        session = self.get_session()
        self.get_group(group_id)
        self.get_user(user_id)
        query = session.query(UserGroupMembership)
        query = query.filter_by(user_id=user_id)
        query = query.filter_by(group_id=group_id)
        rv = query.first()
        if rv:
            return

        with session.begin():
            session.add(UserGroupMembership(user_id=user_id,
                                            group_id=group_id))
            session.flush()
</pre></div>
<div style><font face="arial, helvetica, sans-serif"><br></font></div>
<div style><font face="arial, helvetica, sans-serif">The above code adds a user to a group without checking that they share a domain.</font></div>
<div style><font face="arial, helvetica, sans-serif">Does this allow User A in Domain A to be associated with Group B in Domain B?</font></div>
<div style><font face="arial, helvetica, sans-serif">Ideally User A shouldn't be doing anything in Domain B. Isn't it?</font></div>
<div style><font face="arial, helvetica, sans-serif"><br></font></div>
<div style><font face="arial, helvetica, sans-serif">Thanks,</font></div>
<div style><font face="arial, helvetica, sans-serif">Ronak</font></div>
<div style><br></div><div style><br></div></div>
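The gap the mail describes, illustrated with an added, self-contained example that is not Keystone's code and not part of the original message. It models the user, group and membership tables with the standard-library sqlite3 module (the schema, table names, sample rows and the composite foreign keys on the membership table are assumptions made for this example, not Keystone's real schema). One function mirrors the shape of the quoted method (existence checks, then insert, no domain comparison); a second adds the application-level guard; and the schema shows a defence-in-depth variant where the membership row carries the shared domain so the database itself rejects a cross-domain link even when the application forgets to check.

```python
import sqlite3

# Constructed schema (an assumption for this example, not Keystone's tables).
# A membership row records the one domain both sides must belong to, and the
# composite foreign keys only resolve when user and group are in that domain.
SCHEMA = """
CREATE TABLE domain (id TEXT PRIMARY KEY);
CREATE TABLE users (
    id        TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES domain(id),
    UNIQUE (id, domain_id)
);
CREATE TABLE groups (
    id        TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES domain(id),
    UNIQUE (id, domain_id)
);
CREATE TABLE user_group_membership (
    user_id   TEXT NOT NULL,
    group_id  TEXT NOT NULL,
    domain_id TEXT NOT NULL,
    PRIMARY KEY (user_id, group_id),
    FOREIGN KEY (user_id, domain_id)  REFERENCES users  (id, domain_id),
    FOREIGN KEY (group_id, domain_id) REFERENCES groups (id, domain_id)
);
"""

# Constructed sample data: User A in Domain A, one group in each domain.
SAMPLE_DATA = """
INSERT INTO domain VALUES ('domainA'), ('domainB');
INSERT INTO users  VALUES ('userA', 'domainA');
INSERT INTO groups VALUES ('groupA', 'domainA'), ('groupB', 'domainB');
"""


class CrossDomainMembership(Exception):
    """Raised by the application-level guard when user and group domains differ."""


def open_db(enforce_foreign_keys=True):
    """Fresh in-memory database. SQLite leaves foreign keys OFF unless asked."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_foreign_keys else "OFF"))
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def domain_of(conn, table, row_id):
    """Return the domain_id of a user or group; raise LookupError if absent."""
    if table not in ("users", "groups"):  # table is a code constant, never input
        raise ValueError(table)
    row = conn.execute(f"SELECT domain_id FROM {table} WHERE id = ?", (row_id,)).fetchone()
    if row is None:
        raise LookupError(f"{table}: {row_id} not found")
    return row[0]


def membership_exists(conn, user_id, group_id):
    row = conn.execute(
        "SELECT 1 FROM user_group_membership WHERE user_id = ? AND group_id = ?",
        (user_id, group_id)).fetchone()
    return row is not None


def add_user_to_group_unchecked(conn, user_id, group_id):
    """Same shape as the quoted Keystone method: existence checks, idempotency
    check, then insert. Nothing here compares the two domains."""
    user_domain = domain_of(conn, "users", user_id)
    domain_of(conn, "groups", group_id)
    if membership_exists(conn, user_id, group_id):
        return
    with conn:  # commits on success, rolls back if the INSERT raises
        conn.execute("INSERT INTO user_group_membership VALUES (?, ?, ?)",
                     (user_id, group_id, user_domain))


def add_user_to_group_checked(conn, user_id, group_id):
    """Application-level guard: refuse the link unless both sides share a domain."""
    user_domain = domain_of(conn, "users", user_id)
    group_domain = domain_of(conn, "groups", group_id)
    if user_domain != group_domain:
        raise CrossDomainMembership(
            f"{user_id} is in {user_domain}, {group_id} is in {group_domain}")
    add_user_to_group_unchecked(conn, user_id, group_id)


def try_add(add_func, user_id, group_id, enforce_foreign_keys=True):
    """Run one add attempt against a fresh database and report what stopped it."""
    conn = open_db(enforce_foreign_keys)
    try:
        add_func(conn, user_id, group_id)
    except CrossDomainMembership:
        return "rejected by application check"
    except sqlite3.IntegrityError:
        return "rejected by database constraint"
    added = membership_exists(conn, user_id, group_id)
    conn.close()
    return "added" if added else "not added"


if __name__ == "__main__":
    print(try_add(add_user_to_group_checked, "userA", "groupA"))    # added
    print(try_add(add_user_to_group_checked, "userA", "groupB"))    # rejected by application check
    print(try_add(add_user_to_group_unchecked, "userA", "groupB"))  # rejected by database constraint
    print(try_add(add_user_to_group_unchecked, "userA", "groupB",
                  enforce_foreign_keys=False))                      # added (the gap in the mail)
```

The last call reproduces the situation in the mail: with no domain comparison in the application and no domain-aware constraint in the schema, User A from Domain A ends up a member of Group B in Domain B. The application guard is the direct fix; storing the shared domain on the membership row and referencing the (id, domain_id) pairs is the belt-and-braces version, since it holds even for code paths that bypass the Python check.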