<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>We don't utilize email address for anything. It is not meant to be a top-level column. We've had a lot of discussions on this. The main result is we decided that Keystone should be getting out of the PII game as much as possible. </div><div><br></div><div>I am against making email a top level attribute. Instead we should be de-emphasizing adding in email (for PII reasons, as keystone does not have a way to securely store them - even as a top-level column) unless email is used as a username. As I recall "email address" was meant to be removed from most/all of our API examples for these reasons. Unless OpenStack or Keystone starts making real use of the email address and needs that PII in the keystone store, it doesn't make sense to treat it as a first class attribute. Keystone is not a CRM tool. </div><div><br></div><div>As a side note, I have proposed a way (it needs further work and would be a Mitaka target) to add validation to the extra attributes on a case-by-case basis for a given deployment. 
[1]</div><div><br></div><div>[1] <a href="https://review.openstack.org/#/c/190532/">https://review.openstack.org/#/c/190532/</a></div><div><br><div>Sent via mobile</div></div><div><br>On Sep 11, 2015, at 06:55, Lance Bragstad <<a href="mailto:lbragstad@gmail.com">lbragstad@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 11, 2015 at 8:04 AM, David Stanek <span dir="ltr"><<a href="mailto:dstanek@dstanek.com" target="_blank">dstanek@dstanek.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><span class=""><div class="gmail_quote">On Fri, Sep 11, 2015 at 8:26 AM, Christian Berendt <span dir="ltr"><<a href="mailto:christian@berendt.io" target="_blank">christian@berendt.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">At the moment it is possible to create new users with invalid mail addresses. I pasted the output of my test at <a href="http://paste.openstack.org/show/456642/" rel="noreferrer" target="_blank">http://paste.openstack.org/show/456642/</a>. (the listing of invalid mail addresses is available at <a href="http://codefool.tumblr.com/post/15288874550/list-of-valid-and-invalid-email-addresses" rel="noreferrer" target="_blank">http://codefool.tumblr.com/post/15288874550/list-of-valid-and-invalid-email-addresses</a>).<br>
<br>
Is it intended that addresses are not validated?<br>
<br>
Does it make sense to validate addresses (e.g. with <a href="https://github.com/mailgun/flanker" rel="noreferrer" target="_blank">https://github.com/mailgun/flanker</a>)?<br>
</blockquote></div><div class="gmail_extra"><br></div></span>I don't know the complete history of this (I'm sure others can chime in later), but since Keystone doesn't use the email address for anything it was never really considered a first class attribute. It is just something we accept and return through the API. It doesn't even have its own column in the database.</div></div></blockquote><div><br></div><div>Correct, I believe this is the reason why we don't actually tie the email address attribute validation into jsonschema [0]. The email address attribute is just something that is grouped into the 'extra' attributes of a create user request, so it's treated similarly with jsonschema [1]. I remember having a few discussions around this with various people, probably in code review somewhere [2]. </div><div><br></div><div>I think jsonschema has built-in support that would allow us to validate email addresses [3]. I think that would plug in pretty naturally to what's already in keystone.</div><div><br></div><div>[0] <a href="https://github.com/openstack/keystone/blob/aa8dc5c9c529c2678933c9b211b4640600e55e3a/keystone/identity/schema.py#L24-L33">https://github.com/openstack/keystone/blob/aa8dc5c9c529c2678933c9b211b4640600e55e3a/keystone/identity/schema.py#L24-L33</a></div><div>[1] <a href="https://github.com/openstack/keystone/blob/aa8dc5c9c529c2678933c9b211b4640600e55e3a/keystone/identity/schema.py#L39">https://github.com/openstack/keystone/blob/aa8dc5c9c529c2678933c9b211b4640600e55e3a/keystone/identity/schema.py#L39</a> </div><div>[2] <a href="https://review.openstack.org/#/c/132122/6/keystone/identity/schema.py">https://review.openstack.org/#/c/132122/6/keystone/identity/schema.py</a></div><div>[3] <a href="http://python-jsonschema.readthedocs.org/en/latest/validate/#validating-formats">http://python-jsonschema.readthedocs.org/en/latest/validate/#validating-formats</a></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br></div><div class="gmail_extra">I don't like this for a variety of reasons and we do have a bug[1] for fixing this. Last Thursday several of us were discussing making a database column for the email address as part of the fix for that bug.<br><br>1. <a href="https://bugs.launchpad.net/keystone/+bug/1218682" target="_blank">https://bugs.launchpad.net/keystone/+bug/1218682</a></div><span class=""><font color="#888888"><div class="gmail_extra"><div><br></div>-- <br><div>David<br>blog: <a href="http://www.traceback.org" target="_blank">http://www.traceback.org</a><br>twitter: <a href="http://twitter.com/dstanek" target="_blank">http://twitter.com/dstanek</a><div>www: <a href="http://dstanek.com" target="_blank">http://dstanek.com</a></div></div>
</div></font></span></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>
</div></blockquote></body></html>