<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 13, 2016 at 3:30 PM, Henry Nash <span dir="ltr"><<a href="mailto:henrynash9@mac.com" target="_blank">henrynash9@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">So, I think it depends what level of compatibility we are aiming at. Let me articulate them, and we can agree which we want:<div><br></div><div>C1) In all version of the our APIs today (v2 and v3.0 to v3.6), you have been able to issue an auth request which used project/tenant name as the scoping directive (with v3 you need a domain component as well, but that’s not relevant for this discussion). In these APIs, we absolutely expect that if you could issue an auth request to. say project “test”, in, say, v3.X, then you could absolutely issue the exact same command at V3.(X+1). This has remained true, even when we introduced project hierarchies, i.e.: if I create:</div><div><br></div><div>/development/myproject/test</div><div><br></div><div>...then I can still scope directly to the test project by simply specifying “test” as the project name (since, of course, all project names must still be unique in the domain). We never want to break this for so long as we formally support any APIs that once allowed this.</div><div><br></div><div>C2) To aid you issuing an auth request scoped by project (either name or id), we support a special API as part of the auth url (GET/auth/projects) that lists the projects the caller *could* scope to (i.e. those they have any kind of role on). You can take the “name” or “id” returned by this API and plug it directly into the auth request. Again for any API we currently support, we can’t break this.</div><div><br></div><div>C3) The name attribute of a project is its node-name in the hierarchy. If we decide to change this in a future API, we would not want a client using the existing API to get surprised and suddenly receive a path instead of the just the node-name (e.g. what if this was a UI of some type). </div><div><br></div><div>Given all the above, there is no solution that can keep the above all true and allow more than one project of the same name in, say, v3.7 of the API. Even if we relaxed C2 and C2 - C1 can never be guaranteed to be still supported. Neither of the original proposed solutions can address this (since it is a data modelling problem, not an API problem).</div><div><br></div><div>However, given that we will have, for the first time, the ability to microversion the Identity API starting with 3.7, there are things we can do to start us down this path. Let me re-articulate the options I am proposing:</div><div><br></div><div>Option 1A) In v3.7 we add a ‘path_name' attribute to a project entity, which is hence returned by any API that returns a project entity. The ‘path_name' attribute will contain the full path name, including the project itself. (Note that clients speaking 3.6 and earlier will not see this new attribute). Further, for clients speaking 3.7 and later, we add support to allow a ‘path_name' (as an alternative to ‘name' or ‘id') to be used in auth scoping. We do not (yet) relax any uniqueness constraints, but mark API 3.6 and earlier as deprecated, as well as using the ‘name’ attribute in the auth request. (we still support all these, we just mark them as deprecated). At some time in the future (e.g. 3.8), we remove support for using ‘name’ for auth, insisting on the use of ‘path_name’ instead. Sometime later (e.g. 3.10) we remove support for 3.8 and earlier. Then and only then, do we relax the uniqueness constraint allowing projects with duplicate node-names (but with different parents).</div><div><br></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word"><div></div><div>Option 1B) The same as 1A, but we insist on path_name use in auth in v3.7 (i.e. no grace-period for still using just ’name', instead relying on the fact that 3.6 clients will still work just fine). Then later (e.g. perhaps v3.9), we remove support for v3.6 and before…and relax the uniqueness constraint.</div><div><br></div></div></blockquote><div><br></div><div>Let say the assumption that we are "removing" 3.6 should be stopped right now. I don't want to embark on the "when we remove this" as an option or discuss how we remove previous versions. Please lets assume for the sake of this conversation unless we have a major API version increase (API v4 and do not expose v4 projects via v3 API) this is unlikely happen. Deprecated or not, planning the removal of current supported API auth functionality is not on the table. In v3 we are not going to "relax" the uniqueness constraint in the foreseeable future. Just assume v3.6 is going to live forever for now and we can revisit when/if limits on microversion lower bounds is addressed in OpenStack with TC direction/guidance.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word"><div></div><div>Option 2A) In 3.7 the meaning of the ‘name' attribute of project entity is redefined to be the full path name (note that clients speaking 3.6 will continue to see ’name’ just be the node-name without a path). We do not (yet) relax any uniqueness constraints. For clients speaking 3.7 and later, we return the full path name where the project entity ‘name’ attribute is returned. For auth, we allow a full path name to specified in the ‘name’ scope attribute - but we also still support just a name without a path (which we can guarantee to honour, since, so far, we haven’t relaxed the uniqueness constraint - however we mark that support as deprecated). At some time in the future (e.g. 3.8), we remove support for using an un-pathed ‘name’ for auth. Sometime later (e..g. 3.10) we remove support for 3.8 and earlier. Then and only then, do we relax the uniqueness constraint allowing projects with duplicate node-names (but with different parents).</div><div><br></div><div>Option 2B) The same as 2A, but we insist on using ‘name’ with a full path use in auth in v3.7 (i.e. no grace-period for still using an un-pathed ’name', instead relying on the fact that 3.6 clients will still work just fine). Then later (e.g. perhaps v3.9), we remove support for v3.6 and before…and relax the uniqueness constraint.</div><div><br></div><div>The downside for option 2A and 2B is that a client must do work to not be “surprised” by 3.7 (since the ‘name’ attribute of a project entity may not contain what they expect). For 1A no changes are required at all for a client to work with 3.7 and maintain the current experience, although changes ARE of course required to start moving away from using the non-pathed ‘name’ attribute, but that doesn’t have to be done straight away, we give them a grace cycle. For 1B, you need to make changes to support 3.7 (since a path is required for auth).</div><div><br></div><div>As I have said before, my preference is Option 1, since I think it results in a more logical end position, and neither 1 or 2 get us there any more quickly. For option 1, I prefer the more gradual approach of 1A, just so that we give clients a grace period. Given we need multiple cycles to achieve any of the options, let’s decide the final conceptual model we want - and then move towards it. Options 1's conceptual mode is that ‘name’ remains the same, and we add separate ‘path’ attribute, Option 2’s other redefines ‘name’ to always be a full path.</div><span class=""><font color="#888888"><div><br></div><div>Henry</div></font></span><div><div class="h5"><div><br></div><div><br></div></div></div></div></blockquote><div><br></div><div>I gave an alternative to this whole mess that would work and get the non-unique requirements for a specific project. I'll go over the only viable option (see my comment above, uniqueness constraint cannot go away in the forseeable future; not in v3.10, not in v3.11, etc).</div><div><br></div><div>* For all projects created in v3.7 or later, the "name" is explicitly the full path. This keeps compatibility with v3.6 (you can auth, use the project's "name" which is now the full path).</div><div> </div><div>* All projects get a way to map the full path (full_path attr, as you said for option 2[A/B]). We can support authentication with *either* full path or name, the advantage of full_path is you never need to supply domain identification for the "user friendly" name -- keep in mind, this also will need to explore (at least documentation around) what occurs if a project name is "changed" as project names are mutable, it would change the path; should project names become immutable?</div><div><br></div><div>All of this means that current auth workflows *and* new "full_path" workflows play nicely and no compatibility is broken. We aren't re-defining anything here as redefining things will break current workflows.</div><div><br></div><div>In short, do not expect an api break/compat break is going to be possible in v3 for older API versions.</div><div><br></div><div>--Morgan</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div class="h5"><div><div><div><blockquote type="cite"><div>On 10 Jun 2016, at 18:48, Morgan Fainberg <<a href="mailto:morgan.fainberg@gmail.com" target="_blank">morgan.fainberg@gmail.com</a>> wrote:</div><br><div><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 10, 2016 at 6:37 AM, Henry Nash<span> </span><span dir="ltr"><<a href="mailto:henrynash9@mac.com" target="_blank">henrynash9@mac.com</a>></span><span> </span>wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">On further reflection, it seems to me that we can never simply enable either of these approaches in a single release. Even a v4.0 version of the API doesn’t help - since presumably a sever supporting v4 would want to be able to support v3.x for a signification time; and, already discussed, as soon as you allow multiple none-names to have the same name, you can no longer guarantee to support the current API.<div><br></div><div>Hence the only thing I think we can do (if we really do want to change the current functionality) is to do this over several releases with a typical deprecation cycle, e.g.</div><div><br></div><div>1) At release 3.7 we allow you to (optionally) specify path names for auth….but make no changes to the uniqueness constraints. We also change the GET /auth/projects to return a path name. However, you can still auth exactly the way we do today (since there will always only be a single project of a given node-name). If however, you do auth without a path (to a project that isn’t a top level project), we log a warning to say this is deprecated (2 cycles, 4 cycles?)</div><div>2) If you connect with a 3.6 client, then you get the same as today for GET /auth/projects and cannot use a path name to auth.</div><div>3) At sometime in the future, we deprecate the “auth without a path” capability. We can debate as to whether this has to be a major release.</div><div><br></div><div>If we take this gradual approach, I would be pushing for the “relax project name constraints” approach…since I believe this leads to a cleaner eventual solution (and there is no particular advantage with the hierarchical naming approach) - and (until the end of the deprecation) there is no break to the existing API.</div><span><font color="#888888"><div><br></div></font></span><div><span><font color="#888888">Henry</font></span><div><div><br></div></div></div></div></blockquote><div><br></div><div>How do you handle relaxed project name constraints without completely breaking 3.6 auth - regardless of future microversion that requires the full path. This is a major api change and will result in very complex matrix of project name mapping (old projects that can be accessed without the full path, new that must always have the path)?</div><div><br></div><div>Simply put, I do not see relaxing project name constraints as viable without a major API change and projects that simply are unavailable for scoping a token to under the base api version (pre-microversions) of 3.6</div><div><br></div><div>I am certain that if all projects post API version 3.6 are created with the full-path name only and that is how they are represented to the user for auth, we get both things for free. Old projects pre-full-path would need optional compatibility for deconstructing a full-path for them. Basically you end up with "path" and "name", in old projects these differ, in new projects they are the same. No conflicts, not breaking "currently working auth", no "major API version" needed.</div><div><br></div><div>--Morgan</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><div><div><blockquote type="cite"><div>On 7 Jun 2016, at 09:47, Henry Nash <<a href="mailto:henrynash9@mac.com" target="_blank">henrynash9@mac.com</a>> wrote:</div><br><div><div style="word-wrap:break-word">OK, so thanks for the feedback - understand the message.<div><br></div><div>However, in terms of compatibility, the one thing that concerns me about the hierarchical naming approach is that even with microversioing, we might still surprise a client. An unmodified client (i.e. doesn’t understand 3.7) would still see a change in the data being returned (the project names have suddenly become full path names). We have to return this even if they don’t ask for 3.7, since otherwise there is no difference between this approach and relaxing the project naming in terms of trying to prevent auth breakages.</div><div><br></div><div>In more detail:</div><div><br></div><div>1) Both approaches were planned to return the path name (instead of the node name) in GET /auth/projects - i.e. the API you are meant to use to find out what you can scope to</div><div>2) Both approaches were planned to accept the path name in the auth request block</div><div>3) The difference in hierarchical naming is the if I do a regular GET /project(s) I also see the full path name as the “project name”</div><div><br></div><div>if we don’t do 3), then code that somehow authenticates, and then uses the regular GET /project(s) calls to find a project name and then re-scopes (or re-auths) to that name, will fail if the project they want is not a top level project. However, the flip side is that if there is code that uses these same calls to, say, display projects to the user (e.g. a home grown UI) - then it might get confused until it supports 3.7 (i.e. asking for the old microversion won’t help it) since all the names include the hierarchical path.</div><div><br></div><div>Just want to make sure we understand the implications….</div><div><br></div><div>Henry</div><div><br></div><div><blockquote type="cite"><div>On 4 Jun 2016, at 08:34, Monty Taylor <<a href="mailto:mordred@inaugust.com" target="_blank">mordred@inaugust.com</a>> wrote:</div><br><div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">On 06/04/2016 01:53 AM, Morgan Fainberg wrote:</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><blockquote type="cite" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>On Jun 3, 2016 12:42, "Lance Bragstad" <<a href="mailto:lbragstad@gmail.com" target="_blank">lbragstad@gmail.com</a><br><<a href="mailto:lbragstad@gmail.com" target="_blank">mailto:lbragstad@gmail.com</a>>> wrote:<br><blockquote type="cite"><br><br><br>On Fri, Jun 3, 2016 at 11:20 AM, Henry Nash <<a href="mailto:henrynash9@mac.com" target="_blank">henrynash9@mac.com</a><br></blockquote><<a href="mailto:henrynash9@mac.com" target="_blank">mailto:henrynash9@mac.com</a>>> wrote:<br><blockquote type="cite"><blockquote type="cite"><br><br><blockquote type="cite">On 3 Jun 2016, at 16:38, Lance Bragstad <<a href="mailto:lbragstad@gmail.com" target="_blank">lbragstad@gmail.com</a><br></blockquote></blockquote></blockquote><<a href="mailto:lbragstad@gmail.com" target="_blank">mailto:lbragstad@gmail.com</a>>> wrote:<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br><br>On Fri, Jun 3, 2016 at 3:20 AM, Henry Nash <<a href="mailto:henrynash9@mac.com" target="_blank">henrynash9@mac.com</a><br></blockquote></blockquote></blockquote><<a href="mailto:henrynash9@mac.com" target="_blank">mailto:henrynash9@mac.com</a>>> wrote:<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br><blockquote type="cite">On 3 Jun 2016, at 01:22, Adam Young <<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><<a href="mailto:ayoung@redhat.com" target="_blank">mailto:ayoung@redhat.com</a>>> wrote:<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>On 06/02/2016 07:22 PM, Henry Nash wrote:<br><blockquote type="cite"><br>Hi<br><br>As you know, I have been working on specs that change the way we<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>handle the uniqueness of project names in Newton. The goal of this is to<br>better support project hierarchies, which as they stand today are<br>restrictive in that all project names within a domain must be unique,<br>irrespective of where in the hierarchy that projects sits (unlike, say,<br>the unix directory structure where a node name only has to be unique<br>within its parent). Such a restriction is particularly problematic when<br>enterprise start modelling things like test, QA and production as<br>branches of a project hierarchy, e.g.:<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>/mydivsion/projectA/dev<br>/mydivsion/projectA/QA<br>/mydivsion/projectA/prod<br>/mydivsion/projectB/dev<br>/mydivsion/projectB/QA<br>/mydivsion/projectB/prod<br><br>Obviously the idea of a project name (née tenant) being unique<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>has been around since near the beginning of (OpenStack) time, so we must<br>be cautions. There are two alternative specs proposed:<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>1) Relax project name<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>constraints:<span> </span><a href="https://review.openstack.org/#/c/310048/" target="_blank">https://review.openstack.org/#/c/310048/</a><span> </span><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">2) Hierarchical project<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>naming:<span> </span><a href="https://review.openstack.org/#/c/318605/" target="_blank">https://review.openstack.org/#/c/318605/</a><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>First, here’s what they have in common:<br><br>a) They both solve the above problem<br>b) They both allow an authorization scope to use a path rather<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>than just a simple name, hence allowing you to address a project<br>anywhere in the hierarchy<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">c) Neither have any impact if you are NOT using a hierarchy -<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>i.e. if you just have a flat layer of projects in a domain, then they<br>have no API or semantic impact (since both ensure that a project’s name<br>must still be unique within a parent)<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>Here’s how the differ:<br><br>- Relax project name constraints (1), keeps the meaning of the<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>‘name’ attribute of a project to be its node-name in the hierarchy, but<br>formally relaxes the uniqueness constraint to say that it only has to be<br>unique within its parent. In other words, let’s really model this a bit<br>like a unix directory tree.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>I think I lean towards relaxing the project name constraint. The<br></blockquote></blockquote></blockquote>reason is because we already expose `domain_id`, `parent_id`, and `name`<br>of a project. By relaxing the constraint we can give the user everything<br>the need to know about a project without really changing any of these.<br>When using 3.7, you know what domain your project is in, you know the<br>identifier of the parent project, and you know that your project name is<br>unique within the parent. <br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>- Hierarchical project naming (2), formally changes the meaning<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>of the ‘name’ attribute to include the path to the node as well as the<br>node name, and hence ensures that the (new) value of the name attribute<br>remains unique.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>Do we intend to *store* the full path as the name, or just build it<br></blockquote></blockquote></blockquote>out on demand? If we do store the full path, we will have to think about<br>our current data model since the depth of the organization or domain<br>would be limited by the max possible name length. Will performance be<br>something to think about building the full path on every request? <br><blockquote type="cite"><blockquote type="cite"><br>I now mention this issue in the spec for hierarchical project naming<br></blockquote></blockquote>(the relax naming approach does not suffer this issue). As you say,<br>we’ll have to change the DB (today it is only 64 chars) if we do store<br>the full path . This is slightly problematic since the maximum depth of<br>hierarchy is controlled by a config option, and hence could be changed.<br>We will absolutely have be able to build the path on-the-fly in order to<br>support legacy drivers (who won’t be able to store more than 64 chars).<br>We may need to do some performance tests to ascertain if we can get away<br>with building the path on-the-fly in all cases and avoid changing the<br>table. One additional point is that, of course, the API will return<br>this path whenever it returns a project - so clients will need to be<br>aware of this increase in size.<span> </span><br><blockquote type="cite"><br><br>These are all good points that continue to push me towards relaxing<br></blockquote>the project naming constraint :)<span> </span><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br>While whichever approach we chose would only be included in a new<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>microversion (3.7) of the Identity API, although some relevant APIs can<br>remain unaffected for a client talking 3.6 to a Newton server, not all<br>can be. As pointed out be jamielennox, this is a data modelling problem<br>- if a Newton server has created multiple projects called “dev” in the<br>hierarchy, a 3.6 client trying to scope a token simply to “dev” cannot<br>be answered correctly (and it is proposed we would have to return an<br>HTTP 409 Conflict error if multiple nodes with the same name were<br>detected). This is true for both approaches.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>Other comments on the approaches:<br><br>- Having a full path as the name seems duplicative with the<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>current project entity - since we already return the parent_id (hence<br>parent_id + name is, today, sufficient to place a project in the hierarchy).<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br>The one thing I like is the ability to specify just the full path<br></blockquote></blockquote></blockquote></blockquote></blockquote>for the OS_PROJECT_NAME env var, but we could make that a separate<br>variable. Just as DOMAIN_ID + PROJECT_NAME is unique today,<br>OS_PROJECT_PATH should be able to fully specify a project<br>unambiguously. I'm not sure which would have a larger impact on users.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote>Agreed - and this could be done for both approaches (since this is<br></blockquote></blockquote></blockquote></blockquote>all part of the “auth data flow").<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br><blockquote type="cite">- In the past, we have been concerned about the issue of what we<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>do if there is a project further up the tree that we do not have any<br>roles on. In such cases, APIs like list project parents will not display<br>anything other than the project ID for such projects. In the case of<br>making the name the full path, we would be effectively exposing the name<br>of all projects above us, irrespective of whether we had roles on them.<br>Maybe this is OK, maybe it isn’t.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><br>I think it is OK. If this info needs to be hidden from a user,<br></blockquote></blockquote></blockquote></blockquote></blockquote>the project should probably be in a different domain.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br><blockquote type="cite">- While making the name the path keeps it unique, this is fine if<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>clients blindly use this attribute to plug back into another API to<br>call. However if, for example, you are Horizon and are displaying them<br>in a UI then you need to start breaking down the path into its<br>components, where you don’t today.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">- One area where names as the hierarchical path DOES look right<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>is calling the /auth/projects API - where what the caller wants is a<br>list of projects they can scope to - so you WANT this to be the path you<br>can put in an auth request.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>Given that neither can fully protect a 3.6 client, my personal<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>preference is to go with the cleaner logical approach which I believe is<br>the Relax project name constraints (1), with the addition of changing<br>GET /auth/projects to return the path (since this is a specialised API<br>that happens before authentication) - but I am open to persuasion (as<br>the song goes).<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>There are those that might say that perhaps we just can’t change<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>this. I would argue that since this ONLY affects people who actually<br>create hierarchies and that today such hierarchical use is in its<br>infancy, then now IS the time to change this. If we leave it too long,<br>then it will become really hard to change what will by then have become<br>a tough restriction.<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br>Henry<br><br><br><br><br><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>__________________________________________________________________________<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe:<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br></blockquote><br><br><br></blockquote></blockquote></blockquote></blockquote></blockquote>__________________________________________________________________________<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">OpenStack Development Mailing List (not for usage questions)<br><br></blockquote></blockquote></blockquote></blockquote></blockquote>Unsubscribe:<span> </span><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br></blockquote><br><br><br><br></blockquote></blockquote></blockquote></blockquote>__________________________________________________________________________<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">OpenStack Development Mailing List (not for usage questions)<br><br></blockquote></blockquote></blockquote></blockquote>Unsubscribe:<span> </span><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote><br><br></blockquote></blockquote></blockquote>__________________________________________________________________________<br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">OpenStack Development Mailing List (not for usage questions)<br><br></blockquote></blockquote></blockquote>Unsubscribe:<span> </span><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br></blockquote><br><br><br><br></blockquote></blockquote>__________________________________________________________________________<br><blockquote type="cite"><blockquote type="cite">OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe:<br></blockquote></blockquote><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote><br><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe:<br></blockquote><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><<a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br><blockquote type="cite"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote><br>My main concern with relaxing the uniqueness is you now have a<br>significant issue with auth changing. Fundamentally you cannot scope to<br>a project under a domain by name and domain name alone. This will break<br>current auth paths and auth mechanisms.<br><br>I personally think we are a bit wedged even with microversions without<br>providing the full path as a name for projects created as such (and<br>current projects retaining the uniqueness or if created via the old api<br>maintaining the uniqueness constraint and new api projects not being<br>represented at all).<br><br>So in short, I am strongly against relaxing uniqueness.<br></blockquote><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">I agree.</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">This would break code that exists currently. A microversion is fine for</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">creating a new api call. A microversion is not ok for fundamentally</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">breaking the semantics of an existing API. This would be a major API</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">version bump. It would break existing users with existing code, and</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">since there _is_ another option on the table that does not break</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">existing users with existing code, I believe that it is imperative to</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">select the non-breaking option.</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><blockquote type="cite" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">New (microversion) would make projects that are only represented by full<br>path. Old projects could be represented either way. (For auth/crud that<br>uses project names).<br><br>Old microversion api (today) would require uniqueness constraint and not<br>show/allow full pathname projects.<br><br>This way we do not break auth that works today.<br><br>Most everyone consumes and stores by id (nova, cinder, etc) so we likely<br>won't break much with extended project names.<br></blockquote><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">End users work by name - but yes, I agree the impact cross-openstack is</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">unlikely.</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">__________________________________________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">OpenStack Development Mailing List (not for usage questions)</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">Unsubscribe:<span> </span></span><a href="mailto:OpenStack-dev-request@lists.openstack.org" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">OpenStack-dev-request@lists.openstack.org</a><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">?subject:unsubscribe</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></blockquote></div><br></div>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe:<span> </span><a href="mailto:OpenStack-dev-request@lists.openstack.org" target="_blank">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe<br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br></div></blockquote></div><br></div></div></div></div><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe:<span> </span><a href="http://OpenStack-dev-request@lists.openstack.org/?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote></div><br></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">__________________________________________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">OpenStack Development Mailing List (not for usage questions)</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">Unsubscribe:<span> </span></span><a href="mailto:OpenStack-dev-request@lists.openstack.org" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">OpenStack-dev-request@lists.openstack.org</a><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">?subject:unsubscribe</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></blockquote></div><br></div></div></div></div></div><br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>