[openstack-dev] [keystone] A default domain

Dolph Mathews dolph.mathews at gmail.com
Wed Jan 16 18:02:13 UTC 2013


I'm a little more pedantic about decent HTTP than REST; on that note, we're
already returning a Vary: X-Auth-Token in our responses, which covers us in
this scenario (the token provided in the request dictates the content of
the response). However, I'm totally fine with the idea of issuing a
redirect if we go down this path.


-Dolph


On Wed, Jan 16, 2013 at 11:29 AM, Vishvananda Ishaya
<vishvananda at gmail.com> wrote:

>
> On Jan 16, 2013, at 8:07 AM, Dolph Mathews <dolph.mathews at gmail.com>
> wrote:
>
> > Currently, the API user is allowed to not include a domain_id in a
> > request to create new users or create new projects. The assumption is that
> > the service will assign those resources to the creating user's domain.
> >
> > In a recent keystone meeting, I believe we did have a brief discussion
> > about applying such a behavior to other calls. Currently, the two calls you
> > listed are different (the first returns all users in the system regardless
> > of domain). Further, if the second call was going to default to a domain, I
> > would hope it would default to the requesting user's domain, not the
> > default domain.
> >
> > That said, with the introduction of domain-specific role grants[1] and
> > domain-scoped tokens[2], we have a third option: listing users in the
> > domain for which your token is authorized, regardless of whether you
> > specify a domain in the query string. I don't think we would have a way to
> > list all users in the system at that point.
>
> If we are being pedantic about REST, this should not be allowed, because a
> given URI should correspond to one set of data. I guess the "right" way to
> do it would be to redirect to ?domain_id=<users_domain>. That said, I've
> always felt that REST breaks down with lists and authz so some cheating may
> be warranted.
>
> Vish
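Added example (not part of the thread and not Keystone code): a minimal shared cache that builds its key from the request headers named in `Vary`, showing why a user listing whose content depends on the token needs `Vary: X-Auth-Token` to avoid serving one domain's list to another domain's token. The `/v3/users` path, tokens, domains, user names and the `origin()` helper are constructed assumptions for illustration.

```python
# Constructed sample data: tokens scoped to domains, and users per domain.
TOKEN_DOMAIN = {"tok-a": "domain-a", "tok-b": "domain-b"}
USERS = {"domain-a": ["alice"], "domain-b": ["bob"]}


def origin(path, headers, send_vary=True):
    """Hypothetical origin: the user list is filtered by the token's domain."""
    domain = TOKEN_DOMAIN[headers["X-Auth-Token"]]
    resp_headers = {"Vary": "X-Auth-Token"} if send_vary else {}
    return resp_headers, USERS[domain]


class SharedCache:
    """Keys entries on the URI plus the request headers named in Vary."""

    def __init__(self, send_vary=True):
        self.send_vary = send_vary
        self.vary_for = {}  # URI -> header names from the last Vary seen
        self.store = {}     # (URI, secondary key) -> cached body

    def _key(self, path, headers):
        names = self.vary_for.get(path, ())
        return path, tuple((n, headers.get(n)) for n in names)

    def get(self, path, headers):
        key = self._key(path, headers)
        if key in self.store:
            return self.store[key]  # hit: origin is not consulted
        resp_headers, body = origin(path, headers, self.send_vary)
        vary = resp_headers.get("Vary", "")
        names = sorted(h.strip() for h in vary.split(",") if h.strip())
        self.vary_for[path] = tuple(names)
        self.store[self._key(path, headers)] = body
        return body


def list_users_twice(send_vary):
    """Same URI requested with two differently scoped tokens through one cache."""
    cache = SharedCache(send_vary)
    first = cache.get("/v3/users", {"X-Auth-Token": "tok-a"})
    second = cache.get("/v3/users", {"X-Auth-Token": "tok-b"})
    return first, second
```

With `Vary` present the second token gets its own domain's list; without it the cache replays the first domain's list to the second token.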