[openstack-dev] [Heat] [Keystone] [TripleO] Making use of domains by name - policy and API issues?

Clint Byrum clint at fewbar.com
Mon Apr 28 17:51:51 UTC 2014


So in the process of making Heat deploy itself, I've run into a bit of a
deadlock.

https://bugs.launchpad.net/tripleo/+bug/1287453
https://bugs.launchpad.net/heat/+bug/1313003

Currently, we deploy OpenStack like this:

* First we generate usernames/passwords for all service accounts
* Next we deploy Keystone and Heat (and.. the rest of OpenStack)
  - In this process, we feed in the usernames and passwords we
    generated.
* Then when everything is "deployed", we initialize Keystone with the
  generated usernames and passwords via the keystone API.
* Now we test to make sure what we deployed works.

However, in order to create isolated users for narrow access to Heat
from inside instances, Heat needs a domain to put these narrowly scoped
users in. Heat has a handy script for creating this domain and an admin
inside the domain which is needed to create the lesser users. So that
naturally fits into our initialization of keystone.

The problem is that because of bug 1313003, Heat can only use a domain
ID to specify this domain. We haven't created that domain yet at stack
creation time though, so we would have to add another step before
testing/using the cloud:

* Update stack with ID of heat stack user domain.

Steven Hardy has indicated that it was problematic to make use of names
instead of id's for domains, and that to me signals a problem with the
API and/or policy model in Keystone around domains.

Everything else in TripleO makes use of names except this, so I think
we need to solve this. This isn't just a TripleO or Heat problem though,
anybody using domains will run into the same trouble Steven hit, and
that is not something we should ignore.

Can somebody more familiar with domains explain what would be needed to
be able to have Heat able to lookup domains by name and use them like
most other things in OpenStack, where we can use names or IDs
interchangeably?

Thanks!



More information about the OpenStack-dev mailing list