[openstack-dev] [Keystone] [Swift] Question re. keystone domains

Dolph Mathews dolph.mathews at gmail.com
Tue Jul 1 19:15:10 UTC 2014


On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair <alistair.coles at hp.com>
wrote:

>  We have a change [1] under review in Swift to make access control lists
> compatible with migration to keystone v3 domains. The change makes two
> assumptions that I’d like to double-check with keystone folks:
>
>
>
> 1.      That a project can never move from one domain to another.
>
We're moving in this direction, at least. In Grizzly and Havana, we made no
such restriction. In Icehouse, we introduced such a restriction by default,
but it can be disabled. So far, we haven't gotten any complaints about
adding the restriction, so maybe we should just add additional help text to
the option in our config about why you would never want to disable the
restriction, citing how it would break swift?

>  2.      That the underscore character cannot appear in a valid domain id
> – more specifically, that the string ‘_unknown’ cannot be confused with a
> domain id.
>
That's fairly sound. All of our domain ID's are system-assigned as UUIDs,
except for the "default" domain which has an explicit id='default'. We
don't do anything to validate the assumption, though.

>
>
> Are those safe assumptions?
>
>
>
> Thanks,
>
> Alistair
>
>
>
> [1] https://review.openstack.org/86430
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140701/2ef5c102/attachment.html>


More information about the OpenStack-dev mailing list