[openstack-dev] [Keystone] [Swift] Question re. keystone domains

Nathan Kinder nkinder at redhat.com
Wed Jul 2 15:25:53 UTC 2014 


On 07/01/2014 12:15 PM, Dolph Mathews wrote:
> 
> On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair <alistair.coles at hp.com
> <mailto:alistair.coles at hp.com>> wrote:
> 
>     We have a change [1] under review in Swift to make access control
>     lists compatible with migration to keystone v3 domains. The change
>     makes two assumptions that I’d like to double-check with keystone
>     folks:____
> 
>     __ __
> 
>     __1.      __That a project can never move from one domain to another.
> 
> We're moving in this direction, at least. In Grizzly and Havana, we made
> no such restriction. In Icehouse, we introduced such a restriction by
> default, but it can be disabled. So far, we haven't gotten any
> complaints about adding the restriction, so maybe we should just add
> additional help text to the option in our config about why you would
> never want to disable the restriction, citing how it would break swift?
> 
>     ____
> 
>     __2.      __That the underscore character cannot appear in a valid
>     domain id – more specifically, that the string ‘_unknown’ cannot be
>     confused with a domain id.
> 
> That's fairly sound. All of our domain ID's are system-assigned as
> UUIDs, except for the "default" domain which has an explicit
> id='default'. We don't do anything to validate the assumption, though.

I don't like the idea of making this assumption without explicit
validation.  If there is a need for a blacklisted domain id space, we
should enforce it to prevent problems down the road.

-NGK

> 
>     ____
> 
>     __ __
> 
>     Are those safe assumptions?____
> 
>     __ __
> 
>     Thanks,____
> 
>     Alistair____
> 
>     __ __
> 
>     [1] https://review.openstack.org/86430____
> 
> 
>     _______________________________________________
>     OpenStack-dev mailing list
>     OpenStack-dev at lists.openstack.org
>     <mailto:OpenStack-dev at lists.openstack.org>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

More information about the OpenStack-dev mailing list