[openstack-dev] [Keystone] [Swift] Question re. keystone domains
Nathan Kinder
nkinder at redhat.com
Wed Jul 2 15:25:53 UTC 2014
On 07/01/2014 12:15 PM, Dolph Mathews wrote:
>
> On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair <alistair.coles at hp.com
> <mailto:alistair.coles at hp.com>> wrote:
>
> We have a change [1] under review in Swift to make access control
> lists compatible with migration to keystone v3 domains. The change
> makes two assumptions that I’d like to double-check with keystone
> folks:
>
> 1. That a project can never move from one domain to another.
>
> We're moving in this direction, at least. In Grizzly and Havana, we made
> no such restriction. In Icehouse, we introduced such a restriction by
> default, but it can be disabled. So far, we haven't gotten any
> complaints about adding the restriction, so maybe we should just add
> additional help text to the option in our config about why you would
> never want to disable the restriction, citing how it would break swift?
>
> 2. That the underscore character cannot appear in a valid
> domain id – more specifically, that the string ‘_unknown’ cannot be
> confused with a domain id.
>
> That's fairly sound. All of our domain IDs are system-assigned as
> UUIDs, except for the "default" domain which has an explicit
> id='default'. We don't do anything to validate the assumption, though.
I don't like the idea of making this assumption without explicit
validation. If there is a need for a blacklisted domain id space, we
should enforce it to prevent problems down the road.
-NGK
>
> Are those safe assumptions?
>
> Thanks,
>
> Alistair
>
> [1] https://review.openstack.org/86430
>
>
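The explicit validation asked for in the reply above could look like the following. This is an added sketch, not part of the original thread and not Keystone or Swift code; the reserved `_` prefix, the accepted UUID spellings and all function names are assumptions made for illustration.

```python
import re

# Assumptions for this sketch: a domain id is either the literal "default"
# or a lowercase UUID (32 hex digits, or the hyphenated 8-4-4-4-12 form),
# and every string starting with "_" is reserved for consumer sentinels.
DEFAULT_DOMAIN_ID = "default"
RESERVED_PREFIX = "_"
SENTINELS = ("_unknown",)  # the placeholder string named in the thread

# A strict pattern is used instead of uuid.UUID(): that constructor parses
# its input with int(), which tolerates "_" between digits, so a 32-character
# string containing an underscore can be accepted as a UUID.
_UUID_RE = re.compile(
    r"[0-9a-f]{32}"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)


class InvalidDomainId(ValueError):
    """Raised when a proposed domain id is outside the allowed id space."""


def validate_domain_id(domain_id):
    """Return domain_id unchanged if acceptable, else raise InvalidDomainId."""
    if not isinstance(domain_id, str):
        raise InvalidDomainId("domain id must be a string")
    if domain_id.startswith(RESERVED_PREFIX):
        raise InvalidDomainId("ids starting with %r are reserved" % RESERVED_PREFIX)
    # fullmatch() rejects trailing newlines that "$" would let through.
    if domain_id == DEFAULT_DOMAIN_ID or _UUID_RE.fullmatch(domain_id):
        return domain_id
    raise InvalidDomainId("not 'default' or a lowercase UUID: %r" % domain_id)


def is_valid_domain_id(domain_id):
    """Boolean wrapper around validate_domain_id()."""
    try:
        validate_domain_id(domain_id)
    except InvalidDomainId:
        return False
    return True


def sentinels_unreachable():
    """Start-up self-check: no sentinel may ever pass as a real domain id."""
    return not any(is_valid_domain_id(s) for s in SENTINELS)
```

Running `sentinels_unreachable()` at service start turns the assumption into a checked invariant: if the id rules are ever loosened so that a sentinel becomes a legal id, the check fails before any ACL is evaluated.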