[openstack-dev] [Heat] [Keystone] [TripleO] Making use of domains by name - policy and API issues?
Clint Byrum
clint at fewbar.com
Wed May 7 19:29:04 UTC 2014
Excerpts from Robert Collins's message of 2014-04-28 23:25:02 -0700:
> On 29 April 2014 12:27, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> >
>
> > Sure: domain names are unambiguous but user mutable, whereas Heat's approach
> > to using admin tenant "name" is at risk to both mutability and ambiguity (in
> > a multi-domain deployment).
>
> Isn't domainname/user unambiguous and unique? Mutability is really not
> keystone's choice.
>
> If keystone won't accept domainname/user then that will force us to
> either do two stack-updates for a single deploy (ugly) or write
> patches to heat (and neutron where the callback-to-nova support has
> the same issue) to manually try a lookup and work around this.
>
> Since it's trivial to write such a thunk, what benefit is there to your
> users - e.g. TripleO/heat/nova not have it in keystone itself?

So it sounds like we can drive a change into Keystone. The short version
is something like this:

Anywhere that accepts a domain ID, should also be able to accept a
domain name. Anywhere that accepts a user ID, should also be able to
accept a domain name and user name.

This sounds like it has several facets and so is spec-worthy. Anyone
disagree?