[openstack-dev] [puppet][keystone] Keystone resource naming with domain support - no '::domain' if 'Default'

Gilles Dubreuil gilles at redhat.com
Thu Aug 27 13:00:24 UTC 2015



On 27/08/15 22:40, Gilles Dubreuil wrote:
> 
> 
> On 27/08/15 16:59, Gilles Dubreuil wrote:
>>
>>
>> On 26/08/15 06:30, Rich Megginson wrote:
>>> This concerns the support of the names of domain scoped Keystone
>>> resources (users, projects, etc.) in puppet.
>>>
>>> At the puppet-openstack meeting today [1] we decided that
>>> puppet-openstack will support Keystone domain scoped resource names
>>> without a '::domain' in the name, only if the 'default_domain_id'
>>> parameter in Keystone has _not_ been set.  That is, if the default
>>> domain is 'Default'.  In addition:
>>>
>>> * In the OpenStack L release, if 'default_domain_id' is set, puppet will
>>> issue a warning if a name is used without '::domain'.
> 
> The default domain is always set to 'default' unless overridden to
> something else.

Just to clarify, I don't see any logical difference between the
default_domain_id to be 'default' or something else.

Per keystone.conf comment (as seen below) the default_domain_id,
whatever its value, is created as a valid domain.

# This references the domain to use for all Identity API v2 requests
(which are not aware of domains). A domain with this ID will be created
for you by keystone-manage db_sync in migration 008. The domain
referenced by this ID cannot be deleted on the v3 API, to prevent
accidentally breaking the v2 API. There is nothing special about this
domain, other than the fact that it must exist to order to maintain
support for your v2 clients. (string value)
#default_domain_id = default

To be able to test if a 'default_domain_id' is set or not, actually
translates to checking if the id is 'default' or something else.
But I don't see the point here. If a user decides to change default' to
'This_is_the_domain_id_for_legacy_v2", how does this help?

If that makes sense then I would actually avoid the intermediate stage:

* In OpenStack L release:
Puppet will issue a warning if a name is used without '::domain'.

* From Openstack M release:
A name must be used with '::domain'.

> 
>>> * In the OpenStack M release, puppet will issue a warning if a name is
>>> used without '::domain', even if 'default_domain_id' is not set.
> 
> Therefore the 'default_domain_id' is never 'not set'.
> 
>>> * In N (or possibly, O), resource names will be required to have
>>> '::domain'.
>>>
> 
> I understand, from Openstack N release and ongoing, the domain would be
> mandatory.
> 
> So I would like to revisit the list:
> 
> * In OpenStack L release:
>   Puppet will issue a warning if a name is used without '::domain'.
> 
> * In OpenStack M release:
>   Puppet will issue a warning if a name is used without '::domain'.
> 
> * From Openstack N release:
>   A name must be used with '::domain'.
> 
> 
>>
>> +1
>>
>>> The current spec [2] and current code [3] try to support names without a
>>> '::domain' in the name, in non-default domains, provided the name is
>>> unique across _all_ domains.  This will have to be changed in the
>>> current code and spec.
>>>
>>
>> Ack
>>
>>>
>>> [1]
>>> http://eavesdrop.openstack.org/meetings/puppet_openstack/2015/puppet_openstack.2015-08-25-15.01.html
>>>
>>> [2]
>>> http://specs.openstack.org/openstack/puppet-openstack-specs/specs/kilo/api-v3-support.html
>>>
>>> [3]
>>> https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone_user/openstack.rb#L217
>>>
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list