[openstack-dev] [puppet][keystone] Choose domain names with 'composite namevar' or 'meaningless name'?

Gilles Dubreuil gilles at redhat.com
Fri Sep 11 11:25:52 UTC 2015



On 11/09/15 20:17, David Chadwick wrote:
> Whichever approach is adopted you need to consider the future and the
> longer term objective of moving to fully hierarchical names. I believe
> the current Keystone approach is only an interim one, as it only
> supports partial hierarchies. Fully hierarchical names has been
> discussed in the Keystone group, but I believe that this has been
> shelved until later in order to get a quick fix released now.
> 
> regards
> 
> David
> 

Thanks David,

That's interesting.
So sub projects are pushing the issue further down.
And maybe one day sub domains and sub users?

keystone_role_user {
'user.subuser::domain1 at project.subproject.subsubproject::domain2':
roles => [...]
}

or

keystone_role_user {'user.subuser':
  user_domain => 'domain1',
  tenant => 'project.subproject',
  tenant_domain => 'domain2',
  roles => [...]
}

I tend to think the domain must stick with the name it's associated
with, otherwise we have to say 'here the domain for this and that, etc'.



> On 11/09/2015 08:03, Gilles Dubreuil wrote:
>> Hi,
>>
>> Today in the #openstack-puppet channel a discussion about the pro and
>> cons of using domain parameter for Keystone V3 has been left opened.
>>
>> The context
>> ------------
>> Domain names are needed in Openstack Keystone V3 for identifying users
>> or groups (of users) within different projects (tenant).
>> Users and groups are uniquely identified within a domain (or a realm as
>> opposed to project domains).
>> Then projects have their own domain so users or groups can be assigned
>> to them through roles.
>>
>> In Kilo, Keystone V3 have been introduced as an experimental feature.
>> Puppet providers such as keystone_tenant, keystone_user,
>> keystone_role_user have been adapted to support it.
>> Also new ones have appeared (keystone_domain) or are their way
>> (keystone_group, keystone_trust).
>> And to be backward compatible with V2, the default domain is used when
>> no domain is provided.
>>
>> In existing providers such as keystone_tenant, the domain can be either
>> part of the name or provided as a parameter:
>>
>> A. The 'composite namevar' approach:
>>
>>    keystone_tenant {'projectX::domainY': ... }
>>  B. The 'meaningless name' approach:
>>
>>   keystone_tenant {'myproject': name='projectX', domain=>'domainY', ...}
>>
>> Notes:
>>  - Actually using both combined should work too with the domain
>> supposedly overriding the name part of the domain.
>>  - Please look at [1] this for some background between the two approaches:
>>
>> The question
>> -------------
>> Decide between the two approaches, the one we would like to retain for
>> puppet-keystone.
>>
>> Why it matters?
>> ---------------
>> 1. Domain names are mandatory in every user, group or project. Besides
>> the backward compatibility period mentioned earlier, where no domain
>> means using the default one.
>> 2. Long term impact
>> 3. Both approaches are not completely equivalent which different
>> consequences on the future usage.
>> 4. Being consistent
>> 5. Therefore the community to decide
>>
>> The two approaches are not technically equivalent and it also depends
>> what a user might expect from a resource title.
>> See some of the examples below.
>>
>> Because OpenStack DB tables have IDs to uniquely identify objects, it
>> can have several objects of a same family with the same name.
>> This has made things difficult for Puppet resources to guarantee
>> idem-potency of having unique resources.
>> In the context of Keystone V3 domain, hopefully this is not the case for
>> the users, groups or projects but unfortunately this is still the case
>> for trusts.
>>
>> Pros/Cons
>> ----------
>> A.
>>   Pros
>>     - Easier names
>>   Cons
>>     - Titles have no meaning!
>>     - Cases where 2 or more resources could exists
>>     - More difficult to debug
>>     - Titles mismatch when listing the resources (self.instances)
>>
>> B.
>>   Pros
>>     - Unique titles guaranteed
>>     - No ambiguity between resource found and their title
>>   Cons
>>     - More complicated titles
>>
>> Examples
>> ----------
>> = Meaningless name example 1=
>> Puppet run:
>>   keystone_tenant {'myproject': name='project_A', domain=>'domain_1', ...}
>>
>> Second run:
>>   keystone_tenant {'myproject': name='project_A', domain=>'domain_2', ...}
>>
>> Result/Listing:
>>
>>   keystone_tenant { 'project_A::domain_1':
>>     ensure  => 'present',
>>     domain  => 'domain_1',
>>     enabled => 'true',
>>     id      => '7f0a2b670f48437ba1204b17b7e3e9e9',
>>   }
>>    keystone_tenant { 'project_A::domain_2':
>>     ensure  => 'present',
>>     domain  => 'domain_2',
>>     enabled => 'true',
>>     id      => '4b8255591949484781da5d86f2c47be7',
>>   }
>>
>> = Composite name example 1  =
>> Puppet run:
>>   keystone_tenant {'project_A::domain_1', ...}
>>
>> Second run:
>>   keystone_tenant {'project_A::domain_2', ...}
>>
>> # Result/Listing
>>   keystone_tenant { 'project_A::domain_1':
>>     ensure  => 'present',
>>     domain  => 'domain_1',
>>     enabled => 'true',
>>     id      => '7f0a2b670f48437ba1204b17b7e3e9e9',
>>    }
>>   keystone_tenant { 'project_A::domain_2':
>>     ensure  => 'present',
>>     domain  => 'domain_2',
>>     enabled => 'true',
>>     id      => '4b8255591949484781da5d86f2c47be7',
>>    }
>>
>> = Meaningless name example 2  =
>> Puppet run:
>>   keystone_tenant {'myproject1': name='project_A', domain=>'domain_1', ...}
>>   keystone_tenant {'myproject2': name='project_A', domain=>'domain_1',
>> description=>'blah'...}
>>
>> Result: project_A in domain_1 has a description
>>
>> = Composite name example 2  =
>> Puppet run:
>>   keystone_tenant {'project_A::domain_1', ...}
>>   keystone_tenant {'project_A::domain_1', description => 'blah', ...}
>>
>> Result: Error because the resource must be unique within a catalog
>>
>> My vote
>> --------
>> I would love to have the approach A for easier name.
>> But I've seen the challenge of maintaining the providers behind the
>> curtains and the confusion it creates with name/titles and when not sure
>> about the domain we're dealing with.
>> Also I believe that supporting self.instances consistently with
>> meaningful name is saner.
>> Therefore I vote B
>>
>> Finally
>> ------
>> Thanks for reading that far!
>> To choose, please provide feedback with more pros/cons, examples and
>> your vote.
>>
>> Thanks,
>> Gilles
>>
>>
>> PS:
>> [1] https://groups.google.com/forum/#!topic/puppet-dev/CVYwvHnPSMc
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list