[openstack-dev] [puppet] Prefecting user and user_roles resources with domain-specific conf is failing.

Adam Young ayoung at redhat.com
Tue Mar 22 01:15:27 UTC 2016

On 03/21/2016 09:34 AM, Sofer Athlan-Guyot wrote:
> Hi,
> we have a big problem when using domain-specific configuration.  The
> listing of all users is not supported by keystone when it's used[1][2].
> What this means is that prefetch method in keystone_user won't work, or
> more specifically, instances method will fail.
> This poses a problem for the keystone_user_role, as the user instances
> method is called there too.
> The missing bit when domain-specific configuration is used is that the
> operator must precise the domain on the command line option.
> As I see it there are three ways to approach this:
>   - iterate over all domains and keep the same behavior as now;
>   - detect somehow that the domain-specific configuration is used and
>     hack, both instances methods to add domain options
>   - remove prefetch from keystone_user and keystone_user_role (kinda get
>     my preference, see below)

So, listing all users ism, in general a bad idea.  I assume the reason 
is to find a userid from a user name?

Would better support from Keystone server make a difference here?

> The problem I see with the first two methods depends on the usual use
> case of the domain specific configuration.
> For what I understand, this would be mainly used to connect to existing
> LDAP server, certainly large AD.  If that's the case then we will have
> the same problem that the keystone people have seen, ie very big list of
> poeple, most of them unrelated to what is happening.  We will then have
> the risk that:
>   - keystone fails;
>   - the puppet process would be slowed down significantly;
> So listing all users in this case seems like a very bad idea.  As I
> don't see a way to disable prefetching dynamically, when domain-specific
> is used (maybe have to be digged into ?), then I tend to favor the
> removal of this from kesytone_user and keystone_user_role.
> Keystone_user_role is the main problem here as it require a lot of call
> to be build and prefetching help here.
> So I don't see a best solution to this problem, so I'd like to have more
> inputs about the right course of action.
> Note: It was first noticed by Matthew J Black, which has open this bug
> report[3] and started to work on a fix here[4]
> [1] https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst (look for domain-specific)
> [2] https://bugs.launchpad.net/keystone/+bug/1555629
> [3] https://bugs.launchpad.net/puppet-keystone/+bug/1554555
> [4] https://review.openstack.org/#/c/289995/

More information about the OpenStack-dev mailing list