Keystone user ID case sensitivity issue

Sean Mooney smooney at redhat.com
Thu Nov 14 01:57:01 UTC 2019


On Wed, 2019-11-13 at 23:07 +0000, PARSONS, CLIFF wrote:
> Hello everyone!
> 
> My organization has a need to make the user name/ID retrieval from Heat template to be case insensitive.  For example:
> suppose we already have a user in keystone, "xyz123".  Then we have a client that creates a heat stack containing a
> UserRoleAssignment resource, in which the user was specified as "XYZ123".  The user would not be found in the Keystone
> database (due to Keystone user IDs being case sensitive) and the role assignment would not occur.
> 
> Either Keystone could be changed so that its users are treated case insensitive, or we could make the change to heat
> (Heat KeystoneClientPlugin class) like in https://review.opendev.org/#/c/694117/ so that it converts to lower case
> before querying keystone.
I honestly don't think we should force everyone to use case insensitive user names so I don't think converting to lower
case is valid. However it might be worth exploring if you could change the encoding of the database so that it is
case insensitive by using the utf8_general_ci encoding so that all db operations are case insensitive on the user table.
>  Can I get some thoughts on this? Would something like this be acceptable at all? Would we need to make it
> configurable, and if we did, would that be acceptable?
I think changing API behavior based on a config option is an interoperability problem.

Keystone has to interact with external identity systems and so assuming all of those will be case insensitive would
probably break someone else who has the opposite requirement.

I honestly think that people should just use the correct case in the heat template.
If heat is not currently erroring out when the role assignment fails that feels like a heat bug, but I would
personally think it's an error if I type my user name with the wrong case and my correct password and was able
to get a keystone token.
> 
> Thanks in advance for your thoughts/concerns/suggestions.
> 
> Thank you,
> Cliff Parsons



