Keystone user ID case sensitivity issue

Rabi Mishra ramishra at
Thu Nov 14 03:24:05 UTC 2019

On Thu, Nov 14, 2019 at 7:31 AM Sean Mooney <smooney at> wrote:

> On Wed, 2019-11-13 at 23:07 +0000, PARSONS, CLIFF wrote:
> > Hello everyone!
> >
> > My organization has a need to make the user name/ID retrieval from Heat
> template to be case insensitive.  For example:
> > suppose we already have a user in keystone, "xyz123".  Then we have a
> client that creates a heat stack containing a
> > UserRoleAssignment resource, in which the user was specified as
> "XYZ123".  The user would not be found in the Keystone
> > database (due to Keystone user IDs being case sensitive) and the role
> assignment would not occur.
> >
> > Either Keystone could be changed so that its users are treated case
> insensitive, or we could make the change to heat
> > (Heat KeystoneClientPlugin class) like in
> so that it converts to lower case
> > before querying keystone.
> i honestly dont think we shoudl force everyone to use case insensitive
> user names so i dont think converting to lower
> case is valid. however it might we worth exploring if you could change the
> encoding of the database so that it uses the
> case insensitive by using the utf8_general_ci encodeing so that all db
> opertion are case insensitive on the user tabel.
> >  Can I get some thoughts on this? Would something like this be
> acceptable at all? Would we need to make it
> > configurable, and if we did, would that be acceptable?
> i think chaing api behavior based on a config option is an interoperablity
> probelm
> keystone has to interact with external identity systesm and so assuming
> all of those will be case inseitive would
> proably break someone else who has the opisite requirement.
> i honestly think that people should just use the correct case in the heat
> template.
> if heat is not currently erroring out when the role assignment failts that
> feels like a heat bug

There is no heat bug. Heat would fail if the user does not exist and it
does not override any service behaviour in the default client plugins.
However, heat allows to write your own custom client plugin for keystone
(if that's what you want), which overrides the behavior and use it in place
of the default plugin.

> but i would
> personlly think its an error if i type my user name with the wrong case
> and my correct passwourd and was able
> to get a keystone token.
> >
> > Thanks in advance for your thoughts/concerns/suggestions.
> >
> > Thank you,
> > Cliff Parsons

Rabi Mishra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openstack-discuss mailing list