[Openstack-operators] [puppet][keystone] To always use or not use domain name?
Rich Megginson
rmeggins at redhat.com
Tue Aug 11 15:54:52 UTC 2015
This is a continuation of a thread that started on openstack-dev:
http://lists.openstack.org/pipermail/openstack-dev/2015-August/071433.html
The thread is being continued here to reach more people who would be
affected by this change.
The initial email from Gilles Dubreuil <gilles at redhat.com> is as follows:
##############################################
While working on trust provider for the Keystone (V3) puppet module, a
question about using domain names came up.
Shall we allow or not to use names without specifying the domain name in
the resource call?
I have this trust case involving a trustor user, a trustee user and a
project.
For each user/project the domain can be explicit (mandatory):
trustor_name::domain_name
or implicit (optional):
trustor_name[::domain_name]
If a domain isn't specified the domain name can be assumed (intuited)
from either the default domain or the domain of the corresponding
object, if unique among all domains.
Although allowing to not use the domain might seems easier at first, I
believe it could lead to confusion and errors. The latter being harder
for the user to detect.
Therefore it might be better to always pass the domain information.
I believe using the full domain name approach is better.
But it's difficult to tell because in puppet-keystone and
puppet-openstacklib now rely on python-openstackclient (OSC) to
interface with Keystone. Because we can use OSC defaults
(OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't
necessarily makes it the best approach. For example hard coded value [1]
makes it flaky.
[1]
https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40
To help determine the approach to use, any feedback will be appreciated.
Thanks,
Gilles
More information about the OpenStack-operators
mailing list