On 06/08/15 10:16, Jamie Lennox wrote: > > > ----- Original Message ----- >> From: "Adam Young" <ayo...@redhat.com> >> To: openstack-dev@lists.openstack.org >> Sent: Thursday, August 6, 2015 1:03:55 AM >> Subject: Re: [openstack-dev] [puppet][keystone] To always use or not use >> domain name? >> >> On 08/05/2015 08:16 AM, Gilles Dubreuil wrote: >>> While working on trust provider for the Keystone (V3) puppet module, a >>> question about using domain names came up. >>> >>> Shall we allow or not to use names without specifying the domain name in >>> the resource call? >>> >>> I have this trust case involving a trustor user, a trustee user and a >>> project. >>> >>> For each user/project the domain can be explicit (mandatory): >>> >>> trustor_name::domain_name >>> >>> or implicit (optional): >>> >>> trustor_name[::domain_name] >>> >>> If a domain isn't specified the domain name can be assumed (intuited) >>> from either the default domain or the domain of the corresponding >>> object, if unique among all domains. >> If you are specifying project by name, you must specify domain either >> via name or id. If you specify proejct by ID, you run the risk of >> conflicting if you provide a domain speciffiedr (ID or name). >> >>> >>> Although allowing to not use the domain might seems easier at first, I >>> believe it could lead to confusion and errors. The latter being harder >>> for the user to detect. >>> >>> Therefore it might be better to always pass the domain information. >> >> Probably a good idea, as it will catch if you are making some >> assumption. IE, I say DomainX ProejctQ but I mean DomainQ ProjectQ. > > Agreed. Like it or not domains are a major part of using the v3 api and if > you want to use project names and user names we should enforce that domains > are provided. > Particularly at the puppet level (dealing with users who should understand > this stuff) anything that tries to guess what the user means is a bad idea > and going to lead to confusion when it breaks. >
I totally agree. Thanks for participating >>> >>> I believe using the full domain name approach is better. >>> But it's difficult to tell because in puppet-keystone and >>> puppet-openstacklib now rely on python-openstackclient (OSC) to >>> interface with Keystone. Because we can use OSC defaults >>> (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't >>> necessarily makes it the best approach. For example hard coded value [1] >>> makes it flaky. >>> >>> [1] >>> https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 >>> >>> To help determine the approach to use, any feedback will be appreciated. >>> >>> Thanks, >>> Gilles >>> >>>> > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
