Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 08/07/2015 01:58 PM, Rich Megginson wrote: Would someone who actually has to deploy/maintain puppet manifests and supporting code chime in here? How do you feel about having to ensure that every domain scoped Keystone resource name must end in ::domain? At the very least, if not using domains, and not changing the default domain, you would have to ensure something::Default _everywhere_ - and I do mean everywhere - every user and tenant name use, including in keystone_user_role, and in other, higher level classes/defines that refer to keystone users and tenants. Anyone? I also wonder how the Ansible folks are handling this, as they move to support domains and other Keystone v3 features in openstack-ansible code? As an operator, I like the ::$domain notation. I think the benefits it brings in terms of clarity outweigh any downsides. signature.asc Description: OpenPGP digital signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 08/10/2015 10:45 AM, Richard Raseley wrote: On 08/07/2015 01:58 PM, Rich Megginson wrote: Would someone who actually has to deploy/maintain puppet manifests and supporting code chime in here? How do you feel about having to ensure that every domain scoped Keystone resource name must end in ::domain? At the very least, if not using domains, and not changing the default domain, you would have to ensure something::Default _everywhere_ - and I do mean everywhere - every user and tenant name use, including in keystone_user_role, and in other, higher level classes/defines that refer to keystone users and tenants. Anyone? I also wonder how the Ansible folks are handling this, as they move to support domains and other Keystone v3 features in openstack-ansible code? As an operator, I like the ::$domain notation. I think the benefits it brings in terms of clarity outweigh any downsides. If you have to add ::$domain to all of your manifests and supporting code, what impact does that have? __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 08/10/2015 10:24 AM, Rich Megginson wrote: As an operator, I like the ::$domain notation. I think the benefits it brings in terms of clarity outweigh any downsides. If you have to add ::$domain to all of your manifests and supporting code, what impact does that have? Practically speaking, as I know ahead of time where all the relevant bits live, it just means I have to find all the instances of resources which require the new notation, parse them and make the changes, and then do some manual review. Save for the review, it could be easily scripted. signature.asc Description: OpenPGP digital signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 08/05/2015 07:48 PM, Gilles Dubreuil wrote: On 06/08/15 10:16, Jamie Lennox wrote: - Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Thursday, August 6, 2015 1:03:55 AM Subject: Re: [openstack-dev] [puppet][keystone] To always use or not use domain name? On 08/05/2015 08:16 AM, Gilles Dubreuil wrote: While working on trust provider for the Keystone (V3) puppet module, a question about using domain names came up. Shall we allow or not to use names without specifying the domain name in the resource call? I have this trust case involving a trustor user, a trustee user and a project. For each user/project the domain can be explicit (mandatory): trustor_name::domain_name or implicit (optional): trustor_name[::domain_name] If a domain isn't specified the domain name can be assumed (intuited) from either the default domain or the domain of the corresponding object, if unique among all domains. If you are specifying project by name, you must specify domain either via name or id. If you specify proejct by ID, you run the risk of conflicting if you provide a domain speciffiedr (ID or name). Although allowing to not use the domain might seems easier at first, I believe it could lead to confusion and errors. The latter being harder for the user to detect. Therefore it might be better to always pass the domain information. Probably a good idea, as it will catch if you are making some assumption. IE, I say DomainX ProejctQ but I mean DomainQ ProjectQ. Agreed. Like it or not domains are a major part of using the v3 api and if you want to use project names and user names we should enforce that domains are provided. Particularly at the puppet level (dealing with users who should understand this stuff) anything that tries to guess what the user means is a bad idea and going to lead to confusion when it breaks. I totally agree. Thanks for participating Would someone who actually has to deploy/maintain puppet manifests and supporting code chime in here? How do you feel about having to ensure that every domain scoped Keystone resource name must end in ::domain? At the very least, if not using domains, and not changing the default domain, you would have to ensure something::Default _everywhere_ - and I do mean everywhere - every user and tenant name use, including in keystone_user_role, and in other, higher level classes/defines that refer to keystone users and tenants. Anyone? I also wonder how the Ansible folks are handling this, as they move to support domains and other Keystone v3 features in openstack-ansible code? I believe using the full domain name approach is better. But it's difficult to tell because in puppet-keystone and puppet-openstacklib now rely on python-openstackclient (OSC) to interface with Keystone. Because we can use OSC defaults (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't necessarily makes it the best approach. For example hard coded value [1] makes it flaky. [1] https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 To help determine the approach to use, any feedback will be appreciated. Thanks, Gilles __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [puppet][keystone] To always use or not use domain name?
While working on trust provider for the Keystone (V3) puppet module, a question about using domain names came up. Shall we allow or not to use names without specifying the domain name in the resource call? I have this trust case involving a trustor user, a trustee user and a project. For each user/project the domain can be explicit (mandatory): trustor_name::domain_name or implicit (optional): trustor_name[::domain_name] If a domain isn't specified the domain name can be assumed (intuited) from either the default domain or the domain of the corresponding object, if unique among all domains. Although allowing to not use the domain might seems easier at first, I believe it could lead to confusion and errors. The latter being harder for the user to detect. Therefore it might be better to always pass the domain information. I believe using the full domain name approach is better. But it's difficult to tell because in puppet-keystone and puppet-openstacklib now rely on python-openstackclient (OSC) to interface with Keystone. Because we can use OSC defaults (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't necessarily makes it the best approach. For example hard coded value [1] makes it flaky. [1] https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 To help determine the approach to use, any feedback will be appreciated. Thanks, Gilles __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 08/05/2015 08:16 AM, Gilles Dubreuil wrote: While working on trust provider for the Keystone (V3) puppet module, a question about using domain names came up. Shall we allow or not to use names without specifying the domain name in the resource call? I have this trust case involving a trustor user, a trustee user and a project. For each user/project the domain can be explicit (mandatory): trustor_name::domain_name or implicit (optional): trustor_name[::domain_name] If a domain isn't specified the domain name can be assumed (intuited) from either the default domain or the domain of the corresponding object, if unique among all domains. If you are specifying project by name, you must specify domain either via name or id. If you specify proejct by ID, you run the risk of conflicting if you provide a domain speciffiedr (ID or name). Although allowing to not use the domain might seems easier at first, I believe it could lead to confusion and errors. The latter being harder for the user to detect. Therefore it might be better to always pass the domain information. Probably a good idea, as it will catch if you are making some assumption. IE, I say DomainX ProejctQ but I mean DomainQ ProjectQ. I believe using the full domain name approach is better. But it's difficult to tell because in puppet-keystone and puppet-openstacklib now rely on python-openstackclient (OSC) to interface with Keystone. Because we can use OSC defaults (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't necessarily makes it the best approach. For example hard coded value [1] makes it flaky. [1] https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 To help determine the approach to use, any feedback will be appreciated. Thanks, Gilles __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
On 06/08/15 10:16, Jamie Lennox wrote: - Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Thursday, August 6, 2015 1:03:55 AM Subject: Re: [openstack-dev] [puppet][keystone] To always use or not use domain name? On 08/05/2015 08:16 AM, Gilles Dubreuil wrote: While working on trust provider for the Keystone (V3) puppet module, a question about using domain names came up. Shall we allow or not to use names without specifying the domain name in the resource call? I have this trust case involving a trustor user, a trustee user and a project. For each user/project the domain can be explicit (mandatory): trustor_name::domain_name or implicit (optional): trustor_name[::domain_name] If a domain isn't specified the domain name can be assumed (intuited) from either the default domain or the domain of the corresponding object, if unique among all domains. If you are specifying project by name, you must specify domain either via name or id. If you specify proejct by ID, you run the risk of conflicting if you provide a domain speciffiedr (ID or name). Although allowing to not use the domain might seems easier at first, I believe it could lead to confusion and errors. The latter being harder for the user to detect. Therefore it might be better to always pass the domain information. Probably a good idea, as it will catch if you are making some assumption. IE, I say DomainX ProejctQ but I mean DomainQ ProjectQ. Agreed. Like it or not domains are a major part of using the v3 api and if you want to use project names and user names we should enforce that domains are provided. Particularly at the puppet level (dealing with users who should understand this stuff) anything that tries to guess what the user means is a bad idea and going to lead to confusion when it breaks. I totally agree. Thanks for participating I believe using the full domain name approach is better. But it's difficult to tell because in puppet-keystone and puppet-openstacklib now rely on python-openstackclient (OSC) to interface with Keystone. Because we can use OSC defaults (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't necessarily makes it the best approach. For example hard coded value [1] makes it flaky. [1] https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 To help determine the approach to use, any feedback will be appreciated. Thanks, Gilles __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [puppet][keystone] To always use or not use domain name?
- Original Message - From: Adam Young ayo...@redhat.com To: openstack-dev@lists.openstack.org Sent: Thursday, August 6, 2015 1:03:55 AM Subject: Re: [openstack-dev] [puppet][keystone] To always use or not use domain name? On 08/05/2015 08:16 AM, Gilles Dubreuil wrote: While working on trust provider for the Keystone (V3) puppet module, a question about using domain names came up. Shall we allow or not to use names without specifying the domain name in the resource call? I have this trust case involving a trustor user, a trustee user and a project. For each user/project the domain can be explicit (mandatory): trustor_name::domain_name or implicit (optional): trustor_name[::domain_name] If a domain isn't specified the domain name can be assumed (intuited) from either the default domain or the domain of the corresponding object, if unique among all domains. If you are specifying project by name, you must specify domain either via name or id. If you specify proejct by ID, you run the risk of conflicting if you provide a domain speciffiedr (ID or name). Although allowing to not use the domain might seems easier at first, I believe it could lead to confusion and errors. The latter being harder for the user to detect. Therefore it might be better to always pass the domain information. Probably a good idea, as it will catch if you are making some assumption. IE, I say DomainX ProejctQ but I mean DomainQ ProjectQ. Agreed. Like it or not domains are a major part of using the v3 api and if you want to use project names and user names we should enforce that domains are provided. Particularly at the puppet level (dealing with users who should understand this stuff) anything that tries to guess what the user means is a bad idea and going to lead to confusion when it breaks. I believe using the full domain name approach is better. But it's difficult to tell because in puppet-keystone and puppet-openstacklib now rely on python-openstackclient (OSC) to interface with Keystone. Because we can use OSC defaults (OS_DEFAULT_DOMAIN or equivalent to set the default domain) doesn't necessarily makes it the best approach. For example hard coded value [1] makes it flaky. [1] https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L40 To help determine the approach to use, any feedback will be appreciated. Thanks, Gilles __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
