change account_autocreate to default to true

Fix proposed to branch: master
Review: https://review.openstack.org/385946

I think this is a good idea. My only concern is about current deployments that may be tight on security and are currently depending on the default being not to auto create accounts. Would it be enough to simply point it out in the changelog?

maybe, probably, or not...

we could definately make it required? I do sorta doubt that anyone is using the default w/o calling it out explicitly - because stuff is so broken w/o it - most deployments probably have it explicitly set to true in their configs and wouldn't even notice if we required it.

but I'm not sure I wouldn't go for just changing it - it's not really a security thing - it's just a provisioning workflow - you can have a valid auth token but not use the service because a reselleradmin didn't put your account - nobodies auth systems work like that?

OTOH, just making it required is 100% safe, and give us the option to relax with a different default down the road.

Thanks for the perspective. I like your idea of making it required. Some systems are a little funny when it comes to security, and they judge the rules at every layer that would need to be breached when evaluating strength of security.

After talking with some people at work, and talking more with Clay and learning more about "account_autocreate" and "allow_account_management" in general, I no longer think this setting could be considered a security layer. If we did change to require the setting, then some deployments would have to add that - when they might not mind the change in behavior. And most likely if you specifically cared not to autocreate, then you'd prob have it set. Sounds like a very low chance we'd want to change the default down the road. Perhaps it is best to simply change the default.

Agree with you of simply changing the default. Not to my knowledge, many company check the changelog before upgrade.