Missing domain for federated users

Bug #1642687 reported by Ron De Rose
This bug affects 4 people
Affects:      OpenStack Identity (keystone)
Status:       Fix Released
Importance:   Medium
Assigned to:  Ron De Rose

Bug Description

When creating federated users, as part of shadowing users, the user's domain_id is not set. An Identity Provider (IdP) should be mapped to a domain and users from that IdP should be created within that domain.

Tags: federation
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
status: New → In Progress
Changed in keystone:
milestone: none → ocata-2
importance: Undecided → Medium
tags: added: federation
Revision history for this message
Adam Young (ayoung) wrote :

Could we create the domain based on the IdP if it is not explicitly provided?

Revision history for this message
Ron De Rose (ronald-de-rose) wrote :

I'm currently working on a patch that would require the domain_id when registering an IdP. If not explicitly provided (existing code), the current plan is to map the IdP to a default 'Federated' domain, which is what is currently happening (sort of), except the Federated domain is not a real domain. Now it will be.

The problem with automatically creating a new domain for every IdP is that it would likely be unexpected for the admin. Imagine you were creating and deleting IdPs and you now had a bunch of new domains and no idea where they belong or why they were created.

Revision history for this message
Steve Martinelli (stevemar) wrote :
description: updated
Changed in keystone:
milestone: ocata-2 → ocata-3
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Ron De Rose (ronald-de-rose)
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Samuel de Medeiros Queiroz (samueldmq)
Changed in keystone:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Ron De Rose (ronald-de-rose)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/399684
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8c190a1a29dbb17fee044827fc9b651918dfc51e
Submitter: Jenkins
Branch: master

commit 8c190a1a29dbb17fee044827fc9b651918dfc51e
Author: Ronald De Rose <email address hidden>
Date: Fri Nov 18 16:41:08 2016 +0000

    Require domain_id when registering Identity Providers

    An Identity Provider (IdP) should be related (1:1) to a domain so that
    federated users properly belong to a domain and can be uniquely
    identified by their domain + unique_id. This patch makes it so that a
    domain_id is required when registering a new IdP. If not explicitly set
    via the API, the IdP will be mapped to a newly created domain. The docs
    and release notes will be added in a subsequent patch.

    Partial-Bug: #1642687
    Partially-Implements: bp support-federated-attr
    Change-Id: Id18b8b2fe853b97631bc990df8188ed64a6e1275

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/399157
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=74af1364783efe7a8f68badc9cdb55f623f00424
Submitter: Jenkins
Branch: master

commit 74af1364783efe7a8f68badc9cdb55f623f00424
Author: Ronald De Rose <email address hidden>
Date: Thu Nov 17 18:01:08 2016 +0000

    Update docs to require domain_id when registering Identity Providers

    An Identity Provider (IdP) should be mapped to a domain. This patch
    updates the documentation and creates a release note recommending the
    domain_id parameter.

    Depends-On: Id18b8b2fe853b97631bc990df8188ed64a6e1275
    Partial-Bug: #1642687
    Change-Id: I1cb749371175169662dbb5fa8feafe403fb1c39b

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/408332
Reason: Concerned about the timeout, going to break this up into smaller patches to see if I can isolate and resolve the issue.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/409874
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2bd88d30e1d2873470af7f40db45a99e07e12ce6
Submitter: Jenkins
Branch: master

commit 2bd88d30e1d2873470af7f40db45a99e07e12ce6
Author: Ronald De Rose <email address hidden>
Date: Mon Dec 12 17:49:13 2016 +0000

    Add domain_id to the user table

    All users (including federated) should belong to a domain. Currently,
    the domain_id is being populated in the local_user and nonlocal_user
    (ldap) tables. However, it isn't being set for federated users. This
    patch moves the domain_id up to the user table, and creates composite
    foreign key (fk) relationships to the local_user and nonlocal_user
    tables, as the domain_id is still needed in those tables to enforce
    user name uniqueness:

    +-----------------+
    | user            |
    | (pk) id         |
    | domain_id       |
    +-----------------+
            1:1
    +-----------------+
    | local_user      | (and nonlocal_user)
    | (pk) id         |
    | (fk) user_id    |
    | (fk) domain_id  |
    +-----------------+

    Likewise, a unique constraint is created on user (id, domain_id) to
    support the new composite fk.

    This will allow us to set the domain_id in the user table and ensure
    that it is in sync with the local_user and nonlocal_user tables, such
    that a user belongs to a domain.

    Partial-Bug: #1642687
    Partially-Implements: bp support-federated-attr
    Change-Id: I08a8f3cb59150c8e9a2f90c5ea6b0aa197a03572

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/423705
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6e0faa96eda7901b2e64aaf7d255c52527392b59
Submitter: Jenkins
Branch: master

commit 6e0faa96eda7901b2e64aaf7d255c52527392b59
Author: Ronald De Rose <email address hidden>
Date: Sat Jan 21 20:47:04 2017 +0000

    Refactor shadow users tests

    The main reason for this change is to create real Identity Provider data
    for the shadow users (backend and core) tests related to federated
    users. This is needed in a subsequent patch where we set the domain for
    federated users.

    I ended up moving the shadow user tests out of the identity tests, as my
    changes were conflicting with some of those tests and it provided a
    simpler implementation.

    Partial-Bug: #1642687
    Partially-Implements: bp support-federated-attr
    Depends-On: I08a8f3cb59150c8e9a2f90c5ea6b0aa197a03572
    Change-Id: If8c8ad39c4c55a2d800bf4432411db59799e84e6

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/423708
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c19f2431524be224b4c027b2a56398d7c3e5e18b
Submitter: Jenkins
Branch: master

commit c19f2431524be224b4c027b2a56398d7c3e5e18b
Author: Ronald De Rose <email address hidden>
Date: Sat Jan 21 21:10:56 2017 +0000

    Set the domain for federated users

    This patch updates the domain for federated users to be the domain of
    the Identity Provider (IdP).

    Closes-Bug: #1642687
    Partially-Implements: bp support-federated-attr
    Depends-On: If8c8ad39c4c55a2d800bf4432411db59799e84e6
    Change-Id: Iccfad6f39dc339ca054bedf3c6882c3701dcf0ec
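
The design that the bug description, the "Require domain_id when registering Identity Providers" commit, the "Add domain_id to the user table" commit and this final commit converge on can be exercised end to end in a small SQLite model. This is an added example, not keystone's code or schema: the table names follow the commit messages (domain, user, local_user, identity_provider), while the column types, the NOT NULL on user.domain_id, the register_idp() and shadow_federated_user() helpers and the demo_* functions are assumptions made for illustration. It shows three things: an IdP registered without a domain_id gets a freshly created domain; a shadow user inherits its IdP's domain, so the same unique_id asserted by two IdPs produces two distinct users in two domains; and the composite foreign key rejects a local_user row whose domain_id disagrees with its user row, which SQLite can only enforce once user carries the UNIQUE (id, domain_id) parent key the commit message describes.

```python
import sqlite3
import uuid


def build_schema(with_user_unique=True):
    # UNIQUE (id, domain_id) on user is the parent key the composite foreign
    # key from local_user needs; pass False to see what happens without it.
    user_unique = ",\n    UNIQUE (id, domain_id)" if with_user_unique else ""
    return f"""
CREATE TABLE domain (
    id TEXT PRIMARY KEY
);
CREATE TABLE identity_provider (
    id        TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES domain(id)
);
CREATE TABLE user (
    id        TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES domain(id){user_unique}
);
-- local_user keeps its own domain_id (name uniqueness is per domain); the
-- composite FK guarantees it always equals the parent user's domain_id.
CREATE TABLE local_user (
    id        INTEGER PRIMARY KEY,
    user_id   TEXT NOT NULL,
    domain_id TEXT NOT NULL,
    name      TEXT NOT NULL,
    UNIQUE (domain_id, name),
    FOREIGN KEY (user_id, domain_id) REFERENCES user(id, domain_id)
);
"""


def connect(with_user_unique=True):
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs otherwise
    conn.executescript(build_schema(with_user_unique))
    return conn


def register_idp(conn, idp_id, domain_id=None):
    """Register an IdP; when no domain_id is given, create a domain for it."""
    if domain_id is None:
        domain_id = uuid.uuid4().hex
        conn.execute("INSERT INTO domain (id) VALUES (?)", (domain_id,))
    conn.execute("INSERT INTO identity_provider (id, domain_id) VALUES (?, ?)",
                 (idp_id, domain_id))
    return domain_id


def shadow_federated_user(conn, idp_id, unique_id):
    """Shadow an asserted user into the IdP's domain; identity is (domain_id, unique_id)."""
    row = conn.execute("SELECT domain_id FROM identity_provider WHERE id = ?",
                       (idp_id,)).fetchone()
    domain_id = row[0]
    user_id = uuid.uuid4().hex
    conn.execute("INSERT INTO user (id, domain_id) VALUES (?, ?)", (user_id, domain_id))
    return {"id": user_id, "domain_id": domain_id, "unique_id": unique_id}


def demo_federated_domains():
    """Same unique_id from two IdPs -> two users, each in its own IdP's domain."""
    conn = connect()
    conn.execute("INSERT INTO domain (id) VALUES ('corp')")
    register_idp(conn, "idp-corp", domain_id="corp")
    auto_domain = register_idp(conn, "idp-partner")  # no domain_id given
    alice_corp = shadow_federated_user(conn, "idp-corp", "alice")
    alice_partner = shadow_federated_user(conn, "idp-partner", "alice")
    return alice_corp["domain_id"], alice_partner["domain_id"], auto_domain


def demo_domain_mismatch():
    """A local_user.domain_id that disagrees with user.domain_id is rejected."""
    conn = connect()
    conn.execute("INSERT INTO domain (id) VALUES ('d1'), ('d2')")
    conn.execute("INSERT INTO user (id, domain_id) VALUES ('u1', 'd1')")
    try:
        conn.execute("INSERT INTO local_user (user_id, domain_id, name) "
                     "VALUES ('u1', 'd2', 'bob')")
    except sqlite3.IntegrityError:  # FOREIGN KEY constraint failed
        return "rejected"
    return "accepted"


def demo_missing_unique_constraint():
    """Without UNIQUE (id, domain_id) on user the composite FK has no parent key."""
    conn = connect(with_user_unique=False)
    try:
        conn.execute("INSERT INTO domain (id) VALUES ('d1')")
        conn.execute("INSERT INTO user (id, domain_id) VALUES ('u1', 'd1')")
        conn.execute("INSERT INTO local_user (user_id, domain_id, name) "
                     "VALUES ('u1', 'd1', 'bob')")
    except sqlite3.DatabaseError as exc:  # SQLite: "foreign key mismatch"
        return str(exc)
    return "accepted"
```

Two SQLite details matter when running this: foreign keys are off by default, so without the PRAGMA the mismatch demo would silently accept the bad row; and SQLite only reports a missing parent key ("foreign key mismatch") when a statement that needs the composite key is prepared, not when the table is created, which is why demo_missing_unique_constraint() fails at the INSERT rather than in build_schema().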

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b3

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.
