It's possible to create duplicate trusts
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Kent Wang |
Bug Description
A name field in Keystone DB is needed for helping identifying trusts.
Effectively , there could be multiple trusts for a same project/
Having a name would help for implementing trust usage.
A use case scenario is currently with Puppet Keystone module while creating the trust provider:
When creating a resource, Puppet uses a name as a title for the resource, that name is unique in order to provide idem-potency. The trust ID (Keystone DB) doesn't exist until its creation and therefore cannot be used as a title for a Puppet resource. Without a name, puppet provider has to make up a name from the different fields, which doesn't guarantee uniqueness anyway. Worse when fetching resources, the provider would have to fetch all the fields to identify the resource and take the first one if many available.
So far, most other Keystone DBMS objects (tables) have a name, which Puppet has been able to use to identify resources.
The latter is why it made more sense to create this request as a bug instead of a blueprint, basically saying a name has been missing upfront rather than being a request for enhancement.
Changed in keystone: | |
assignee: | nobody → jiaxi (tjxiter) |
Changed in keystone: | |
importance: | Undecided → Wishlist |
status: | New → Triaged |
Changed in keystone: | |
assignee: | jiaxi (tjxiter) → nobody |
Changed in keystone: | |
assignee: | nobody → jiaxi (tjxiter) |
Changed in keystone: | |
assignee: | jiaxi (tjxiter) → nobody |
Changed in keystone: | |
assignee: | nobody → Kent Wang (k.wang) |
Changed in keystone: | |
milestone: | none → mitaka-2 |
> So far, most other Keystone DBMS objects (tables) have a name, which Puppet has been able to use to identify resources.
or, for example, keystone_user_role works like the following::
keystone_ user_role { 'username@ projectname' :
roles => ['admin', 'manager']
}
The name is easily constructed from the username and projectname, and provides a mapping back to the role assignment list where it uniquely identifies the role assignment.
I'm not sure how it is possible to do this with trusts.