Comment 16 for bug 1475091
Revision history for this message
| Gilles Dubreuil (gdubreui) wrote Re: Missing name field for trusts | #16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Puppet Openstack cannot use trusts unless something is done.
Because when Puppet runs as a daemon, which is mostly the case in production, then every time the puppet catalog would be executed, all the trusts declared in the catalog will created (added), an infinity of trusts is going to be there very quickly, this is not acceptable for puppet users. This is basically breaking idem-potency rules where the same state is guaranteed.
BTW, Puppet initial need for trusts is to configure heat properly.
A Puppet manifest example:
keystone_trust {'adminv3 trust for user1':
trustor => 'adminv3:
trustee => 'user1:
project => 'openstackv3:
roles => ['admin'],
impersonate => true,
ensure => present
}
Because a trust is unique only by its ID, everytime the latter is executed, a new trust to be created.
Effectively, several trusts with the same properties can exists:
$ trust create adminv3 user1 --role admin --project openstackv3 -f shell
deleted_at="None"
expires_at="None"
id="00cf1f149
impersonation
project_
redelegation_
remaining_
roles="admin"
trustee_
trustor_
$ trust create adminv3 user1 --role admin --project openstackv3 -f shell
deleted_at="None"
expires_at="None"
id="0ae2d2004
impersonation
project_
redelegation_
remaining_
roles="admin"
trustee_
trustor_
$ openstack trust list -f csv
"ID","Expires At","Impersonat
"00cf1f149fd0
"0ae2d20042d6
$ openstack trust show 00cf1f149fd0463
deleted_at="None"
expires_at="None"
id="00cf1f149fd
impersonation=
project_
redelegation_
remaining_
roles="admin"
trustee_
trustor_
$ openstack trust show 0ae2d20042d6418
deleted_at="None"
expires_at="None"
id="0ae2d20042d
impersonation=
project_
redelegation_
remaining_
roles="admin"
trustee_
trustor_