Comment 18 for bug 1475091

Richard Megginson (rmeggins) wrote : Re: Missing name field for trusts

According to the work done by Sofer: http://lists.openstack.org/pipermail/openstack-dev/2015-September/075873.html

We don't need to worry about the actual 'name' of the keystone trust resource in puppet, as long as it is unique.

What we really need to know is some combination of keystone trust properties that, taken together, uniquely identify a trust.

Dolph: https://bugs.launchpad.net/keystone/+bug/1475091/comments/6

Are you saying that if we have specified in puppet:

  keystone_trust {'some trust for some user':
    trustor => trustor_user_id,
    trustee => trustee_user_id,
    project => project_id,
    impersonation => impersonationvalue,
    expires_at => expires_at_timestamp,
  }

And we do an `openstack trusts list`, and we find a trust that exactly matches the values of trustor_user_id, trustee_user_id, project_id, impersonationvalue, and expires_at_timestamp, can we be 100% certain that these trusts are the same, that the values of trustor_user_id, trustee_user_id, project_id, impersonationvalue, and expires_at_timestamp taken together uniquely identify a trust?

Or, is it possible for there to be two different trusts in keystone that have the same values for trustor_user_id, trustee_user_id, project_id, impersonationvalue, and expires_at_timestamp?

If trustor_user_id, trustee_user_id, project_id, impersonationvalue, and expires_at_timestamp do not uniquely identify a trust, is there some other combination of fields that, taken together, will uniquely identify a trust?

If there is no such combination, then we are just going to have to create some artificial limitations in puppet. For example, we will just have to pick some combination of fields and say that these identify a trust. Then, if puppet detects two different trusts with the same values for these fields, puppet will just have to pick one, and issue a warning that there may be duplicate trusts in keystone.

Worst case, if the user is doing something really bizarre, she/he may not be able to use puppet to manage trusts.
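The fallback described in the comment above (choose a set of fields, treat them as the trust's identity, pick one trust when several match, and warn) could look like the following. This is an added example, not part of the original comment and not code from the puppet-keystone module; the record keys mirror the fields named in the comment, and the "lowest id wins" policy, the normalization rules and the sample records are assumptions made for illustration.

```ruby
require 'time'

# Fields the comment proposes treating, taken together, as a trust's identity.
IDENTITY_FIELDS = %w[trustor_user_id trustee_user_id project_id
                     impersonation expires_at].freeze

# Normalize a trust record into a comparable tuple so that cosmetic
# differences (true vs "True", differing timestamp precision) do not
# hide a duplicate.
def trust_identity(trust)
  IDENTITY_FIELDS.map do |field|
    value = trust[field]
    case field
    when 'impersonation'
      value.to_s.downcase == 'true'
    when 'expires_at'
      # nil or empty means the trust never expires
      value.to_s.empty? ? nil : Time.parse(value.to_s).utc.to_i
    else
      value.to_s
    end
  end
end

# Returns [selected, warnings]: one trust per identity tuple, plus one
# warning for every tuple matched by more than one trust.
def select_trusts(trusts)
  warnings = []
  selected = trusts.group_by { |t| trust_identity(t) }.map do |_key, group|
    chosen = group.min_by { |t| t['id'] } # assumed deterministic pick
    if group.size > 1
      ids = group.map { |t| t['id'] }.sort.join(', ')
      warnings << "possible duplicate trusts in keystone: #{ids}; " \
                  "managing #{chosen['id']}"
    end
    chosen
  end
  [selected, warnings]
end

# Constructed sample records, not real keystone output.
BASE = { 'trustor_user_id' => 'u1', 'trustee_user_id' => 'u2',
         'project_id' => 'p1' }.freeze
SAMPLE_TRUSTS = [
  BASE.merge('id' => 'trust-a', 'impersonation' => true,
             'expires_at' => '2015-12-31T00:00:00Z'),
  BASE.merge('id' => 'trust-b', 'impersonation' => 'True',
             'expires_at' => '2015-12-31T00:00:00.000000Z'),
  BASE.merge('id' => 'trust-c', 'impersonation' => false, 'expires_at' => nil)
].freeze

puts select_trusts(SAMPLE_TRUSTS).last if __FILE__ == $PROGRAM_NAME
```
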