Comment 9 for bug 1475091

Jamie Lennox (jamielennox) wrote : Re: Missing name field for trusts

So I was in favour of this on first hearing it, but I've been thinking about the problems of a name.

In keystone things with a name are only unique within a domain. That's why we have to specify user_domain_[id|name] and project_domain_[id|name] when using username or project_name. I'm concerned that after adding a name field to a trust we are going to want to be able to specify a trust_name as a scope. To include that we are also going to need to include trust_domain_[id|name] on authentication. I'm not sure if it makes sense for a trust to be owned by a domain (especially with the hierarchical projects/project=domain stuff we're starting now) as a trust is a relationship between two objects which are each owned by a (possibly different) domain.

Trusts are difficult and I'm keen to help out the deployment tools, but a name field has larger repercussions.