Comment 4 for bug 1908703

Georgina Shippey (gshippey) wrote :

You are taking me down memory lane!

So I raised this bug with keystone a while back:
https://bugs.launchpad.net/keystone/+bug/1883247
From what I found while playing around, there aren't any operational issues with having an IDP with a generated domain, which is why I imagine we do not have any bug reports around this.

I added the functionality to specify the domain id of the IDP as I felt it was right to have the ability to keep things consistent.
- https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/735654
- https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/735655
As people already have installations where the IDP has a randomly generated domain, I wanted to keep things backwards compatible so as not to cause any issues, and therefore made setting the domain_id on the IDP optional.

Furthermore, not everyone makes use of the federated_identities section. For example, in the deployment I maintain the local portion of my mapping looks like:

    - local:
        - user:
            domain:
              id: default        # domain id, not the domain name ("Default")
            name: "{0}"          # first direct-mapped remote attribute
            email: "{1}"         # second direct-mapped remote attribute
          projects:
            - name: "{0}_project"  # project is auto-created per user
              roles:
                - name: _member_

The project is autogenerated in this case, and I have no need to assign the user a group. Therefore there is nothing I need federated_identities to create / ensure in advance, assuming the default domain always exists. Hence I do not believe the domain id for the IDP should come from the federated_identities.

In the keystone_sp section of https://docs.openstack.org/openstack-ansible-os_keystone/latest/ there is a reference to domain_id; however, I can see your point, this may be easy to miss. I also concur that knowing when to use the Default/default domain name or domain_id did cause me issues when I was deploying as well. Unfortunately this is from having old code that is not standardised. I will try to spend some time (when I can find it) updating documentation to make things clearer.

Hopefully with the new ansible 2.10 keystone modules some of this code can be simplified. But again, finding the time...

Thanks for all your feedback! Please keep us updated :)
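The mapping fragment quoted in the comment above only shows the `local` half of a keystone federation rule, and the Default/default confusion it mentions is easy to reproduce. The following is an added example, not code from the comment, from keystone or from openstack-ansible: it models how keystone renders such a rule (plain `type`-only `remote` entries feed the `{0}`, `{1}` placeholders in order; `any_one_of` entries are conditions only; multi-valued attributes are split on `;`) and lints the domain references in a mapping. The `remote` section, the attribute names and the sample assertion are constructed assumptions; the real keystone rule processor has more features (regex, whitelists, blacklists) that this simplified model omits.

```python
"""Render and lint a Keystone federation mapping rule (added example, simplified model)."""
import re

# Constructed mapping: `local` follows the comment's block; `remote` is assumed here.
MAPPING_RULES = [
    {
        "local": [
            {
                "user": {
                    "domain": {"id": "default"},
                    "name": "{0}",
                    "email": "{1}",
                },
                "projects": [
                    {"name": "{0}_project", "roles": [{"name": "_member_"}]}
                ],
            }
        ],
        "remote": [
            {"type": "REMOTE_USER"},                                  # -> {0}
            {"type": "REMOTE_USER_EMAIL"},                            # -> {1}
            {"type": "REMOTE_USER_GROUPS", "any_one_of": ["openstack-users"]},
        ],
    }
]

# Constructed assertion, shaped like the environment an SP auth module hands to keystone.
SAMPLE_ASSERTION = {
    "REMOTE_USER": "alice",
    "REMOTE_USER_EMAIL": "alice@example.org",
    "REMOTE_USER_GROUPS": "openstack-users;staff",
}

PLACEHOLDER = re.compile(r"\{(\d+)\}")


def _substitute(value, direct_maps):
    """Recursively replace {n} placeholders with the n-th direct-mapped remote value."""
    if isinstance(value, str):
        return PLACEHOLDER.sub(lambda m: direct_maps[int(m.group(1))], value)
    if isinstance(value, dict):
        return {k: _substitute(v, direct_maps) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, direct_maps) for v in value]
    return value


def _remote_matches(remote, assertion):
    """Return the direct-map values if every remote requirement holds, else None."""
    direct_maps = []
    for req in remote:
        raw = assertion.get(req["type"])
        if raw is None:
            return None                     # attribute absent: rule does not apply
        values = raw.split(";")             # multi-valued attributes are ';'-joined
        if "any_one_of" in req:
            if not any(v in req["any_one_of"] for v in values):
                return None
        elif "not_any_of" in req:
            if any(v in req["not_any_of"] for v in values):
                return None
        else:
            direct_maps.append(raw)         # plain {"type": ...} entries feed {n}
    return direct_maps


def evaluate_mapping(rules, assertion):
    """Return the rendered `local` objects of the first rule whose `remote` matches."""
    for rule in rules:
        direct_maps = _remote_matches(rule["remote"], assertion)
        if direct_maps is not None:
            return _substitute(rule["local"], direct_maps)
    return None


def lint_domain_refs(rules):
    """Flag user/group domain references that mix up the default domain's id and name."""
    findings = []
    for i, rule in enumerate(rules):
        for local in rule["local"]:
            for kind in ("user", "group"):
                domain = local.get(kind, {}).get("domain")
                if domain is None:
                    continue
                if "id" in domain and "name" in domain:
                    findings.append(f"rule {i}: {kind}.domain sets both id and name; use one")
                if domain.get("name") == "default":
                    findings.append(f"rule {i}: {kind}.domain.name 'default' is the id; the name is 'Default'")
                if domain.get("id") == "Default":
                    findings.append(f"rule {i}: {kind}.domain.id 'Default' is the name; the id is 'default'")
    return findings


if __name__ == "__main__":
    print(evaluate_mapping(MAPPING_RULES, SAMPLE_ASSERTION))
    print(lint_domain_refs(MAPPING_RULES) or "no domain findings")
```

Running the block renders the comment's rule for the constructed user, producing `alice`, `alice@example.org` and the auto-named project `alice_project`; an assertion whose group list does not satisfy `any_one_of` yields no match, and `lint_domain_refs` stays silent for `id: default` while flagging a mapping that writes `name: default`.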