Creating a user/group/project without a domain should be deprecated (or even raise an exception)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Henry Nash | ||
Bug Description
According to the API spec, you must supply a domain for a user, group or project on create. You can do this either by specifying it explicitly in the object or by using a domain scoped token. Although the spec doesn't say this explicitly, one would expect an exception to be raised if you don't do either the these (e.g. try using a project scoped token). However, due to a long fixed bug (1283539) in a heat tempest, we actually fall back and try and use the default domain (which may still fail of course if you don't have a role on the default domain).
This fall back is neither in the spec nor is it sensible in the long run. We should raise a ValidationError in the situation when no domain is specified.
The only one concern I have is whether someone might have discovered this fall back in the field....and so there is an argument as to whether we should add deprecation warning if we detect this situation for a cycle?
Whatever we decide, we should make the identity spec clearer as to what happens in this situation.
| summary: |
- Creating a user/group without a domain should raise an exception + Creating a user/group/project without a domain should raise an exception |
| Changed in keystone: | |
| assignee: | nobody → Henry Nash (henry-nash) |
| Changed in keystone: | |
| status: | New → In Progress |
| Changed in keystone: | |
| importance: | Undecided → Medium |
| tags: | added: user-experience |
| description: | updated |
| Henry Nash (henry-nash) wrote Re: Creating a user/group/project without a domain should raise an exception | #1 |
| summary: |
- Creating a user/group/project without a domain should raise an exception + Creating a user/group/project without a domain should be deprecated (or + even raise an exception) |
| Changed in keystone: | |
| assignee: | Henry Nash (henry-nash) → Brant Knudson (blk-u) |
| Changed in keystone: | |
| assignee: | Brant Knudson (blk-u) → Henry Nash (henry-nash) |
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #2 |
| Changed in keystone: | |
| status: | In Progress → Fix Committed |
| Changed in keystone: | |
| milestone: | none → liberty-rc1 |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | liberty-rc1 → 8.0.0 |
As discussed on IRC, we should probably deprecate this functionality first, in case someone has fallen into the trap of using it, before we explicitly remove it and raise an exception. We'll follow that up with a fix next cycle.