On 07/01/2014 12:15 PM, Dolph Mathews wrote: > > On Tue, Jul 1, 2014 at 11:20 AM, Coles, Alistair <alistair.co...@hp.com > <mailto:alistair.co...@hp.com>> wrote: > > We have a change [1] under review in Swift to make access control > lists compatible with migration to keystone v3 domains. The change > makes two assumptions that I’d like to double-check with keystone > folks:____ > > __ __ > > __1. __That a project can never move from one domain to another. > > We're moving in this direction, at least. In Grizzly and Havana, we made > no such restriction. In Icehouse, we introduced such a restriction by > default, but it can be disabled. So far, we haven't gotten any > complaints about adding the restriction, so maybe we should just add > additional help text to the option in our config about why you would > never want to disable the restriction, citing how it would break swift? > > ____ > > __2. __That the underscore character cannot appear in a valid > domain id – more specifically, that the string ‘_unknown’ cannot be > confused with a domain id. > > That's fairly sound. All of our domain ID's are system-assigned as > UUIDs, except for the "default" domain which has an explicit > id='default'. We don't do anything to validate the assumption, though.
I don't like the idea of making this assumption without explicit validation. If there is a need for a blacklisted domain id space, we should enforce it to prevent problems down the road. -NGK > > ____ > > __ __ > > Are those safe assumptions?____ > > __ __ > > Thanks,____ > > Alistair____ > > __ __ > > [1] https://review.openstack.org/86430____ > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > <mailto:OpenStack-dev@lists.openstack.org> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
