yahoo-eng-team team mailing list archive

[Bug 1453769] Re: Domain name update breaks IDP configuration

 

I completely agree, the current design directly results in the fragility
you described (I pushed for naming domain-specific configuration files
using their immutable, system-defined domain IDs instead, but lost that
argument... I think on the basis of deployer experience? I'll let Henry
Nash comment further).

As a workaround, you could set the "identity:update_domain" to be more
restrictive (to users that understand the impact of such a change), or
disallow it completely.

I'm leaving this as Won't Fix, as the only alternative solution I can
think of is introducing a new configuration option that determines
whether configuration files are named using domain names or IDs, which
doesn't quite seem worth it (just to provide backwards compatibility...
unless someone has a better idea? if so, please change the status
accordingly).

** Changed in: keystone
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1453769

Title:
  Domain name update breaks IDP configuration

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  The configuration file for an identity provider, e.g. LDAP, is generally named as keystone.<domain_name>.conf.
  Since Keystone allows a user to update a domain name, any domain name update makes this file for that domain name irrelevant. This file is not automatically renamed via Keystone and I tried to look around in the documentation and this seems to be the only way to configure an LDAP IDP. Manual renaming of all such config files for domains seems like an overhead.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1453769/+subscriptions
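
A drift check for the situation this bug describes, added here as an example and not part of the original message or of Keystone: it compares `keystone.<domain_name>.conf` file names against the current domain list and reports files orphaned by a rename. The function names, the sample domain IDs and names, and the list of domains expected to have their own config are assumptions made for illustration.

```python
import re
from pathlib import Path

# Naming scheme from the bug description: keystone.<domain_name>.conf
_CONF_RE = re.compile(r"^keystone\.(?P<domain>.+)\.conf$")


def config_domain(filename):
    """Return the domain name embedded in a config file name, or None."""
    m = _CONF_RE.match(Path(filename).name)
    return m.group("domain") if m else None


def find_drift(config_files, domains, expected_ids):
    """Compare per-domain config file names with the current domain list.

    config_files: file names or paths found in the domain config directory
    domains:      mapping of immutable domain ID -> current domain name
    expected_ids: domain IDs that are supposed to have their own config
    Returns (orphaned, missing): files whose name matches no current
    domain, and {domain ID: file name the naming scheme now requires}.
    """
    by_name = {}
    for f in config_files:
        name = config_domain(f)
        if name is not None:  # skip files outside the naming scheme
            by_name[name] = str(f)
    current = set(domains.values())
    orphaned = sorted(p for n, p in by_name.items() if n not in current)
    missing = {
        d: f"keystone.{domains[d]}.conf"
        for d in expected_ids
        if d in domains and domains[d] not in by_name
    }
    return orphaned, missing


# Constructed sample: domain "d2" was renamed from "corp-ldap" to "corp".
SAMPLE_FILES = ["keystone.corp-ldap.conf", "keystone.partners.conf", "README"]
SAMPLE_DOMAINS = {"d1": "partners", "d2": "corp", "default": "Default"}
SAMPLE_EXPECTED = ["d1", "d2"]

if __name__ == "__main__":
    orphaned, missing = find_drift(SAMPLE_FILES, SAMPLE_DOMAINS, SAMPLE_EXPECTED)
    for path in orphaned:
        print(f"orphaned config (no domain with this name): {path}")
    for domain_id, wanted in missing.items():
        print(f"domain {domain_id} has no config; expected {wanted}")
```

Run against the real directory listing and domain list after any domain update; an orphaned file paired with a missing entry for the same deployment is the signature of a rename.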

