yahoo-eng-team team mailing list archive
Message #36593
[Bug 1482330] [NEW] Creating a user/group/project without a domain should raise an exception
Public bug reported:
According to the API spec, you must supply a domain for a user, group or
project on create. You can do this either by specifying it explicitly
in the object or by using a domain scoped token. Although the spec
doesn't say this explicitly, one would expect an exception to be raised
if you don't do either of these (e.g. try using a project scoped
token). However, due to a long-fixed bug (1283539) in a heat tempest,
we actually fall back and try and use the default domain (which may
still fail of course if you don't have a role on the default domain).

This fallback is neither in the spec nor is it sensible in the long
run. We should raise a ValidationError in the situation when no domain
is specified.

The only concern I have is whether someone might have discovered
this fallback in the field... and so there is an argument as to whether
we should add a deprecation warning if we detect this situation for a
cycle?
** Affects: keystone
Importance: Undecided
Assignee: Henry Nash (henry-nash)
Status: In Progress
** Summary changed:
- Creating a user/group without a domain should raise an exception
+ Creating a user/group/project without a domain should raise an exception
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
https://bugs.launchpad.net/bugs/1482330
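
The resolution order described in the report, with the existing default-domain fallback, the suggested one-cycle deprecation warning and the proposed ValidationError as three selectable modes. This is an added illustration, not Keystone's code; the function name, the `mode` switch, the dict-based token model and the `default` domain id are assumptions.

```python
import warnings

DEFAULT_DOMAIN_ID = "default"  # assumed id of the default domain


class ValidationError(Exception):
    """Stand-in for the ValidationError named in the report."""


def resolve_domain_for_create(ref, token, mode="strict"):
    """Return a copy of `ref` with domain_id set, or raise.

    ref   -- dict describing the user/group/project to create
    token -- simplified token model: 'domain_id' when domain scoped,
             'project_id' when project scoped (hypothetical shape)
    mode  -- 'legacy': silent fallback to the default domain
             'warn'  : same fallback plus a DeprecationWarning
             'strict': raise ValidationError
    """
    if mode not in ("legacy", "warn", "strict"):
        raise ValueError("unknown mode: %r" % (mode,))
    ref = dict(ref)  # never mutate the caller's request body

    # 1. A domain given explicitly in the object takes precedence.
    if ref.get("domain_id"):
        return ref

    # 2. Otherwise the domain comes from a domain scoped token.
    if token.get("domain_id"):
        ref["domain_id"] = token["domain_id"]
        return ref

    # 3. Neither was supplied, e.g. a project scoped token was used.
    if mode == "strict":
        raise ValidationError(
            "domain_id is required: set it in the object or use a "
            "domain scoped token")
    if mode == "warn":
        warnings.warn(
            "creating an entity without a domain falls back to the "
            "default domain; this fallback is deprecated",
            DeprecationWarning, stacklevel=2)
    ref["domain_id"] = DEFAULT_DOMAIN_ID
    return ref
```
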