
yahoo-eng-team team mailing list archive

[Bug 1475091] Re: It's possible to create duplicate trusts

 

Reviewed:  https://review.openstack.org/239114
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=59b09b50ff15df9975832dbfba42e0c984591e48
Submitter: Jenkins
Branch:    master

commit 59b09b50ff15df9975832dbfba42e0c984591e48
Author: Kent Wang <kent.wang@xxxxxxxxx>
Date:   Fri Oct 23 05:58:13 2015 -0700

    Add Trusts unique constraint to remove duplicates
    
    For now, effectively there could be multiple trusts with the same
    project, trustor, trustee, expiry date, impersonation. The same
    combination can have multiple trusts assigned with different roles
    or not.
    
    Patch fixes this issue by adding unique constraint to the trusts
    database model. If two requests create trusts with the same
    trustor, trustee, project, expiry, impersonation, then the second
    request would bring up an exception saying there's a conflict.
    
    This can help to improve specific trusts identification and
    improve user experience.
    
    Change-Id: I1a681b13cfbef40bf6c21271fb80966517fb1ec5
    Closes-Bug: #1475091


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1475091

Title:
  It's possible to create duplicate trusts

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  A name field in Keystone DB is needed to help identify trusts.

  Effectively, there could be multiple trusts for the same
  project/trustor/trustee including the same expiry date and same
  impersonate flag. And the same combination could have multiple trusts
  assigned with different roles or not.

  Having a name would help for implementing trust usage.

  A use case scenario is currently with Puppet Keystone module while
  creating the trust provider:

  When creating a resource, Puppet uses a name as a title for the
  resource; that name is unique in order to provide idempotency. The
  trust ID (Keystone DB) doesn't exist until its creation and therefore
  cannot be used as a title for a Puppet resource. Without a name, the
  Puppet provider has to make up a name from the different fields, which
  doesn't guarantee uniqueness anyway. Worse, when fetching resources,
  the provider would have to fetch all the fields to identify the
  resource and take the first one if many are available.

  So far, most other Keystone DBMS objects (tables) have a name, which Puppet has been able to use to identify resources.
  The latter is why it made more sense to create this request as a bug instead of a blueprint, basically saying a name has been missing upfront rather than being a request for enhancement.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1475091/+subscriptions
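
The unique constraint described in the commit message, as an added example that is not part of the original message or keystone's own code: a constructed SQLite table (table and column names are assumptions) with the constraint over trustor, trustee, project, impersonation and expiry. It also covers the case where the expiry is NULL, which SQL unique constraints treat as distinct values, so a practitioner can check whether non-expiring trusts are still duplicated.

```python
import sqlite3

# Constructed schema: column names are assumptions, not keystone's own model.
SCHEMA = """
CREATE TABLE trust (
    id TEXT PRIMARY KEY,
    trustor TEXT NOT NULL,
    trustee TEXT NOT NULL,
    project TEXT,
    impersonation INTEGER NOT NULL,
    expires_at TEXT,  -- NULL means the trust never expires
    UNIQUE (trustor, trustee, project, impersonation, expires_at)
)"""


class Conflict(Exception):
    """Stand-in for the conflict error the second request receives."""


def create_trust(conn, trust_id, trustor, trustee, project, impersonation, expires_at):
    """Insert one trust; a unique-constraint violation becomes Conflict."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(
                "INSERT INTO trust VALUES (?, ?, ?, ?, ?, ?)",
                (trust_id, trustor, trustee, project, int(impersonation), expires_at),
            )
        return "created"
    except sqlite3.IntegrityError as exc:
        raise Conflict(str(exc)) from exc


def demo():
    """Create two identical pairs of trusts: one with an expiry, one without."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    outcome = {}
    for label, expiry in (("dated", "2030-01-01T00:00:00"), ("no_expiry", None)):
        create_trust(conn, label + "-1", "alice", "bob", "proj", True, expiry)
        try:
            outcome[label] = create_trust(conn, label + "-2", "alice", "bob", "proj", True, expiry)
        except Conflict:
            outcome[label] = "conflict"
    outcome["rows"] = conn.execute("SELECT COUNT(*) FROM trust").fetchone()[0]
    return outcome


if __name__ == "__main__":
    print(demo())
```

Where rows with a NULL column must also be deduplicated, common approaches are storing a sentinel value instead of NULL or checking for an existing row in the application before the insert.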

