
yahoo-eng-team team mailing list archive

[Bug 1808059] Re: admin user should have admin role in the Default domain

 

I disagree with this needing to be in bootstrap. The main reason is that
bootstrap is intended to simply get a deployment to a place where it can
be set up. Since this is only some 3rd party plugins for NFV, this is
something the deployment can choose to do.

Bootstrap is and always will be intended to be a minimal functioning
Keystone. It is not intended for it to work out of the box for other
services. The point is to allow interaction with keystone and not
require steps such as "stand up keystone with a shared secret, set up
keystone via the API, restart keystone without shared secret".

Since "domain scoped" tokens are limited in use for setting up keystone,
it is not the direction to add more roles supplied by bootstrap.

In the future when system-scope is fully realized, bootstrap will likely
not even create a role on a project, but instead create a system-scoped
role for the admin user.

I am marking this as opinion. It's not something that fits within
bootstrap.

** Changed in: keystone
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1808059

Title:
  admin user should have admin role in the Default domain

Status in OpenStack Identity (keystone):
  Opinion

Bug description:
  
  * Some 3rd party (NFV) require the admin user to have the admin role in the Default domain. 

  * Some deployers automatically add the admin user to the Default
  domain post deployment but it could probably be better to have
  keystone-manage bootstrap a domain with --bootstrap-domain-name.

  * We already assign user to project and create the Default domain in
  the bootstrapping procedure.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1808059/+subscriptions

