Reviewed: https://review.openstack.org/239114
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=59b09b50ff15df9975832dbfba42e0c984591e48
Submitter: Jenkins
Branch: master
commit 59b09b50ff15df9975832dbfba42e0c984591e48
Author: Kent Wang <kent.w...@intel.com>
Date: Fri Oct 23 05:58:13 2015 -0700
Add Trusts unique constraint to remove duplicates
For now, effectively there could be multiple trusts with the same
project, trustor, trustee, expiry date, impersonation. The same
combination can have multiple trusts assigned with different roles
or not.
Patch fixes this issue by adding unique constraint to the trusts
database model. If two requests create trusts with the same
trustor, trustee, project, expiry, impersonation, then the second
request would bring up an exception saying there's a conflict.
This can help to improve specific trusts identification and
improve user experience.
Change-Id: I1a681b13cfbef40bf6c21271fb80966517fb1ec5
Closes-Bug: #1475091
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1475091
Title:
It's possible to create duplicate trusts
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
A name field in Keystone DB is needed for helping identifying trusts.
Effectively , there could be multiple trusts for a same
project/trustor/trustee including the same expiry date and same
impersonate flag. And the same combination could have multiple trusts
assigned with different roles or not.
Having a name would help for implementing trust usage.
A use case scenario is currently with Puppet Keystone module while
creating the trust provider:
When creating a resource, Puppet uses a name as a title for the
resource, that name is unique in order to provide idem-potency. The
trust ID (Keystone DB) doesn't exist until its creation and therefore
cannot be used as a title for a Puppet resource. Without a name,
puppet provider has to make up a name from the different fields, which
doesn't guarantee uniqueness anyway. Worse when fetching resources,
the provider would have to fetch all the fields to identify the
resource and take the first one if many available.
So far, most other Keystone DBMS objects (tables) have a name, which Puppet
has been able to use to identify resources.
The latter is why it made more sense to create this request as a bug instead
of a blueprint, basically saying a name has been missing upfront rather than
being a request for enhancement.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1475091/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
