openstack/keystone
Code Issues Proposed changes
keystone/doc/source/admin/case-insensitive.rst
Colleen Murphy ccb3d340e4 Rename admin guide pages 
Some of the admin guide pages were prefixed with "identity-" because
they came from the centralized install guide or operators guide or
security guide or somewhere else. We don't need the prefix, everything
in keystone is identity. Remove the prefix from the affected pages so
that everything is consistent.

Change-Id: Icd172a39fe720472f1fb15395178f90282696ac9
2018-12-11 11:43:50 +01:00

3.3 KiB
Raw Blame History

Case-Insensitivity in keystone

Keystone currently handles the case-sensitivity for the naming of each resource a bit differently, depending on the resource itself, and the backend used. For example, depending on whether a user is backed by local SQL or LDAP, the case-sensitivity can be different. When it is case-insensitive, the casing will be preserved. For instance, a project with the name "myProject" will not end up changing to either all lower or upper case.

Resources in keystone

Below are examples of case-insensitivity in keystone for users, projects, and roles.

Users

If a user with the name "MyUser" already exists, then the following call which creates a new user by the name of "myuser" will return a 409 Conflict:

POST /v3/users
{
    "user": {
        "name": "myuser"
    }
}

Projects

If a project with the name "Foobar" already exists, then the following call which creates a new project by the name of "foobar" will return a 409 Conflict:

POST /v3/projects
{
    "project": {
        "name": "foobar"
    }
}

Project Tags

While project names are case-insensitive, project tags are case-sensitive. A tag with the value of mytag is different than MyTag, and both values can be stored in the same project.

Roles

Role names are case-insensitive. for example, when keystone bootstraps default roles, it creates "admin", "member", and "reader". If another role, "Member" (note the upper case 'M') is created, keystone will return a 409 Conflict since it considers the name "Member" equivalent to "member". Note that case is preserved in this event.

Note

As of the Rocky release, keystone will create three default roles when keystone-manage bootstrap is run: (admin, member, reader). For existing deployments, this can cause issues if an existing role matches one of these roles. Even if the casing is not an exact match (member vs Member), it will report an error since roles are considered case-insensitive.

Backends

For each of these examples, we will refer to an existing project with the name "mYpRoJeCt" and user with the name "mYuSeR". The examples here are exaggerated to help display the case handling for each backend.

MySQL & SQLite

By default, MySQL/SQLite are case-insensitive but case-preserving for varchar. This means that setting a project name of "mYpRoJeCt" will cause attempting to create a new project named "myproject" to fail with keystone returning a 409 Conflict. However, the original value of "mYpRoJeCt" will still be returned since case is preserved.

Users will be treated the same, if another user is added with the name "myuser", keystone will respond with 409 Conflict since another user with the (same) name exists ("mYuSeR").

PostgreSQL

PostgreSQL is case-sensitive by default, so if a project by the name of "myproject" is created with the existing "mYpRoJeCt", it will be created successfully.

LDAP

By default, LDAP DNs are case-insensitive, so the example with users under MySQL will apply here as well.