keystone/releasenotes/notes/bug-1794527-866b1caff67977f3.yaml
Adam Young 4cd99e7197 Allow an explicit_domain_id parameter when creating a domain
This allows domain_ids to match across distinct Keystone
deployments. The domain_id is used to create unique
identifiers with the mapping backend.  When this
option is used, mapped user identifiers can be
consistent across different Keystone servers.

closes-bug: 1794527

Change-Id: I100bca162e71a9d394ed5787b976b13b1e57987f
2019-04-09 16:29:52 +00:00

21 lines
1.0 KiB
YAML

---
features:
  - |
    Allow the creating of a domain with the additional, optional
    parameter of `explicit_domain_id` instead of auto-creating a
    domain_id from a uuid.

    When keeping two Keystone servers in sync, but avoiding Database
    replication, it was often necessary to hack the database to update
    the Domain ID so that entries match. Domain ID is then used for
    LDAP mapped IDs, and if they don't match, the user IDs are
    different. It should be possible to add a domain with an explicit
    ID, so that the two servers can match User IDs.

    The reason that the variable name is not simply `domain_id` is
    twofold: First to keep people from thinking that this is a required, or
    at least suggested field. Second, to prevent copy errors when
    creating a new domain, where the domain_id would be copied in from
    the old one, and having spurious failures, or undesired domain_id
    matching.
    https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/explicit-domains-ids.html
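
Why the domain ID has to match, as an added example that is not part of the release note or of Keystone's code: it assumes the mapped user ID is a SHA-256 digest over the domain ID, the LDAP-side local ID and the entity type, which is a simplified model of a mapping backend. The function names, the LDAP DN and the shared domain ID are constructed for illustration.

```python
import hashlib
import uuid


def generate_public_id(mapping):
    """Digest the mapping values in sorted-key order (assumed scheme)."""
    digest = hashlib.sha256()
    for key in sorted(mapping):
        digest.update(mapping[key].encode("utf-8"))
    return digest.hexdigest()


def mapped_user_id(domain_id, local_id):
    """Public user ID that one deployment would hand out for an LDAP entry."""
    return generate_public_id(
        {"domain_id": domain_id, "local_id": local_id, "entity_type": "user"}
    )


def compare_deployments(local_id, domain_id_a, domain_id_b):
    """Derive the same LDAP user's ID on two servers and report whether they agree."""
    id_a = mapped_user_id(domain_id_a, local_id)
    id_b = mapped_user_id(domain_id_b, local_id)
    return {"server_a": id_a, "server_b": id_b, "match": id_a == id_b}


# Constructed sample values, not taken from any real deployment.
LDAP_USER = "uid=alice,ou=people,dc=example,dc=org"
SHARED_DOMAIN_ID = "0f3c5a1e9b7d4c2a8e6f1a2b3c4d5e6f"

if __name__ == "__main__":
    # Each server auto-creates its own uuid domain_id: the user IDs diverge.
    auto = compare_deployments(LDAP_USER, uuid.uuid4().hex, uuid.uuid4().hex)
    # Both servers create the domain with the same explicit ID: the user IDs agree.
    explicit = compare_deployments(LDAP_USER, SHARED_DOMAIN_ID, SHARED_DOMAIN_ID)
    print("auto-generated domain IDs match:", auto["match"])
    print("explicit domain ID matches:     ", explicit["match"])
```

A divergence like the first case is what makes role assignments or audit records keyed on a user ID fail to line up between two servers that read the same LDAP directory.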