openstack/puppet-keystone
Code Issues Proposed changes
9f8d2341e4
puppet-keystone/releasenotes/notes/support_multi_domain-bd04f18aa7913eaa.yaml
Sofer Athlan-Guyot 64100bb284 Remove user/role prefetch to support multi-domain. 
In keystone when the multi-domain configuration is enable, listing all
the user is no longer supported.  You have to specify the domain.  The
rational is that some domain will have LDAP backend (possibly AD) with
tons of users.  Listing them all would not be reliable.

The prefetch feature in puppet needs to know all users and create an
associated object.  This is not a good idea when the number of user is
too high.  Thus the removal of this is necessary.  The rational for
using prefetch is that checking all items in one go "cost" less than
fetching individual information.  As the number of user defined in the
catalog is likely to be less than the number of user in the keystone db,
this seems dubious that this would be case here, hence the removal.

As a consequence the keystone_user_role needs prefetch removal as well.
It actually greatly simplify the code.  A cache is made for user and
project id to minimize the number of requests to the minimum.

Closes-Bug: 1554555
Closes-Bug: 1485508

Depends-On: I5b334e3ffd26df4ba8584d77a5e41b56e73536c8
Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29
2016-04-14 11:37:43 +02:00

22 lines
916 B
YAML
Raw Blame History

---
prelude: >
Support for multi-domain has been added. You can configure LDAP
identity drivers along with the sql, and have multi-domain
working.
features:
- Support for multi-domain;
- Remove prefetch in keystone_user/keystone_user_role
upgrade:
- The prefetch and associated instances class function removal
could impact users that somehow use the command `puppet resource
keystone_user` or `puppet resource keystone_user_role` in
production. Those commands won't work anymore. Directly use
the associated `openstack` commands to get the same effect.
fixes:
- Fixes `bug 1554555
<https://bugs.launchpad.net/puppet-keystone/+bug/1554555>`__ so
openstack cli provider needs to pass domain in v3 calls
- Fixes `bug 1485508
<https://bugs.launchpad.net/puppet-keystone/+bug/1485508>`__ so
when domain_specific_drivers_enabled=True keystone_user provider fails.
View Git Blame Copy Permalink