Allow admin to specify project id on creation
If a project or domain is deleted, this will allow the re-creation of
the domain, or at least a reasonable facimile of it. The new domain
or project can have the same ID as an existing one, an thus can be
enabled, and a user can get a token scoped to that domain or project.
Since Fernet tokens have been developed it becomes possible
to implement pure multi-region architecture.
It is necessary to have same role IDs, same Project IDs and same
User IDs in all regions.
Fernet keys should be the same across the regions as well.
In this case a user may generate the token in one region and present it
to any service in any region, and tis token will be successfully validated
by any Keystone.
This approach allows to operate in different regions with much more flexibility
since the user doesn't have to communicate with different endpoints anymore.
Horizon will allow to operate in different regions within one session as well.
It would be pretty easy to pre-create projects and assignments based on
the remote groups (LDAP), but there is a key problem.
Main problem at the moment - it is impossible to create same IDs of the projects
if Keystone v3 API is used since Project ID is always been generated
(in v2 though it was possible to set project ID upon creation).
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Alexander Makarov
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
- Lance Bragstad
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Allow admin to specify project id on creation
(lbragstad) 19-02-13: Marking this as obsolete based on the last few comments of the specification up for review [0]. If you'd like to continue the discussion, please reopen the specification.