OpenStack Identity (keystone)

Adding Portable Identifiers to Entities

Registered by Ziad Sawalha on 2011-10-21

For entities like roles to be remain relevant across deployments, they need an identifier that remains the same in all deployments.

Use Case #1: the nova role of cloud_admin should have an identifier that can be referenced in all deployments of OpenStack. This will be needed for federation, where a query may be forwarded to a remote system; a query such as "Does this user have the cloud_admin role?"

Use Case #2: a bunch of VMs are moved from one cloud to another. The UUID may change, but there should be an identifier that get ported over with the VMs so they can still be uniquely identified.

For E2 it will be for users and tenants.

Blueprint information

Status:: Complete

Approver:: Ziad Sawalha

Priority:: High

Drafter:: Ziad Sawalha

Direction:: Approved

Assignee:: Dolph Mathews

Definition:: Approved

Series goal:: Accepted for essex

Implementation:: Implemented

Milestone target:: 2012.1

Started by: Joe Savak on 2011-12-06

Completed by: Ziad Sawalha on 2011-12-19

Related branches

Related bugs

Sprints

Whiteboard

Acceptance criteria:
    DB schema to add new UID columns as string to tenants, roles, users
    By default UID is set to UUID if not set.
    UID can be used in the restful services. UID returned back (integer not available through the API). Called ID in the API
    Manual SQLLite Migration script for Cactus Nova to Diablo Keystone created (dump and import)
    Manual SQLLite Migration script for Cactus Nova to Essex Keystone created (dump and import)
    Updates to the crud code to default the UID if a UID is not sent. UID = UUID by default.
    Tests created against null ids, and sending in UIDs
    Documentation on the difference between ID and UID.
    Update XSDs and WADLs if applicable.

Adding a 'uid' attribute (unique identifier) to the models listed below allows `name` attributes to become non-unique "display names" (if desired).

Entities:
- users
- tenants
- roles
- endpointtemplates

This attribute would then allow for multiple migrations paths to catch up to essex and to satisfy this blueprint:

- cactus deployments can populate their new 'uid' column with existing, unique 'name' values (strings).
- diablo deployments can populate their new 'uid' column with existing, unique 'id' values (auto-incremented integers).
- Going forward, essex deployments will populate the 'uid' column with uuid's, providing portability.

This `uid` attribute would be exposed through the API as the `id` attribute of the corresponding resource. Based on the rules above, existing users of either cactus or diablo deployments would remain unaffected.

Additionally, `uid` values should be guaranteed to be url-friendly (e.g. not require additional URL encoding/decoding). In other words, `uid == urlencode(uid)`. While the current backend-managed identifiers (integers) satisfy this issue, data imported from cactus deployments may not.

Gerrit topic: https://review.openstack.org/#q,topic:bp/portable-identifiers,n,z

Addressed by: https://review.openstack.org/2156
Implemented bp portable-identifiers for tenants

Addressed by: https://review.openstack.org/2157
Exposes tenant UID's (bp portable-identifiers)

Gerrit topic: https://review.openstack.org/#q,topic:bug/885426,n,z

Addressed by: https://review.openstack.org/3374
Migrated 'enabled' int columns to bool for postgres (bug 885426)

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information

Everyone can see this information.

Subscribers

Joe Savak