In preparation for future support for hierarchical naming of projects and domains, deprecate non url-safe names as well as optionally enforce url-safe names.
Once upon a time, in a release far away, there were just tenants in a flat namespace. It was natural that tenant names had to be unique keystone-wide. Subsequently we have added domains (to hold tenants, now called projects), which meant that project names had only to be unique within that domain. We now support hierarchies of projects (within a domain) and potentially may support hierarchies of domains above projects. However, our name uniqueness rules have not changed, so a project name must (effectively) be unique within its hierarchy, and domain names must still be unique keystone-wide. One main reason our rules have not changed is that we support scoping to domain and project by name.
Given this new hierarchy support, our naming rules will become increasingly onerous on customers. Not only for customer with deep project hierarchies, but also will complicate any support for domain hierarchies for resellers. In the future it would be ideal if you could address a node in a hierarchy with a url-style addressing scheme, for example:
{
"auth": {
"identity": {
...
},
"scope": {
"project": {
"domain": {
"name": "acme.com"
},
"name": "development/sas/myproject"
}
}
}
}
The same addressing scheme could also be used for domains, if we require support for domain hierarchies.
However, our current project and domain names are not url-safe, so we could not guarantee to support any particular hierarchical naming scheme without risk of breaking access to strangely named projects/domains.
It is proposed that we lay the groundwork to move to url-safe naming for all projects and domains. A url-safe name is defined as one that does not contain any of the reserved characters as defined in section 2.2 of rfc3986 <http://tools.ietf.org/html/rfc3986>_.
In particular, we would:
Future keystone releases would harden the above, moving towards a situation when the configuration options are eventually deprecated and url-safe naming is permanently enabled.
New features we release, for example domain hierarchies for resellers, could insist that the appropriate url-safe configuration option was enabled before that feature was supported.
To be clear, this proposal does not enable the actual use of hierarchical naming, rather it lays the groundwork for us to do so in the future.
This proposal does not preclude the use of unicode for project and domain names (since all the reserved characters are coded the same in ascii and unicode). However, to utilize such an extended character set for auth or searching by name would require additional changes (for encoding and decoding) which is outside of the scope of this proposal. By allowing unicode within the strict naming option defined here, we allow customer using unicode to “go strict” as soon as they can (and hence avoiding a further road block to us being able to deprecate unsafe names).
None
None
None
None
None
None
None
None, by default, although would require them to potentially rename projects or domains if they want to start enforcing url-safe naming.
None
None
None, above and beyond unit testing
Changes to the Identity API to clarify naming.
None