Page MenuHomePhabricator
Create Task
Maniphest T274268

Wind down use of project ID and project name equivalency in OpenStack
Closed, ResolvedPublic
Actions

Description

Since we have a very old system that has continuously operated for some time and a variety of assumptions and existing policies around access, we have depended on diverging from the upstream OpenStack practice of using random hash IDs for projects instead of assigning a specific value as the project ID (we use the project name). Over time this ended up requiring us to patch the actual code files (with a very small change) to keep doing what was abandoned upstream.

It's about time we started to actually remove dependencies on this in our code and the setup in the environment to not require that. This should include trying to make it so that we can still use project names and not have to manually look up ids, hopefully. Most code that lists out things should be capable of doing this anyway. It may require us to look into setting up more implied roles/policies, TLS on keystone, etc.

The low hanging fruit should be tasks for reviewing openstack-focused scripts for dependency on the equivalency. Please update a list of these below:

  • nfs-exportd
  • wmcs-wikireplica-dns
  • wmfkeystonehooks
  • maintain-dbusers

Related Objects
Search...

Event Timeline

Bstorm created this task.Feb 9 2021, 4:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 9 2021, 4:20 PM
Bstorm moved this task from Inbox to Epics on the cloud-services-team (Kanban) board.Feb 9 2021, 4:21 PM
Bstorm added projects: Epic, Cloud-VPS.
Bstorm updated the task description. (Show Details)Feb 9 2021, 4:24 PM
Bstorm triaged this task as Medium priority.Feb 9 2021, 4:26 PM
dcaro subscribed.Feb 9 2021, 4:47 PM
Bstorm added a comment.EditedFeb 9 2021, 4:51 PM

One of the first things to understand here is why our CLI doesn't support names. Upstream docs suggest you can select one of --os-project-id OR --os-project-name. However, in our CLI, names just fail to select anything (you get empty results on list commands). That suggests to me that something in our policies prevent reading the name somehow.

dcaro awarded a token.Feb 10 2021, 2:58 PM
Andrew mentioned this in T274165: Keystone generates random ids for new projects, should use the name.Feb 10 2021, 4:23 PM
RhinosF1 subscribed.Feb 10 2021, 4:24 PM
taavi subscribed.Feb 23 2021, 1:09 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:45 PM
fnegri moved this task from Kanban to Epics on the cloud-services-team board.
Andrew subscribed.Jun 4 2024, 9:07 PM
In T274268#6815698, @Bstorm wrote:

One of the first things to understand here is why our CLI doesn't support names. Upstream docs suggest you can select one of --os-project-id OR --os-project-name. However, in our CLI, names just fail to select anything (you get empty results on list commands). That suggests to me that something in our policies prevent reading the name somehow.

I believe this is because the project id is already selected via the env, so overspecifying on the commandline is producing weird behavior. This should largely be sorted by further adoption of clouds.yaml https://phabricator.wikimedia.org/T337577

Andrew closed this task as Resolved.Jun 4 2024, 9:08 PM
Andrew claimed this task.

New projects will now be created with a uuid instead of an id == name. Existing projects will continue to have the same ID they've always had, which means all the scripts name-checked in the task description will keep working as before. If/when new projects are added to those scripts they will need to be added by ID rather than by name.

See for completed work on this topic.

taavi added a subtask: T366679: openstack-browser support for projects where id != name.Jun 5 2024, 11:48 AM
taavi edited subtasks, added: T343158: Support OpenStack projects where project name != project id; removed: T366679: openstack-browser support for projects where id != name.Jun 5 2024, 12:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits