Topic ocir user edit #350
base: development
Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA). To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application. When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated. If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.
| ocir_namespace_with_slash = format("%s/", local.ocir_namespace) | ||
| ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash)) | ||
| ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" | ||
| ocir_user = length(regexall("/", var.ocir_user)) > 0 ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" |
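Review bot: on the replaced `ocir_user` line, `length(regexall("/", var.ocir_user)) > 0` accepts a slash in any position, so `/myuser`, `myuser/` or a value with an empty segment is used unchanged, and a `{identity domain name}/{username}` value that the old `substr` comparison would have prefixed no longer gets the namespace. Add a comment above the expression stating the contract (any value containing `/` is used verbatim and must already start with the tenancy namespace), and consider a `validation` block on `var.ocir_user` that rejects empty path segments. If `ocir_user_starts_with` is referenced nowhere else it is now dead and can be removed, and the `"${format(...)}"` wrapper can be reduced to the bare `format(...)` call.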
If we merge this change, I think we will likely modify the description in oci-weblogic-server/terraform/schema.yaml, line 2596 in 2a6c88c (ocir_user:).
I think we can make that change in a separate PR, because that description needs to change anyways, because this part is not correct:
"If your tenancy is using Oracle Identity Cloud Service, use the format oracleidentitycloudservice/{username}."
Because the identity domain name can be different from oracleidentitycloudservice.
But also, this could be a change in behavior. If a user is already specifying the ocir user as mydomain/myuser, and we introduce this change, then provisioning will fail,
I have discussed with Adrian on this and had raised the same topic. This change is being done according to his proposal that if the customer is entering anything with a '/', then he has to enter all the details including the tenancy_namespace, domain name and the username.
We will have to make changes to our documentation as well accordingly for which I will be filing a doc bug.
This was discussed in the standup and I did get consensus from Abhi on the same.
roberto-sanchez-herrera left a comment
I had a chat with Adrian and he explained to me that the scenario I described was discussed, and it was agreed to break that scenario, which should be less common than the most common scenario of customers using only the user, without identity domain.
So I am approving it after Adrian explained all the details that were discussed previously.
| type: string | ||
| title: "Registry User Name" | ||
| description: "The user name to access the Oracle Cloud Infrastructure Registry (OCIR) for deploying autoscaling OCI functions, which has the format {identity domain name}/{username}. If your tenancy is using Oracle Identity Cloud Service, use the format oracleidentitycloudservice/{username}." | ||
| description: "The user name to access the Oracle Cloud Infrastructure Registry (OCIR) for deploying autoscaling OCI functions, which has the format either {username} or {tenancy_namespace}/{identity domain name}/{username}. If your tenancy is using Oracle Identity Cloud Service, use the format {tenancy_namespace}/oracleidentitycloudservice/{username}." |
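Review bot: the new description lists only `{username}` and `{tenancy_namespace}/{identity domain name}/{username}` and never says that any value containing `/` is used exactly as entered, so a reader who still follows the old `{identity domain name}/{username}` format gets no hint that the namespace is no longer added for them. State that rule explicitly, mention the two-part `{tenancy_namespace}/{username}` form if it is meant to be supported, and reword "has the format either" to "has one of the formats".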
I suggest something like this:
"The user name to access the Oracle Cloud Infrastructure Registry (OCIR) for deploying autoscaling OCI functions. If the user is in an identity domain, use the format {tenancy_namespace}/{identity domain name}/{username}, otherwise use the format {username}. If your tenancy is using Oracle Identity Cloud Service, use the format {tenancy_namespace}/oracleidentitycloudservice/{username}."
When the OCIR user is specified for a BOAT user (e.g. bmc_operator_access/myuser) for autoscaling, the tenancy namespace for the tenancy on which a WLS for OCI stack is applied is added to the user name (e.g. paasprodjcs/bmc_operator_access/myuser). Since the bmc_operator_access is the tenancy namespace, the addition of the additional tenancy namespace causes OCIR requests to fail.
With agreement from the proposal suggested by Adrian, we are going with the following change -
If the ocir_username entered contains '/', then we assume that the customer has entered the complete info including the tenancy_namespace, identity domain and the username.
If the ocir_username doesn't have a '/', then we append the namespace to it.
Testing -
a.) Created a stack with the tenancy namespace added. - Podman login was successful and the namespace was not appended again.
b.) Created a stack without the namespace in the ocir_user variable - Stack provisioning did append the namespace and in our case it was the tenancy namespace where the stack is created
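The behaviour change discussed in this thread, as an added example that is not part of the PR or the project's code: a provider-free Terraform configuration that applies the old prefix rule and the new slash rule to constructed user names and flags malformed values. The sample inputs, the `samples`, `before`, `after` and `well_formed` names, and the segment check are assumptions made for illustration; `paasprodjcs` is the namespace used in the PR description.

```hcl
# Added illustration; run with `terraform init && terraform apply` (no providers needed).
locals {
  ocir_namespace            = "paasprodjcs" # sample namespace from the PR description
  ocir_namespace_with_slash = format("%s/", local.ocir_namespace)

  # Constructed sample values for var.ocir_user.
  samples = [
    "myuser",                                        # bare user name
    "bmc_operator_access/myuser",                    # BOAT user: namespace/user
    "mydomain/myuser",                               # identity domain/user, no namespace
    "paasprodjcs/oracleidentitycloudservice/myuser", # fully qualified
    "/myuser",                                       # malformed: empty first segment
  ]

  # Old rule: prefix unless the value already starts with "<namespace>/".
  before = {
    for u in local.samples : u => (
      substr(u, 0, length(local.ocir_namespace_with_slash)) == local.ocir_namespace_with_slash
      ? u : format("%s%s", local.ocir_namespace_with_slash, u)
    )
  }

  # New rule from this PR: any "/" means the value is used verbatim.
  after = {
    for u in local.samples : u => (
      length(regexall("/", u)) > 0 ? u : format("%s%s", local.ocir_namespace_with_slash, u)
    )
  }

  # Hypothetical guard: one to three non-empty segments, no leading or trailing "/".
  well_formed = {
    for u in local.samples : u => can(regex("^[^/]+(/[^/]+){0,2}$", u))
  }
}

output "ocir_user_resolution" {
  value = {
    for u in local.samples : u => {
      before      = local.before[u]
      after       = local.after[u]
      well_formed = local.well_formed[u]
    }
  }
}
```

Rows where `before` and `after` differ are the inputs whose login name changes with this PR; the `mydomain/myuser` row is the scenario the reviewers agreed to break.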