Allow Retrieval of Default Domain Configuration Options

bp domain-config-default

Provide the ability for the default values for domain-configurable options to be retrieved via the API.

Problem Description

Domain specific option configuration via the API was introduced in Kilo:

This provides the CRUD mechanism to manage domain specific options. However, it is hard to build a good user interface for this without being able to show what the defaults are for the various options that can be configured via this mechanism. While this could be achieved by loading in the config file and processing it, a REST API approach is far more suitable for such an interface.

Proposed Change

This proposal will extend the domain config API to allow the retrieval of the default values for options that can be configured on a domain basis, allowing an administrator to then decide whether to use the default values or to override them.

It is worth stating that this proposal does not provide an ability to set the default values themselves - these can still only be changed via the main keystone configuration file.


Rather than provide a specific API to retrieve the defaults, we could modify the current API (which is marked as experimental) to simply return the current value for any option, whether it is the default or whether it has been set explicitly by the API for this domain. While this is perhaps simpler for those just reading the option values, it would complicate the semantics of the APIs to modify such options. For instance, you would somehow need to represent in the API the fact that if you deleted an option that was set for a domain, and then read it back, you would still get a value…it would just be the default value.

Data Model Impact



The exact API specification will be defined as part of a review of changes to the Identity API.

Security Impact

This functionality exposes a new API to the backend configuration data for a domain. Like any other v3 API, it will be subject to the standard RBAC permissions model.

Notifications Impact


Other End User Impact


Performance Impact


Other Deployer Impact


Developer Impact




Primary assignee:


Work Items

  • Implement the domain configuration code

  • Add support to keystoneclient library

  • Add support to openstack client

The work for supporting this API in Horizon will be proposed separately.




None, above and beyond unit testing

Documentation Impact

Changes to the Identity API and configuration.rst.