[openstack-dev] [keystone] Service scoped role definition

Tiwari, Arvind arvind.tiwari at hp.com
Tue Dec 10 16:42:49 UTC 2013


Hi David,

I am cool with the proposal, just wanted to grab your attention on my question which I asked in my last email (which is below).

Q. What if two (or more) endpoints want to have the same role_name for a service (nova.east.admin, nova.west.admin, nova.north.admin .....)?

(Can we think of adding an optional endpoint_id attribute to the role data model to allow such roles, which is also needed to envision endpoint-scoped tokens for our use case?)

 {
     "role": {
       "id": "76e72a",
       "domain_id": "--id--",        (optional, if present, role is named by specific domain)
       "project_id": "--id--",       (optional, if present, role is named by project)
       "service_id": "--id--",       (optional, if present, role is named by service)
       "endpoint_id": "--id--",      (optional, if present, role is named by endpoint)
       "name": "---role_name---",    (must be unique when combined with domain, project, service and endpoint ids)
       "scope": {
          "id": "---id---",          (resource_id)
          "type": "service | file | domain etc.",
          "endpoint": "---endpoint---"
       }
     }
 }

For Adam's question "We are not linking role names to service id." (email attached):
AT: These attributes are all optional and will not stop anyone who doesn't want to include service_id (or any other attribute) for role name uniqueness. So if a particular deployment wants to keep just the role name unique, this model will not restrict you.

Thoughts? 



Thanks,
Arvind



-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk] 
Sent: Tuesday, December 10, 2013 1:30 AM
To: Adam Young; Tiwari, Arvind; OpenStack Development Mailing List (not for usage questions)
Cc: Henry Nash; dolph.mathews at gmail.com; Yee, Guang
Subject: Re: [openstack-dev] [keystone] Service scoped role definition

How about the following, which clearly separates naming and scoping
constraints:

 {
     "role": {
       "id": "76e72a",
       "domain_id": "--id--",        (optional, if present, role is named by specific domain)
       "project_id": "--id--",       (optional, if present, role is named by project)
       "service_id": "--id--",       (optional, if present, role is named by service)
       "name": "---role_name---",    (must be unique when combined with domain, project and service ids)
       "scope": {
          "id": "---id---",          (resource_id)
          "type": "service | file | domain etc.",
          "endpoint": "---endpoint---"
       }
     }
 }

regards

David
-------------- next part --------------
An embedded message was scrubbed...
From: Adam Young <ayoung at redhat.com>
Subject: Re: [openstack-dev] [keystone] Service scoped role definition
Date: Tue, 10 Dec 2013 03:02:58 +0000
Size: 16632
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131210/047bf015/attachment.mht>
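As an added example (not code from this thread or from Keystone itself), the following sketch enforces the naming rule discussed above: a role name must be unique only in combination with whichever of the optional domain_id / project_id / service_id / endpoint_id attributes are present, so three nova endpoints can each carry their own "admin" while a deployment that sets none of the ids still gets plain role-name uniqueness. The RoleRegistry class, the naming_key helper and the sample role records are assumptions constructed for illustration.

```python
# Added illustration of the uniqueness rule from the proposed role model.
# RoleRegistry, naming_key and the sample records below are assumptions,
# not Keystone code.

NAMING_ATTRS = ("domain_id", "project_id", "service_id", "endpoint_id")


def naming_key(role):
    """Tuple that identifies a role name within its naming constraints.

    Attributes that are absent or None do not take part in the key, so a
    deployment that sets none of them falls back to plain name uniqueness.
    """
    return (role["name"],) + tuple(role.get(a) for a in NAMING_ATTRS)


class RoleRegistry:
    """In-memory stand-in for the role table; rejects naming collisions."""

    def __init__(self):
        self._by_key = {}

    def add(self, role):
        key = naming_key(role)
        if key in self._by_key:
            raise ValueError(
                "role name %r already exists under the same domain/project/"
                "service/endpoint constraints" % role["name"])
        self._by_key[key] = role
        return role


def demo():
    """Returns True when the model behaves as the thread describes."""
    reg = RoleRegistry()
    # Constructed sample: the same "admin" role for three nova endpoints.
    reg.add({"id": "r1", "name": "admin", "service_id": "nova", "endpoint_id": "east"})
    reg.add({"id": "r2", "name": "admin", "service_id": "nova", "endpoint_id": "west"})
    reg.add({"id": "r3", "name": "admin", "service_id": "nova", "endpoint_id": "north"})
    # A deployment that ignores the optional ids keeps plain-name uniqueness,
    # so a second bare "member" must be rejected.
    reg.add({"id": "r4", "name": "member"})
    try:
        reg.add({"id": "r5", "name": "member"})
    except ValueError:
        return True
    return False
```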