[openstack-dev] [Keystone] Domains, Projects, and Groups are all collections

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jan 23 20:32:47 UTC 2013

On 23/01/2013 20:23, Adam Young wrote:
> Selecting which attributes can be used for authorization purposes is
> part of what Keystone does,

This then is a critical defining aspect of an attribute is it not?

But how does Keystone control this? Presumably by only putting authz 
attributes in tokens and only telling CSPs about these attributes and 
not about other ones.



footnote. This is why attribute mapping is needed, in order to map from 
an attribute that the CSP does not know about into one(s) that it does 
know about, otherwise there is no point in the user having it.

More information about the OpenStack-dev mailing list