[openstack-dev] [Keystone] Domains, Projects, and Groups are all collections
d.w.chadwick at kent.ac.uk
Wed Jan 23 20:32:47 UTC 2013
On 23/01/2013 20:23, Adam Young wrote:
> Selecting which attributes can be used for authorization purposes is
> part of what Keystone does,
This then is a critical defining aspect of an attribute is it not?
But how does Keystone control this? Presumably by only putting authz
attributes in tokens and only telling CSPs about these attributes and
not about other ones.
footnote. This is why attribute mapping is needed, in order to map from
an attribute that the CSP does not know about into one(s) that it does
know about, otherwise there is no point in the user having it.
More information about the OpenStack-dev