[openstack-dev] [keystone] Inherited domain roles

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jun 19 17:14:14 UTC 2013


Hi Adam

As I said in a previous post (to which Henry replied "but unfortunately 
that is not the way Keystone currently works", my paraphrase), we should 
not even be assigning roles to users to projects, as this is mixing up 
user-role assignments and permission-role assignments. We/keystone 
should simply be assigning roles to users. The service will then assign 
the permissions to the roles that it wants to, and I am sure that most 
of the complexity you are now trying to grapple with will go away, 
because there will be no limitations on where the roles can be used. It's 
up to the service to decide if a role has permissions or not.

I appreciate that this is not the way that Keystone currently works, and 
you may not have time to change it for Havana, but rather than trying to 
add more complexity to solve its current skewed model, why not try to 
advance down an alternative path that veers towards the classical clean 
RBAC model and simplification of the role assignment problem? And target 
Ice for the introduction of the revised model.

regards

David

On 19/06/2013 15:36, Adam Young wrote:
> So I'd like to redefine the problem definition here:
>
> "Provide a mechanism by which role assignments can be specified for more
> than one project."
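A toy model of the separation argued for above, added here as an illustration (not code from the thread or from Keystone): the identity side holds only user-role assignments, each service holds its own permission-role assignments, and the user, role, service and permission names are constructed.

```python
# Toy model of the separation David argues for: the identity service holds only
# user-role assignments (UA); each service holds its own permission-role
# assignments (PA) and decides what a role means to it. All names are constructed.
from dataclasses import dataclass, field


@dataclass
class IdentityService:
    """Keystone-like side: records who holds which role; knows nothing about permissions."""
    ua: dict = field(default_factory=dict)  # user -> set of role names

    def assign(self, user: str, role: str) -> None:
        self.ua.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.ua.get(user, set()).discard(role)

    def roles_of(self, user: str) -> frozenset:
        """What a token would carry: role names only, no project scope."""
        return frozenset(self.ua.get(user, ()))


@dataclass
class Service:
    """Any service: maps roles to the permissions it chooses to grant them."""
    name: str
    pa: dict = field(default_factory=dict)  # role -> set of permissions

    def grant(self, role: str, permission: str) -> None:
        self.pa.setdefault(role, set()).add(permission)

    def authorize(self, token_roles, permission: str) -> bool:
        # A role this service never mapped in its PA grants nothing here.
        return any(permission in self.pa.get(r, ()) for r in token_roles)


def check(identity: IdentityService, service: Service, user: str, perm: str) -> bool:
    """Identity says which roles the user holds; the service decides what they allow."""
    return service.authorize(identity.roles_of(user), perm)


def demo() -> dict:
    identity, compute, image = IdentityService(), Service("compute"), Service("image")
    compute.grant("operator", "server:reboot")  # compute decides what 'operator' means
    image.grant("operator", "image:list")       # image decides independently
    identity.assign("alice", "operator")        # one UA entry, usable by every service
    identity.assign("bob", "auditor")           # no service maps 'auditor' -> no permissions
    results = {
        "alice_compute": check(identity, compute, "alice", "server:reboot"),  # True
        "alice_image": check(identity, image, "alice", "image:list"),         # True, same role
        "alice_image_reboot": check(identity, image, "alice", "server:reboot"),  # False
        "bob_compute": check(identity, compute, "bob", "server:reboot"),      # False
    }
    identity.revoke("alice", "operator")        # one revocation takes effect everywhere
    results["alice_after_revoke"] = check(identity, compute, "alice", "server:reboot")  # False
    return results
```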
