[openstack-dev] [Openstack-operators] [keystone][nova][cinder][glance][neutron][horizon][policy] defining admin-ness

Sean Dague sean at dague.net
Fri May 26 15:21:40 UTC 2017

On 05/26/2017 10:44 AM, Lance Bragstad wrote:
> Interesting - I guess the way I was thinking about it was on a per-token
> basis, since today you can't have a single token represent multiple
> scopes. Would it be unreasonable to have oslo.context build this
> information based on multiple tokens from the same user, or is that a
> bad idea?

No service consumer is interacting with Tokens. That's all been
abstracted away. The code in the consumers is interested in
the context representation.

Which is good, because then the important parts are figuring out the
right context interface to consume. And the right Keystone front end to
be explicit about what was intended by the operator "make jane an admin
on compute in region 1".

And the middle can be whatever works best on the Keystone side. As long
as the details of that aren't leaked out, it can also be refactored in
the future by having keystonemiddleware+oslo.context translate to the
known interface.


Sean Dague
