[openstack-dev] Questions about token scopes
mriedemos at gmail.com
Wed May 30 13:47:50 UTC 2018
I know the keystone team has been doing a lot of work on scoped tokens
and Lance has been trying to roll that out to other projects (like nova).
In Rocky the nova team is adding granular policy rules to the placement
API  which is a good opportunity to set scope on those rules as well.
For now, we've just said everything is system scope since resources in
placement, for the most part, are managed by "the system". But we do
have some resources in placement which have project/user information in
them, so could theoretically also be scoped to a project, like GET
While going through this, I've been hammering Lance with questions but I
had some more this morning and wanted to send them to the list to help
spread the load and share the knowledge on working with scoped tokens in
the other projects.
So here goes with the random questions:
* devstack has the admin project/user - does that by default get system
scope tokens? I see the scope is part of the token create request 
but it's optional, so is there a default value if not specified?
* Why don't the token create and show APIs return the scope?
* It looks like python-openstackclient doesn't allow specifying a scope
when issuing a token, is that going to be added?
The reason I'm asking about OSC stuff is because we have the
osc-placement plugin  which allows users with the admin role to work
with resources in placement, which could be useful for things like
fixing up incorrect or leaked allocations, i.e. fixing the fallout of a
bug in nova. I'm wondering if we define all of the placement API rules
as system scope and we're enforcing scope, will admins, as we know them
today, continue to be able to use those APIs? Or will deployments just
need to grow a system-scope admin project/user and per-project admin
users, and then use the former for working with placement via the OSC
More information about the OpenStack-dev