<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Wed, Nov 13, 2013 at 11:00 AM, David Chadwick <span dir="ltr"><<a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank">d.w.chadwick@kent.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Dolph<br>
<br>
I have one comment concerning Refactoring:<br>
role assignment tables in SQL backend should be unified into a SQL table which lacks referential integrity<br>
<br>
I am not quite sure what this means, but I did suggest creating an attribute definition table that would include the definitions of all Keystone authz attributes such as role, domain, project as well as identity attributes such as location, group, email address etc. Definitions would include such things as: delegatable or not, for keystone authz or not (see below). Once this table has been defined, then all user role assignments can be collapsed into one table (no need for separate role, domain tables etc) with the assigned attribute pointing to the entry in the definition table.<br>
<br>
Was this what your bullet point was referring to, or was it something different?<br></blockquote><div><br></div><div>I intended to leave the specific implementation details out of this document (they're already captured in the relevant etherpad), but yes -- that would be an improvement on the current table that fits the one liner in the gist. The additional features (such as "delegatable") would require a subsequent discussion / change.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Here is a strawman proposal<br>
<br>
Table name = Attribute<br>
id: the unique primary key<br>
Attribute name: (user friendly name e.g. role, domain, etc.)<br>
Attribute Ref: (global id of attribute such as OID or URL, as used by SAML and LDAP)<br>
Type: (authz or identity)<br>
Delegatable: [Yes|No]<br>
Values: [string|integer|Boolean]<br>
<br>
Now when you assign a role, domain, location, email address or any other attribute to a user a single assignment table can be used such as:<br>
<br>
Table name: Attribute Assignment<br>
id: the unique primary key of this assignment<br>
UserID: id of user this attribute is assigned to<br>
AttributeID: id of attribute from above table<br>
Value: the value of the assigned attribute<br>
<br>
you dont need to change the existing APIs and procedure calls, as they can be re-written to access the new tables.<br>
<br>
regards<br>
<br>
David<div><div class="h5"><br>
<br>
On 13/11/2013 16:04, Dolph Mathews wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
I guarantee there's a few things I'm forgetting, but this is my<br>
collection of things we discussed at the summit and determined to be<br>
good things to pursue during the icehouse timeframe. The contents<br>
represent a high level mix of etherpad conclusions and hallway meetings.<br>
<br>
<a href="https://gist.github.com/dolph/7366031" target="_blank">https://gist.github.com/dolph/<u></u>7366031</a><br>
<br>
Corrections and amendments appreciated - thanks!<br>
<br>
-Dolph<br>
<br>
<br></div></div>
______________________________<u></u>_________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.<u></u>org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack-dev</a><br>
<br>
</blockquote>
<br>
______________________________<u></u>_________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.<u></u>org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>