<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 23, 2014 at 1:03 AM, Fei Long Wang <span dir="ltr"><<a href="mailto:feilong@catalyst.net.nz" target="_blank">feilong@catalyst.net.nz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Greetings,<br>
<br>
I'm trying to figure out if Keystone can support more granular role<br>
management or if there is any plan to do that in the future. Currently,<br>
AWS can support adding a role and assigning the capability from 3<br>
different level/perspective: service, function and resource[1]. Keystone<br>
can support the service level for now, but I didn't find the<br>
function/resource level support from current code/blueprint. Am I<br>
missing anything? Any comment is appreciated. Cheers.<br></blockquote><div><br></div><div>Absolutely, but Keystone does not own the "definition" of the role (its capabilities), which is distributed throughout the other services. So while you can create a role in Keystone and assign it to users however you'd like, you also have to give that role capabilities by defining policy rules in the other services. For example, in nova's policy.json:</div>
<div><br></div><div> <a href="https://github.com/openstack/nova/blob/master/etc/nova/policy.json">https://github.com/openstack/nova/blob/master/etc/nova/policy.json</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
[1] <a href="http://awspolicygen.s3.amazonaws.com/policygen.html" target="_blank">awspolicygen.s3.amazonaws.com/policygen.html</a><br>
<br>
--<br>
Cheers & Best regards,<br>
Fei Long Wang (王飞龙)<br>
--------------------------------------------------------------------------<br>
Senior Cloud Software Engineer<br>
Tel: <a href="tel:%2B64-48032246" value="+6448032246">+64-48032246</a><br>
Email: <a href="mailto:flwang@catalyst.net.nz">flwang@catalyst.net.nz</a><br>
Catalyst IT Limited<br>
Level 6, Catalyst House, 150 Willis Street, Wellington<br>
--------------------------------------------------------------------------<br>
<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br></div></div>
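As an added example (not code from this thread, from Keystone or from nova), a small hand-written evaluator for the rule syntax used in files like nova's policy.json, showing how a role that is only a name in Keystone gains capabilities solely through the rules each service defines. The sample policy and the "operator" role are constructed for illustration; the real oslo.policy engine supports more than this subset (parentheses, generic and HTTP checks).

```python
import json
import re

# Constructed sample in the style of nova's policy.json (not the real file).
# A custom "operator" role (a plain role name assigned in Keystone) gains
# the start capability here only because these rules say so; delete stays
# with admins or the owning project, evacuate with admins.
SAMPLE_POLICY = json.loads("""{
  "admin_required": "role:admin",
  "owner": "project_id:%(project_id)s",
  "admin_or_owner": "rule:admin_required or rule:owner",
  "compute:start": "role:operator or rule:admin_or_owner",
  "compute:delete": "rule:admin_or_owner",
  "compute_extension:evacuate": "rule:admin_required"
}""")


def check_rule(rule, policy, creds, target):
    """Evaluate one policy.json rule string (simplified, hand-written).

    Supports 'role:NAME', 'rule:NAME', 'ATTR:%(key)s' comparisons of a
    token attribute against the target object, '@' (always), '!' (never),
    and 'or'/'and' where 'and' binds tighter. No parentheses.
    """
    rule = rule.strip()
    if " or " in rule:
        return any(check_rule(p, policy, creds, target) for p in rule.split(" or "))
    if " and " in rule:
        return all(check_rule(p, policy, creds, target) for p in rule.split(" and "))
    if rule == "@":
        return True
    if rule in ("!", ""):
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":  # named rule defined elsewhere in the same file
        return check_rule(policy.get(value, "!"), policy, creds, target)
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:  # e.g. project_id:%(project_id)s -> token attr vs target attr
        return str(creds.get(kind)) == str(target.get(m.group(1)))
    return str(creds.get(kind)) == value  # literal attribute match


def enforce(action, creds, target, policy=SAMPLE_POLICY):
    """True if the token satisfies the rule for `action`; unknown actions are denied."""
    return check_rule(policy.get(action, "!"), policy, creds, target)
```

An "operator" token can start any server but cannot delete one it does not own, while an owner without any special role can delete its own server; the difference comes entirely from the service's rules, not from Keystone.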