<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 26, 2017 at 10:21 AM, Sean Dague <span dir="ltr"><<a href="mailto:sean@dague.net" target="_blank">sean@dague.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 05/26/2017 10:44 AM, Lance Bragstad wrote:<br>
<snip><br>
<span class="gmail-">> Interesting - I guess the way I was thinking about it was on a per-token<br>
> basis, since today you can't have a single token represent multiple<br>
> scopes. Would it be unreasonable to have oslo.context build this<br>
> information based on multiple tokens from the same user, or is that a<br>
> bad idea?<br>
<br>
</span>No service consumer is interacting with Tokens. That's all been<br>
abstracted away. The code in the consumers consumer is interested in is<br>
the context representation.<br>
<br>
Which is good, because then the important parts are figuring out the<br>
right context interface to consume. And the right Keystone front end to<br>
be explicit about what was intended by the operator "make jane an admin<br>
on compute in region 1".<br>
<br>
And the middle can be whatever works best on the Keystone side. As long<br>
as the details of that aren't leaked out, it can also be refactored in<br>
the future by having keystonemiddleware+oslo.<wbr>context translate to the<br>
known interface.<br></blockquote><div><br></div><div>Ok - I think that makes sense. So if I copy/paste your example from earlier and modify it a bit ( s/is_admin/global/)::</div><div><br></div><div><span style="font-size:12.8px">{</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "user": "me!",</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "global": True,</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "roles": ["admin", "auditor"],</span><br style="font-size:12.8px"><span style="font-size:12.8px"> ....</span><br style="font-size:12.8px"><span style="font-size:12.8px">}</span><br></div><div><br></div><div>Or</div><div><br></div><div><span style="font-size:12.8px">{</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "user": "me!",</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "global": True,</span><br style="font-size:12.8px"><span style="font-size:12.8px"> "roles": ["reader"],</span><br style="font-size:12.8px"><span style="font-size:12.8px"> ....</span><br style="font-size:12.8px"><span style="font-size:12.8px">}</span><br></div><div> </div><div>That might be one way we can represent global roles through oslo.context/keystonemiddleware. The library would be on the hook for maintaining the mapping of token scope to context scope, which makes sense:</div><div><br></div><div>if token['is_global'] == True:</div><div> context.global = True</div><div>elif token['domain_scoped']:</div><div> # domain scoping?</div><div>else:</div><div> # handle project scoping</div><div><br></div><div>I need to go dig into oslo.context a bit more to get familiar with how this works on the project level. Because if I understand correctly, oslo.context currently doesn't relay global scope and that will be a required thing to get done before this work is useful, regardless of going with option #1, #2, and especially #3.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
-Sean<br>
<br>
--<br>
Sean Dague<br>
<a href="http://dague.net" rel="noreferrer" target="_blank">http://dague.net</a><br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
</div></div></blockquote></div><br></div></div>