<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<meta name="Generator" content="Microsoft Word 12 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:Wingdings;

        panose-1:5 0 0 0 0 0 0 0 0 0;}

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:11.0pt;

        font-family:"Calibri","sans-serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph

        {mso-style-priority:34;

        margin-top:0in;

        margin-right:0in;

        margin-bottom:0in;

        margin-left:.5in;

        margin-bottom:.0001pt;

        font-size:11.0pt;

        font-family:"Calibri","sans-serif";}

span.apple-style-span

        {mso-style-name:apple-style-span;}

span.EmailStyle19

        {mso-style-type:personal;

        font-family:"Calibri","sans-serif";

        color:windowtext;}

span.EmailStyle20

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

/* List Definitions */

@list l0

        {mso-list-id:1171916525;

        mso-list-type:hybrid;

        mso-list-template-ids:-811695358 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}

@list l0:level1

        {mso-level-tab-stop:none;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level2

        {mso-level-tab-stop:1.0in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level3

        {mso-level-tab-stop:1.5in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level4

        {mso-level-tab-stop:2.0in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level5

        {mso-level-tab-stop:2.5in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level6

        {mso-level-tab-stop:3.0in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level7

        {mso-level-tab-stop:3.5in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level8

        {mso-level-tab-stop:4.0in;

        mso-level-number-position:left;

        text-indent:-.25in;}

@list l0:level9

        {mso-level-tab-stop:4.5in;

        mso-level-number-position:left;

        text-indent:-.25in;}

ol

        {margin-bottom:0in;}

ul

        {margin-bottom:0in;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="EN-US" link="blue" vlink="purple" style="word-wrap: break-word;-webkit-nbsp-mode: space;-webkit-line-break: after-white-space">

<div class="WordSection1">

<p class="MsoNormal"><span style="color:#1F497D">Hi Joe/Dolph,<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">>>We do need to come up with a suggested default implementation - given that users are not segmented into domains, what would you suggest?<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D">I think it is good that we can encapsulate the concept of isolation (or lack thereof) within RBAC rather than via API (+1 for that 

</span><span style="font-family:Wingdings;color:#1F497D">J</span><span style="color:#1F497D">).  That said, I think it is worth-while to demonstrate (e.g.,  via a sample RBAC rule) how we can achieve isolation (for tenant, we do already; but also for users). 

 An isolation use-case would be where one would want a user created in one domain to be not modifiable (or readable)  by a domain-admin in another domain.

<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D">Thanks,<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D">Liem<o:p></o:p></span></p>

<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>

<div>

<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Joseph Heck [mailto:heckj@me.com]

<br>

<b>Sent:</b> Sunday, June 10, 2012 1:37 PM<br>

<b>To:</b> Nguyen, Liem Manh<br>

<b>Cc:</b> openstack@lists.launchpad.net (openstack@lists.launchpad.net); Dolph Mathews<br>

<b>Subject:</b> Re: [Openstack] [openstack][keystone] v3 API question<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

<div>

<div>

<p class="MsoNormal">On Jun 8, 2012, at 8:38 PM, Dolph Mathews wrote:<o:p></o:p></p>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<div>

<div>

<p class="MsoNormal"><span class="apple-style-span">On Jun 8, 2012, at 6:47 PM, "Nguyen, Liem Manh" <<a href="mailto:liem_m_nguyen@hp.com">liem_m_nguyen@hp.com</a>> wrote:</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<div>

<p class="MsoNormal">Hi Joe/Dolph,<o:p></o:p></p>

<p class="MsoNormal"> <o:p></o:p></p>

<p class="MsoNormal">I have a few questions on the v3 API’s create_user (sorry the comments section in the Google docs is getting pretty cluttered now):<o:p></o:p></p>

<p class="MsoNormal"> <o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">(POST) /users ==> create_user</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">{</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">" tenant_id": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">"name": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">"password": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">"enabled": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">"email": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">"description": ...</span><o:p></o:p></p>

<p class="MsoNormal"><span style="color:#5F497A">}</span><o:p></o:p></p>

<p class="MsoNormal"> <o:p></o:p></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">      

</span></span><![endif]>Does this tenant_id option establish the default tenancy of the created user?

<o:p></o:p></p>

</div>

</blockquote>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Yes.<o:p></o:p></span></p>

</div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>

<br>

<o:p></o:p></span></p>

<div>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">      

</span></span><![endif]>If it does, is this default tenancy immutable or mutable?  If it is mutable, who (what role) can change it and via what API?<o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">Should be mutable by admins, via the admin API, as it's just a regular attribute of the user and the keystone "admin" concept currently applies to the entire deployment.<o:p></o:p></span></p>

</div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>

<br>

<o:p></o:p></span></p>

<div>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">      

</span></span><![endif]>What is the intended purpose of a user’s default tenancy?  Is the default tenancy association intended to link a user to a given domain (rather than the normal user-tenant role association)?<o:p></o:p></p>

</div>

</div>

</blockquote>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">To be a little more explicit about the "default tenant" thing - it's used so that the user can give a "username/password" pair to the POST to /token and get a token scoped

 to a tenant without the user asserting which tenant it wishes to use.<o:p></o:p></span></p>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>

<br>

<o:p></o:p></span></p>

<div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">"Auto-scoping" the user's context, when a tenant is not explicitly specified during auth.<o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">I can't fairly answer the second question because the idea of domains wasn't around at the time. However, if you replace the term "domain" with "tenant", I'd say yes.<o:p></o:p></span></p>

</div>

</div>

<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>

<br>

<o:p></o:p></span></p>

<div>

<p class="MsoNormal"> <o:p></o:p></p>

<p class="MsoNormal">The reason I am asking this is that I would like to know what level of isolation (if any) we can establish for users that are homed to different domains…  So, for example, an isolation would be that a user A with a default tenancy in domain

 X may not be modified or deleted by a domain-admin in domain Y, even when user A has tenant membership in domain Y.<o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">I think that's an issue best solved per-deployment by robust RBAC, rather than being hardcoded either way.<o:p></o:p></span></p>

</div>

</div>

</blockquote>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">I agree with Dolph - since domains don't segment users, only tenants - then the choice is really driven by RBAC, which can be encapsulated in rules. None of the API defined

 in the v1 draft currently even hints at what RBAC might be wrapped around each of the calls, but all of those calls can and should be wrapped as actions and defined in the policy.json file. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">We do need to come up with a suggested default implementation - given that users are not segmented into domains, what would you suggest?<o:p></o:p></span></p>

</div>

</div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>

</div>

</div>

</body>

</html>