[openstack-dev] [keystone] Tenants and Roles and Delegation
David Chadwick
d.w.chadwick at kent.ac.uk
Wed Nov 14 17:34:17 UTC 2012
Hi everyone
continuing on from our discussions yesterday evening I have been trying
to follow through on precisely what are tenants and roles and how this
might affect our subsequent delegation work.
Tenants are the owners of cloud service resources: images, volumes, VM
instances, etc. There is a many to many mapping between users and
tenants. We say a user is a tenant.
Roles are attributes of users which give them permission to access cloud
service resources. There is a many to many mapping between users and
roles. We say a user possesses or has roles. Roles are unrelated to
tenants, in that users can be made tenants and given roles independently
of each other.
Q. Can users access cloud resources for which they are not the tenant
(i.e. owner) but for which they have a role?
A. Today they cannot. A user must be a tenant to be able to access a
cloud service.
But in the future they should be able to, via the process of delegation.
A user, who possesses a set of roles, should be able to delegate one or
more of these roles to another user who is not the same tenant. In other
words, delegation of roles is not only between users who are the same
tenants, but also between different tenants. Otherwise users would also
need to be able to delegate being tenants to each other, and this should
not be allowed.
Comments?
David
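As an added illustration of the relations and rules discussed in the message above (constructed model, not Keystone's own code): users and tenants are many-to-many, users and roles are many-to-many, today's rule requires membership of the owning tenant, and the proposed rule lets a held role be delegated to a user in a different tenant while tenancy itself is never delegable. The reading that a resource also needs a matching role, and that a delegated role only counts against tenants the delegator belongs to, are assumptions.

```python
class TenantRoleModel:
    """Constructed model: users are members of tenants and hold roles (both many-to-many)."""

    def __init__(self):
        self.members = {}      # user -> set of tenants the user "is a tenant" of
        self.roles = {}        # user -> set of roles the user "has"
        self.owner = {}        # resource -> (owning tenant, role needed to use it)
        self.delegations = []  # (delegator, delegate, role) records; roles only

    def add_user(self, user, tenants=(), roles=()):
        self.members[user] = set(tenants)
        self.roles[user] = set(roles)

    def add_resource(self, resource, tenant, role):
        self.owner[resource] = (tenant, role)

    def can_access_today(self, user, resource):
        # Current rule as described: the user must be a member of the owning
        # tenant; the role (assumed here to also be required) alone is not enough.
        tenant, role = self.owner[resource]
        return tenant in self.members.get(user, ()) and role in self.roles.get(user, ())

    def delegate(self, delegator, delegate, role):
        # Only roles the delegator actually holds are delegable. Tenancy is not
        # representable in a delegation record at all, so it cannot be delegated.
        if role not in self.roles.get(delegator, ()):
            raise PermissionError(f"{delegator} does not hold role {role!r}")
        self.delegations.append((delegator, delegate, role))

    def can_access_delegated(self, user, resource):
        # Proposed rule (assumption): a delegated role lets a user who is not a
        # member of the owning tenant act there, provided the delegator is a member.
        if self.can_access_today(user, resource):
            return True
        tenant, role = self.owner[resource]
        return any(
            d_role == role and tenant in self.members.get(delegator, ())
            for delegator, delegate, d_role in self.delegations
            if delegate == user
        )


def demo():
    # Constructed data: alice and bob are tenants of different projects.
    m = TenantRoleModel()
    m.add_user("alice", tenants={"acme"}, roles={"member"})
    m.add_user("bob", tenants={"globex"}, roles={"member"})
    m.add_resource("vm-1", "acme", "member")
    before = m.can_access_today("bob", "vm-1")      # False: bob is not an acme tenant
    m.delegate("alice", "bob", "member")
    after = m.can_access_delegated("bob", "vm-1")   # True: role delegated across tenants
    return before, after
```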