[openstack-dev] [keystone] On multiple project & domain scoping

Henry Nash henryn at linux.vnet.ibm.com
Thu Nov 29 08:21:01 UTC 2012


Hi

One of the requests from the summit was for allowing the scoping of a token to multiple projects, and this is being worked on for Grizzly.  However, I would like us to re-visit (or maybe just re-clarify) this requirement - whilst also considering the option of scoping to a domain (see blueprint at: https://blueprints.launchpad.net/keystone/+spec/domain-scoping).

Now the whole point of scoping to anything is to make it possible (and in some cases easier) to execute operations on the granularity that you have "scoped to". It seems to me that now we have a domain as the logical container for users and projects, clearly one of the common usages will be operations that want to look at all the projects (or some aspect of projects) in a domain - hence the idea of scoping to a domain.  This would provide a somewhat simpler, both request & response, for an appropriately scoped token than an arbitrary list of projects (where you end up returning a nested set of projects and their domains in the response, for example).  Further, if we had this, would we really need the ability to scope to multiple projects from different domains (which is technically the request on the table right now)?  Remember, scoping is defining the access rights - just allowing a suitable granularity of scope for upcoming operations - so you only really need a complex scope if you have some operation that needs to be carried out across that complex set of objects.  Is there such a set of operations that people have in mind?

I raise this so that we just look at whether there is some simplification to the expansion of the ability to scope, before we go too far.

Henry
