[openstack-dev] [keystone] Service scoped role definition
Adam Young
ayoung at redhat.com
Wed Dec 4 01:51:53 UTC 2013
I've been thinking about your comment that "nested roles are confusing".

What if we backed off and said the following:

"Some role-definitions are owned by services. If a Role definition is
owned by a service, in role assignment lists in tokens, those roles will
be prefixed by the service name. / is a reserved character and will be
used as the divider between segments of the role definition."

That drops arbitrary nesting, and provides a reasonable namespace. Then
a role def would look like:

"glance/admin" for the admin role on the glance project.

In theory, we could add the domain to the namespace, but that seems
unwieldy. If we did, a role def would then look like this:

"default/glance/admin" for the admin role on the glance project.

Is that clearer than the nested roles?

On 11/26/2013 06:57 PM, Tiwari, Arvind wrote:
> Hi Adam,
>
> Based on our discussion over IRC, I have updated the below etherpad with proposal for nested role definition
>
> https://etherpad.openstack.org/p/service-scoped-role-definition
>
> Please take a look @ "Proposal (Ayoung) - Nested role definitions", I am sorry if I could not catch your idea.
>
> Feel free to update the etherpad.
>
> Regards,
> Arvind
>
>
> -----Original Message-----
> From: Tiwari, Arvind
> Sent: Tuesday, November 26, 2013 4:08 PM
> To: David Chadwick; OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [keystone] Service scoped role definition
>
> Hi David,
>
> Thanks for your time and valuable comments. I have replied to your comments and tried to explain why I am advocating this BP.
>
> Let me know your thoughts, please feel free to update below etherpad
> https://etherpad.openstack.org/p/service-scoped-role-definition
>
> Thanks again,
> Arvind
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk]
> Sent: Monday, November 25, 2013 12:12 PM
> To: Tiwari, Arvind; OpenStack Development Mailing List
> Cc: Henry Nash; ayoung at redhat.com; dolph.mathews at gmail.com; Yee, Guang
> Subject: Re: [openstack-dev] [keystone] Service scoped role definition
>
> Hi Arvind
>
> I have just added some comments to your blueprint page
>
> regards
>
> David
>
>
> On 19/11/2013 00:01, Tiwari, Arvind wrote:
>> Hi,
>>
>>
>>
>> Based on our discussion in design summit, I have redone the service_id
>> binding with roles BP
>> <https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition>.
>> I have added a new BP (link below) along with detailed use case to
>> support this BP.
>>
>> https://blueprints.launchpad.net/keystone/+spec/service-scoped-role-definition
>>
>> Below etherpad link has some proposals for Role REST representation and
>> pros and cons analysis
>>
>>
>>
>> https://etherpad.openstack.org/p/service-scoped-role-definition
>>
>>
>>
>> Please take a look and let me know your thoughts.
>>
>>
>>
>> It would be awesome if we can discuss it in tomorrow's meeting.
>>
>>
>>
>> Thanks,
>>
>> Arvind
>>
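
The naming convention proposed at the top of this message ("glance/admin", with / reserved as the divider), sketched as an added example that is not code from this thread or from Keystone. The function names and the sample role list are hypothetical. It handles only the two-segment form and assumes that an un-prefixed role is one not owned by any service.

```python
DIVIDER = "/"  # the reserved character from the proposal


class RoleNameError(ValueError):
    """Raised when a name breaks the service/role convention."""


def validate_segment(segment):
    # A service name or role name must be non-empty and must not contain
    # the divider; otherwise an un-owned role could be created with a name
    # that reads as a service-owned one in a token.
    if not segment or DIVIDER in segment:
        raise RoleNameError("invalid segment: %r" % (segment,))
    return segment


def qualify(role, service=None):
    """Build the role name as it would be listed in a token."""
    validate_segment(role)
    if service is None:
        return role
    return validate_segment(service) + DIVIDER + role


def parse(name):
    """Split a token role name into (service, role); service is None if un-owned."""
    parts = name.split(DIVIDER)
    if len(parts) > 2:
        # Arbitrary nesting is dropped; the domain-prefixed form is not handled here.
        raise RoleNameError("too many segments: %r" % (name,))
    for part in parts:
        validate_segment(part)
    return (None, parts[0]) if len(parts) == 1 else (parts[0], parts[1])


def split_for_service(token_roles, service):
    """Return (roles owned by `service`, un-owned roles); other services' roles are ignored."""
    owned, unowned = [], []
    for name in token_roles:
        owner, role = parse(name)
        if owner == service:
            owned.append(role)
        elif owner is None:
            unowned.append(role)
    return owned, unowned


# Constructed sample: role assignment list as it might appear in a token.
SAMPLE_TOKEN_ROLES = ["glance/admin", "nova/observer", "member"]
```
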