[openstack-dev] [keystone] Service scoped role definition

Adam Young ayoung at redhat.com
Tue Dec 10 18:45:16 UTC 2013


On 12/10/2013 11:42 AM, Tiwari, Arvind wrote:
> Hi David,
>
> I am cool with the proposal, just wanted to grad you attention on may question which I asked in my last email (which is below)
>
> Q. what if two (or more) endpoints want to have same role_name for a service (nova.east.admin, nova.west.admin, nova.north.admin .....)?
>
> (Can we think of adding an optional endpoint_id attribute in role data model to allow such role, which is also needed to envision endpoint scoped tokens for our use case)

You are over designing.  Services and Endpoints have no business in this 
design.  That is enforcement, not definition or assignment of the 
Roles.  We need a clean namespace, and mixing services and endpoints in 
there adds no benefit.

>
> {
>       "role": {
>        "id": "76e72a",
>        "domain_id" = "--id--",    (optional, if present, role is named by specific domain)
>        "project_id" = "--id--",    (optional, if present, role is named by project)
>        "service_id" = "--id--",    (optional, if present, role is named by service)
>        "endpoint_id" = "--id--",    (optional, if present, role is named by service)
>        "name": "---role_name---",  (must be unique when combined with domain, project and service ids)
>        "scope": {"id": "---id---", (resource_id)
>           "type": "service | file | domain etc.",
>           "endpoint":"---endpoint---"
>         }
>      }
>   }
>
> For Adam's question " We are not linking role names to service id." (email attached)
> AT: These attributes are all optional and will not stop anyone how don't want to included service_id or (any other attribute) for role name uniqueness. So in particular deployment want to keep just the role name unique, this model will not restrict you.
>
> Thoughts?
>
>
>
> Thanks,
> Arvind
>
>
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk]
> Sent: Tuesday, December 10, 2013 1:30 AM
> To: Adam Young; Tiwari, Arvind; OpenStack Development Mailing List (not for usage questions)
> Cc: Henry Nash; dolph.mathews at gmail.com; Yee, Guang
> Subject: Re: [openstack-dev] [keystone] Service scoped role definition
>
> How about the following which clearly separates naming and scoping
> constraints
>
>   {
>       "role": {
>        "id": "76e72a",
>        "domain_id" = "--id--",    (optional, if present, role is named by specific domain)
>        "project_id" = "--id--",    (optional, if present, role is named by project)
>        "service_id" = "--id--",    (optional, if present, role is named by service)
>        "name": "---role_name---",  (must be unique when combined with domain, project and service ids)
>        "scope": {"id": "---id---", (resource_id)
>           "type": "service | file | domain etc.",
>           "endpoint":"---endpoint---"
>         }
>      }
>   }
>
> regards
>
> David




More information about the OpenStack-dev mailing list