[openstack-dev] [keystone] Service scoped role definition

David Chadwick d.w.chadwick at kent.ac.uk
Tue Dec 10 21:26:57 UTC 2013


Hi Arvind

the granularity in naming can be as fine as required i.e. a naming
hierarchy can be as deep as required. So if there is a requirement for
individual endpoints to name their own roles, then the addition of
endpoint_id to the naming structure is fine.

regards

David

On 10/12/2013 16:42, Tiwari, Arvind wrote:
> Hi David,
> 
> I am cool with the proposal, just wanted to grad you attention on may
> question which I asked in my last email (which is below)
> 
> Q. what if two (or more) endpoints want to have same role_name for a
> service (nova.east.admin, nova.west.admin, nova.north.admin .....)?
> 
> (Can we think of adding an optional endpoint_id attribute in role
> data model to allow such role, which is also needed to envision
> endpoint scoped tokens for our use case)
> 
> { "role": { "id": "76e72a", "domain_id" = "--id--",    (optional, if
> present, role is named by specific domain) "project_id" = "--id--",
> (optional, if present, role is named by project) "service_id" =
> "--id--",    (optional, if present, role is named by service) 
> "endpoint_id" = "--id--",    (optional, if present, role is named by
> service) "name": "---role_name---",  (must be unique when combined
> with domain, project and service ids) "scope": {"id": "---id---",
> (resource_id) "type": "service | file | domain etc.", 
> "endpoint":"---endpoint---" } } }
> 
> For Adam's question " We are not linking role names to service id."
> (email attached) AT: These attributes are all optional and will not
> stop anyone how don't want to included service_id or (any other
> attribute) for role name uniqueness. So in particular deployment want
> to keep just the role name unique, this model will not restrict you.
> 
> Thoughts?
> 
> 
> 
> Thanks, Arvind
> 
> 
> 
> -----Original Message----- From: David Chadwick
> [mailto:d.w.chadwick at kent.ac.uk] Sent: Tuesday, December 10, 2013
> 1:30 AM To: Adam Young; Tiwari, Arvind; OpenStack Development Mailing
> List (not for usage questions) Cc: Henry Nash;
> dolph.mathews at gmail.com; Yee, Guang Subject: Re: [openstack-dev]
> [keystone] Service scoped role definition
> 
> How about the following which clearly separates naming and scoping 
> constraints
> 
> { "role": { "id": "76e72a", "domain_id" = "--id--",    (optional, if
> present, role is named by specific domain) "project_id" = "--id--",
> (optional, if present, role is named by project) "service_id" =
> "--id--",    (optional, if present, role is named by service) "name":
> "---role_name---",  (must be unique when combined with domain,
> project and service ids) "scope": {"id": "---id---", (resource_id) 
> "type": "service | file | domain etc.", "endpoint":"---endpoint---" 
> } } }
> 
> regards
> 
> David
> 



More information about the OpenStack-dev mailing list