[openstack-dev] [keystone] A default domain
Yee, Guang
guang.yee at hp.com
Wed Jan 16 17:53:06 UTC 2013
I think super-admin (ADMIN) should be able to list all users. Unless we are
doing away with that concept. Or perhaps that's where a global role would
come in handy?
+1 on domain isolation. If token is scoped to a domain, it should only be
able to administrate resources within that domain. i.e. delegated admin
Guang
-----Original Message-----
From: Vishvananda Ishaya [mailto:vishvananda at gmail.com]
Sent: Wednesday, January 16, 2013 9:29 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [keystone] A default domain
On Jan 16, 2013, at 8:07 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> Currently, the API user is allowed to not include a domain_id in a request
to create new users or create new projects. The assumption is that the
service will assign those resources to the creating user's domain.
>
> In a recent keystone meeting, I believe we did have a brief discussion
about applying such a behavior to other calls. Currently, the two calls you
listed are different (the first returns all users in the system regardless
of domain). Further, if the second call was going to default to a domain, I
would hope it would default to the requesting user's domain, not the default
domain.
>
> That said, with the introduction of domain-specific role grants[1] and
domain-scoped tokens[2], we have a third option: listing users in the domain
for which your token token is authorized, regardless of whether you specify
a domain in the query string. I don't think we would have a way to list all
users in the system at that point.
If we are being pedantic about REST, this should not be allowed, because a
given uri should corresspond to one set of data. I guess the "right" way to
do it would be to redirect to ?domain_id=<users_domain>. That said, I've
always felt that REST breaks down with lists and authz so some cheating may
be warranted.
Vish
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6186 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130116/6ee04655/attachment.bin>
More information about the OpenStack-dev
mailing list