[openstack-dev] [Keystone] Domains, Projects, and Groups are all collections
Adam Young
ayoung at redhat.com
Wed Jan 23 21:06:37 UTC 2013
On 01/23/2013 03:54 PM, David Chadwick wrote:
> Two points. First you meant authz not authn, which threw me.
Yep. Sorry for the confusion. Authorization, not authentication.
> Secondly you must surely use tenants/projects for authz as well as
> roles. And surely the CSPs make use of this attribute as well do they
> not?
Yes. Specifically, a role assignment is an attribute of a user that
links them to a project. All the other organizational and workflow
containers come down to specifying this.
So if the user has to have the "master" role in the "dojo" project, the
attribute for access control would be specified something like
"role=master,project=dojo"
>
> David
>
> On 23/01/2013 20:46, Adam Young wrote:
>> On 01/23/2013 03:33 PM, David Chadwick wrote:
>>>
>>>
>>> On 23/01/2013 20:23, Adam Young wrote:
>>>> the dominant attribute for authN is named roles
>>>
>>> Can you please explain this to me
>>
>> I see the term "Attribute" like "property" in object oriented
>> programming. It is a term about the form of the metadata. In
>> Keystone, we have "attributes". The only attribute we use for policy
>> enforcement today is role assignments, but we can expand on that in the
>> future.
>>
>>
>>
>>>
>>> thanks
>>>
>>> David
>>