[openstack-dev] [Keystone] Domains, Projects, and Groups are all collections
David Chadwick
d.w.chadwick at kent.ac.uk
Wed Jan 23 21:17:46 UTC 2013
On 23/01/2013 20:32, Adam Young wrote:
> I've been using the term role_assignments. A role_assignment is an
> attribute that resolves down to the link between a user and an
> organization.
This is not my understanding of a role assignment.
There are role_assignments between groups and projects;
clearly one can assign roles to anything. But this hardly helps when
ultimately we want to assign roles to users, since permissions are also
assigned to roles.
> but what we care about at policy time is how those role assignments
> resolve for the user in question.
Correct. But actually the model should be more flexible than this. It
should be:
sets of X, Y, Z... are assigned permissions by a CSP
users are assigned attributes X, Y, Z... by Keystone
Then you have an ABAC model. When X, Y, Z collapse to "role" only, then
you have a pure RBAC model.
Currently Keystone has neither of the above models, according to my
understanding.
regards
David
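The two-sided model David sketches above (a CSP maps permissions to sets of attribute values, Keystone maps attribute values to users, and the decision is taken where the two meet) written out as a small evaluator. This is an added illustration, not code from the thread or from Keystone; the permission names, attribute names and users are constructed, and the "collapse to role only" function is my own rendering of the RBAC special case he describes.

```python
from typing import Dict, FrozenSet, Set, Tuple

Attribute = Tuple[str, str]          # (attribute name, attribute value)
AttributeSet = FrozenSet[Attribute]  # one "set of X, Y, Z..." from the model

# CSP side (constructed): each permission is granted to one or more
# attribute sets; a user needs *all* attributes of at least one set.
CSP_POLICY: Dict[str, Set[AttributeSet]] = {
    "compute:start_server": {
        frozenset({("role", "member"), ("project", "demo")}),
        frozenset({("role", "admin")}),
    },
    "identity:delete_user": {
        frozenset({("role", "admin"), ("domain", "default")}),
    },
}

# Keystone side (constructed): the attributes each user has been assigned.
KEYSTONE_ATTRIBUTES: Dict[str, Set[Attribute]] = {
    "alice": {("role", "member"), ("project", "demo"), ("domain", "default")},
    "bob": {("role", "admin"), ("domain", "default")},
    "carol": {("role", "member"), ("project", "other"), ("domain", "default")},
}


def abac_allowed(user_attrs: Set[Attribute], permission: str,
                 policy: Dict[str, Set[AttributeSet]]) -> bool:
    """Decision at policy time: does any granting attribute set for this
    permission lie entirely within the attributes the user carries?"""
    return any(required <= user_attrs for required in policy.get(permission, ()))


def user_permissions(user: str,
                     policy: Dict[str, Set[AttributeSet]] = CSP_POLICY,
                     attrs: Dict[str, Set[Attribute]] = KEYSTONE_ATTRIBUTES) -> Set[str]:
    """Resolve the full permission set for one user (unknown user -> nothing)."""
    user_attrs = attrs.get(user, set())
    return {p for p in policy if abac_allowed(user_attrs, p, policy)}


def collapse_to_rbac(policy: Dict[str, Set[AttributeSet]]) -> Dict[str, Set[AttributeSet]]:
    """Keep only the 'role' attribute in every granting set: the pure RBAC
    special case. Project/domain scoping is dropped, so the collapsed policy
    is never stricter than the original. A granting set with no role at all
    cannot be expressed in RBAC and is dropped rather than left empty (an
    empty set would match every user)."""
    return {
        permission: {frozenset(a for a in s if a[0] == "role")
                     for s in grants if any(a[0] == "role" for a in s)}
        for permission, grants in policy.items()
    }


def is_pure_rbac(policy: Dict[str, Set[AttributeSet]]) -> bool:
    """True when every granting set mentions nothing but 'role'."""
    return all(name == "role"
               for grants in policy.values() for s in grants for name, _ in s)


if __name__ == "__main__":
    rbac_only = collapse_to_rbac(CSP_POLICY)
    for who in KEYSTONE_ATTRIBUTES:
        print(who, "ABAC:", sorted(user_permissions(who)),
              "RBAC:", sorted(user_permissions(who, rbac_only)))
```

The point worth noticing is in the collapsed policy: under the ABAC mapping carol (member of project "other") cannot start servers in "demo", but once the granting sets are reduced to "role" alone the project attribute is gone and she can, which is exactly why a role-only model has to multiply roles (one per project) to express what the attribute sets say directly.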