[openstack-dev] [Keystone] Not inherited "roles" but rather groups.

Adam Young ayoung at redhat.com
Fri Jun 21 02:14:15 UTC 2013


Something has been struggling to the surface of my brain since our last 
talk.

It should not be inherited 'roles' but rather:

"users in this group should get role X in all projects in a domain."

It is the group to role mapping that we need to fix.  Right now, we can 
add a group to a role in a specific project.  What we need to be able to 
do is add a group to a role in all projects in a domain.

It is a slight change in emphasis.  It is not "inherited roles" but 
rather "patterns of role assignments" with "all projects in this domain" 
the first implemented pattern.

We don't want to list all role assignments globally.  Listing role 
assignments should come from the objects involved.  So I think the top 
level listing and the filtering of effective etc. is the wrong approach.


Right now, the APIs to assign a group to a role in a specific project 
and to assign a group to a role in a domain are specified. What we want 
is the rule to assign a group to a role in all projects in a domain:
So instead of PUT /domains/{domain_id}/groups/{group_id}/roles/{role_id}

It would be something like

PUT /domain-all-projects/{domain_id}/users/{user_id}/roles/{role_id}

There should be no "effective" role assignments.
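A toy model of the resolution the post argues for, added here as an illustration and not Keystone code: a direct group-to-role grant on one project sits beside a "group gets role R in all projects of domain D" pattern, and the roles a user holds on a project are computed at check time from the objects involved rather than stored as an "effective" list. All class, method and sample names (AssignmentStore, the d1/p1/ops/alice scenario) are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Project:
    project_id: str
    domain_id: str


@dataclass
class AssignmentStore:
    """Hypothetical store; attribute and method names are assumptions."""
    projects: dict = field(default_factory=dict)         # project_id -> Project
    group_members: dict = field(default_factory=dict)    # group_id -> {user_id}
    project_grants: dict = field(default_factory=dict)   # project_id -> {(group_id, role_id)}
    domain_pattern_grants: dict = field(default_factory=dict)  # domain_id -> {(group_id, role_id)}

    def add_project(self, project: Project) -> None:
        self.projects[project.project_id] = project

    def add_member(self, group_id: str, user_id: str) -> None:
        self.group_members.setdefault(group_id, set()).add(user_id)

    def grant_on_project(self, project_id: str, group_id: str, role_id: str) -> None:
        # Today's assignment: PUT /projects/{project_id}/groups/{group_id}/roles/{role_id}
        self.project_grants.setdefault(project_id, set()).add((group_id, role_id))

    def grant_on_all_projects(self, domain_id: str, group_id: str, role_id: str) -> None:
        # The proposed pattern (/domain-all-projects/{domain_id}/...), applied to a group
        self.domain_pattern_grants.setdefault(domain_id, set()).add((group_id, role_id))

    def roles_on_project(self, user_id: str, project_id: str) -> set:
        """Resolve from the project, its domain and the user's groups; nothing 'effective' is stored."""
        project = self.projects[project_id]
        groups = {g for g, members in self.group_members.items() if user_id in members}
        roles = {r for g, r in self.project_grants.get(project_id, ()) if g in groups}
        roles |= {r for g, r in self.domain_pattern_grants.get(project.domain_id, ()) if g in groups}
        return roles


def demo() -> dict:
    """Constructed scenario: two domains, one group, one direct grant and one pattern grant."""
    store = AssignmentStore()
    for p in (Project("p1", "d1"), Project("p2", "d1"), Project("p3", "d2")):
        store.add_project(p)
    store.add_member("ops", "alice")
    store.grant_on_project("p1", "ops", "Member")
    store.grant_on_all_projects("d1", "ops", "admin")
    store.add_project(Project("p4", "d1"))  # created after the grant: covered by the pattern anyway
    return {(u, p): store.roles_on_project(u, p)
            for u in ("alice", "bob") for p in ("p1", "p2", "p3", "p4")}
```

Note that p4, created after the pattern grant, needs no new assignment, while p3 in the other domain gets nothing.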