[openstack-dev] OpenStack-dev Digest, Vol 22, Issue 39

Vishvananda Ishaya vishvananda at gmail.com
Sun Feb 16 20:08:15 UTC 2014


On Feb 15, 2014, at 4:36 AM, Vinod Kumar Boppanna <vinod.kumar.boppanna at cern.ch> wrote:

> 
> Dear Vish,
> 
> I completely agree with you. It's like a trade-off between getting re-authenticated (when in a hierarchy a user has different roles at different levels) or parsing the entire hierarchy down to the leaf and including all the roles the user has at each level in the scope.
> 
> I am ok with either one (both have some advantages and disadvantages).
> 
> But one point I didn't understand: why should we parse the tree above the level where the user gets authenticated (as you specified in the reply)? Like, if a user is authenticated at level 3, then do we mean that the roles at level 2 and level 1 should also be passed?
> Why is this needed? I only see that either we pass only the role at the level where the user is getting authenticated, or we pass the roles from the level where the user is getting authenticated down to the leaf.


This is needed because in my proposed model roles are inherited down the hierarchy. That means if you authenticate against ProjA.ProjA2 and you have a role like "netadmin" in ProjA, you will also have it in ProjA2. So it is necessary to walk up the tree to find the full list of roles.

Vish

> 
> Regards,
> Vinod Kumar Boppanna
> ________________________________________
> Message: 21
> Date: Fri, 14 Feb 2014 10:13:59 -0800
> From: Vishvananda Ishaya <vishvananda at gmail.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
>        <openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] Hierarchicical Multitenancy Discussion
> Message-ID: <4508B18F-458B-4A3E-BA66-22F9FA47EAC0 at gmail.com>
> Content-Type: text/plain; charset="windows-1252"
> 
> Hi Vinod!
> 
> I think you can simplify the roles in the hierarchical model by only passing the roles for the authenticated project and above. All roles are then inherited down. This means it isn't necessary to pass a scope along with each role. The scope is just passed once with the token and the project-admin role (for example) would be checking to see that the user has the project-admin role and that the project_id prefix matches.
> 
> There is only one case that this doesn't handle, and that is when the user has one role (say member) in ProjA and project-admin in ProjA2. If the user is authenticated to ProjA, he can't do project-adminy stuff for ProjA2 without reauthenticating. I think this is a reasonable sacrifice considering how much easier it would be to just pass the parent roles instead of going through all of the children.
> 
> Vish
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140216/7c320704/attachment.pgp>
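The model Vish describes above (roles granted at a parent project are inherited by every descendant, a token carries one scope plus the roles found by walking up from that scope to the root, and a policy check compares the project_id prefix) can be sketched in a few lines. The following is an added example written for this page; it is not Keystone code and not code from anyone in the thread. The dotted project paths, the ASSIGNMENTS table, the user names and every function and class name are assumptions made for illustration. It also covers the case Vish calls a sacrifice (project-admin held only at ProjA2 is invisible to a token scoped to ProjA) and does the "prefix matches" check on path segments rather than on the raw string, so a scope of ProjA does not accidentally cover an unrelated project named ProjAB.

```python
"""Illustrative model of inherited roles in a project hierarchy.

Added example, not Keystone code. Project ids are dotted paths such as
"ProjA.ProjA2" (assumption, following the thread's notation). The
ASSIGNMENTS table, the user names and all function/class names are made
up for this illustration.
"""
from dataclasses import dataclass

# Constructed sample data: role assignments recorded at the level where
# they were granted. ProjA is a root project; ProjA.ProjA2 is its child.
ASSIGNMENTS = {
    ("alice", "ProjA"): {"netadmin"},
    ("alice", "ProjA.ProjA2"): {"member"},
    ("bob", "ProjA"): {"member"},
    ("bob", "ProjA.ProjA2"): {"project-admin"},
}


def ancestors_and_self(project_id):
    """Return the project and every ancestor, nearest first, up to the root.

    "ProjA.ProjA2.X" -> ["ProjA.ProjA2.X", "ProjA.ProjA2", "ProjA"]
    """
    parts = project_id.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective_roles(user, scope_project_id, assignments=ASSIGNMENTS):
    """Roles a token scoped to scope_project_id carries.

    Roles assigned at the scope project and at each of its ancestors are
    included (inheritance down the tree). Roles held only at descendants
    are deliberately NOT included; that is the trade-off from the thread.
    """
    roles = set()
    for pid in ancestors_and_self(scope_project_id):
        roles |= assignments.get((user, pid), set())
    return roles


@dataclass(frozen=True)
class Token:
    user: str
    project_id: str       # the single scope passed once with the token
    roles: frozenset      # no per-role scope needed under this model


def issue_token(user, project_id):
    """Build a token for the project the user authenticated against."""
    return Token(user, project_id, frozenset(effective_roles(user, project_id)))


def is_within_scope(token_project_id, target_project_id):
    """The "project_id prefix matches" check, done on path segments.

    A raw string prefix test would let a token scoped to "ProjA" act on
    "ProjAB"; comparing segment lists avoids that.
    """
    scope = token_project_id.split(".")
    target = target_project_id.split(".")
    return target[:len(scope)] == scope


def enforce_project_admin(token, target_project_id):
    """Policy check: holder has project-admin and target is under the scope."""
    return bool("project-admin" in token.roles
                and is_within_scope(token.project_id, target_project_id))


if __name__ == "__main__":
    # alice authenticates against the child; netadmin from ProjA is inherited.
    print(issue_token("alice", "ProjA.ProjA2").roles)
    # bob scoped to ProjA cannot administer ProjA2 without re-authenticating.
    print(enforce_project_admin(issue_token("bob", "ProjA"), "ProjA.ProjA2"))
    # bob scoped to ProjA.ProjA2 can; and cannot reach up to ProjA.
    print(enforce_project_admin(issue_token("bob", "ProjA.ProjA2"), "ProjA.ProjA2"))
    print(enforce_project_admin(issue_token("bob", "ProjA.ProjA2"), "ProjA"))
```

The segment-wise comparison in is_within_scope is the one detail worth carrying into a real implementation: the thread says "project_id prefix matches", and a literal string prefix test is the natural but wrong way to implement it when sibling project names share a leading substring.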
