Hi all,

We created a POC that enables domain-related role checking to components that do not support domains (such as Nova and Cinder). The code can be found here: https://github.com/rodrigods/keystone/tree/domain-check

The idea is to use the HttpCheck feature: https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L849 to check if a user has a given role in a domain.

The changes were made exclusively into Keystone. The service willing to use the feature just has to add the rule in its policy file. Here is a list of the changes added to make it work:

1 - Create a new endpoint to handle the HttpCheck calls, for example: /v3/projects/<project_id>/roles/<role_name>

2 - Add a method to handle this endpoint at Keystone: https://github.com/rodrigods/keystone/blob/domain-check/keystone/assignment/controllers.py#L559
  * Get domain_id from target project (from given project_id)
  * Filter all role_assignments from logged user in target domain (from user_id in given credentials)
  * Check if role_assignments contains target role

To test it, we added the following rule into Nova's policy file:

  * "compute:create": "rule:domain_admin"
  * "domain_admin": "http://localhost:5000/v3/projects/%(project_id)s/roles/admin"

Once the request arrives into Keystone, it checks if the logged user has /admin/ role at /project_id/'s domain.

So, what do you think? We would like your feedback before giving extra efforts such as creating the bp/spec.

--
Rodrigo Duarte Sousa
MSc candidate in Computer Science
Software Engineer at OpenStack Project
HP/LSD-UFCG Distributed Systems Laboratory
Federal University of Campina Grande
Campina Grande, PB - Brazil
http://lsd.ufcg.edu.br/~rodrigods
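A small, self-contained model of the check described in the mail, added here as an example (it is not code from the mail, from Keystone or from oslo): a stand-in for the new Keystone endpoint performs the three steps listed above, and an HttpCheck-style caller evaluates the "domain_admin" rule against it. The backend data, the user names and the assumption that the check passes only on a "True" response body are constructed for this example.

```python
import re

# Constructed stand-in for Keystone's backend (hypothetical sample data).
PROJECTS = {"p1": {"domain_id": "d1"}, "p2": {"domain_id": "d2"}}
# (user_id, scope type, scope id, role name)
ROLE_ASSIGNMENTS = [
    ("alice", "domain", "d1", "admin"),    # domain admin of d1
    ("bob", "project", "p1", "admin"),     # admin on project p1 only, not its domain
    ("carol", "domain", "d2", "member"),   # member, not admin, of d2
]

# Policy rule as given in the mail; %(project_id)s is filled from the target.
DOMAIN_ADMIN_RULE = "http://localhost:5000/v3/projects/%(project_id)s/roles/admin"
ROUTE = re.compile(r"^https?://[^/]+/v3/projects/([^/]+)/roles/([^/]+)$")

def user_has_role_in_project_domain(user_id, project_id, role_name):
    """The three steps the endpoint performs: resolve the project's domain,
    collect the caller's domain-level assignments there, check for the role."""
    project = PROJECTS.get(project_id)
    if project is None:
        return False
    domain_id = project["domain_id"]
    roles = {r for u, scope, sid, r in ROLE_ASSIGNMENTS
             if u == user_id and scope == "domain" and sid == domain_id}
    return role_name in roles

def keystone_endpoint(url, body):
    """Stand-in for the new Keystone handler; returns the body the check reads."""
    match = ROUTE.match(url)
    if match is None:
        return "False"
    project_id, role_name = match.groups()
    user_id = body["credentials"].get("user_id")
    ok = user_has_role_in_project_domain(user_id, project_id, role_name)
    return "True" if ok else "False"

def http_check(rule_url, target, credentials):
    """Modelled on HttpCheck (assumed contract): substitute the target into
    the rule URL, send target and credentials, pass only on a 'True' body."""
    url = rule_url % target
    body = {"target": target, "credentials": credentials}
    return keystone_endpoint(url, body) == "True"

def allowed_compute_create(user_id, project_id):
    """compute:create -> rule:domain_admin, evaluated through the HTTP check."""
    return http_check(DOMAIN_ADMIN_RULE, {"project_id": project_id},
                      {"user_id": user_id, "project_id": project_id})
```

Note that bob is refused even though he holds admin on the project itself: the rule looks only at assignments on the project's domain, which is the distinction the endpoint is built around.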