[openstack-dev] [Keystone] [Swift] Composite Auth question

McCabe, Donagh Donagh.McCabe at hp.com
Thu Jul 17 10:43:38 UTC 2014


Hi,



I'm working on the Swift implications of using composite authorization [1] [2].



My question for Keystone developers is: what project-id do we expect the service token to be scoped to - the service's project or the end-user's project? When reviewing the Keystone spec, I had assumed the former. However, now that I'm looking at it in more detail, I would like to check my understanding.



The implications are:



1/ If scoped to the service's project, the role used must be exclusive to Glance/Cinder. I.e. an end-user must never be assigned this role. In effect, a role on one project grants the service user some privileges on every project.



2/ If scoped to the end-user's project, the glance/cinder service user must have a role on every project that uses them (including across domains); this seems infeasible.



Regards,

Donagh



[1] swift-specs: https://review.openstack.org/105228
[2] keystone-specs: https://review.openstack.org/#/c/96315/
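
The two scoping options in the message above, modelled as an added example that is not part of the original post and is not Keystone or Swift code. The role name "service", the account names, the Token shape and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the two scoping options; not Keystone or Swift code.
SERVICE_ROLE = "service"              # assumed role name
SERVICE_USERS = {"glance", "cinder"}  # assumed service accounts

@dataclass(frozen=True)
class Token:
    user: str
    project_id: str      # project the token is scoped to
    roles: frozenset     # roles held on that project

def allow_option1(user_tok, service_tok, target_project):
    """Option 1: service token scoped to the service's own project.
    Only its role is checked; its project scope is unrelated to the target."""
    return (user_tok.project_id == target_project
            and SERVICE_ROLE in service_tok.roles)

def allow_option2(user_tok, service_tok, target_project):
    """Option 2: service token must be scoped to the end-user's project."""
    return (allow_option1(user_tok, service_tok, target_project)
            and service_tok.project_id == target_project)

def exclusivity_violations(assignments):
    """Option 1 precondition: list (user, project) pairs where a non-service
    user holds SERVICE_ROLE. assignments is an iterable of (user, project, role)."""
    return sorted((u, p) for u, p, r in assignments
                  if r == SERVICE_ROLE and u not in SERVICE_USERS)

def option2_assignments(service_user, projects):
    """Option 2 cost: one role assignment per project that uses the service."""
    return [(service_user, p, SERVICE_ROLE) for p in sorted(projects)]

# Constructed sample data.
ALICE = Token("alice", "proj-a", frozenset({"member"}))
BOB = Token("bob", "proj-b", frozenset({"member"}))
GLANCE = Token("glance", "services", frozenset({SERVICE_ROLE}))
ASSIGNMENTS = [("glance", "services", SERVICE_ROLE),
               ("alice", "proj-a", "member"),
               ("bob", "proj-b", SERVICE_ROLE)]   # misassignment to an end-user

if __name__ == "__main__":
    print(allow_option1(ALICE, GLANCE, "proj-a"), allow_option1(BOB, GLANCE, "proj-b"))
    print(allow_option2(ALICE, GLANCE, "proj-a"))
    print(exclusivity_violations(ASSIGNMENTS))
    print(len(option2_assignments("glance", {"proj-a", "proj-b"})))
```

Under option 1 the same service token passes for every project, so the audit in exclusivity_violations has to stay empty; under option 2 the assignment list grows with the number of projects.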