[openstack-dev] [Keystone] [Swift] Composite Auth question
McCabe, Donagh
Donagh.McCabe at hp.com
Thu Jul 17 10:43:38 UTC 2014
Hi,
I'm working on the Swift implications of using composite authorization [1] [2].
My question for Keystone developers is: what project-id do we expect the service token to be scoped to - the service's project or the end-user's project? When reviewing the Keystone spec, I had assumed the former. However, now that I'm looking at it in more detail, I would like to check my understanding.
The implications are:
1/ If scoped to the service's project, the role used must be exclusive to Glance/Cinder. I.e. an end-user must never be assigned this role. In effect, a role on one project grants the service user some privileges on every project.
2/ If scoped to the end-user's project, the Glance/Cinder service user must have a role on every project that uses them (including across domains); this seems infeasible.
Regards,
Donagh
[1] swift-specs: https://review.openstack.org/105228
[2] keystone-specs: https://review.openstack.org/#/c/96315/