[openstack-dev] [Keystone] More granular role management

Dolph Mathews dolph.mathews at gmail.com
Wed Jul 23 13:56:58 UTC 2014


On Wed, Jul 23, 2014 at 1:03 AM, Fei Long Wang <feilong at catalyst.net.nz>
wrote:

> Greetings,
>
> I'm trying to figure out if Keystone can support more granular role
> management or if there is any plan to do that in the future. Currently,
> AWS can support adding a role and assigning the capability from 3
> different level/perspective: service, function and resource[1]. Keystone
> can support the service level for now, but I didn't find the
> function/resource level support from current code/blueprint. Am I
> missing anything? Any comment is appreciated. Cheers.
>

Absolutely, but Keystone does not own the "definition" of the role (its
capabilities), which is distributed throughout the other services. So while
you can create a role in Keystone and assign it to users however you'd
like, you also have to give that role capabilities by defining policy rules
in the other services. For example, in nova's policy.json:

  https://github.com/openstack/nova/blob/master/etc/nova/policy.json


>
> [1] awspolicygen.s3.amazonaws.com/policygen.html
>
> --
> Cheers & Best regards,
> Fei Long Wang (王飞龙)
> --------------------------------------------------------------------------
> Senior Cloud Software Engineer
> Tel: +64-48032246
> Email: flwang at catalyst.net.nz
> Catalyst IT Limited
> Level 6, Catalyst House, 150 Willis Street, Wellington
> --------------------------------------------------------------------------
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
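As an added illustration of the point in the reply above (example code written for this page, not nova's or oslo.policy's own implementation): a toy evaluator for the policy.json rule language, run over a constructed policy fragment. The fragment shows the three granularities the question asks about: service (the file belongs to one service), function (each key such as "compute:start" is one API action), and resource (the owner check "project_id:%(project_id)s" compares the caller's project to the target object's). The rule names, credentials and targets below are assumptions made up for the example; only the rule syntax ("role:", "rule:", "is_admin:True", "%(attr)s", "", "!", "and"/"or"/"not") follows the real format.

```python
"""Toy evaluator for the OpenStack policy.json rule language.

Added example, not nova's or oslo.policy's code. It implements the subset of
the rule grammar used in typical policy.json files: "kind:value" atoms joined
by "and"/"or" (with "and" binding tighter, as in oslo.policy), an optional
"not " prefix per atom, the empty rule (always allow) and "!" (always deny).
Parentheses are not supported in this toy; unknown actions are denied.
"""
import json

# Constructed policy fragment (assumption: these names are illustrative, not
# copied from any real service). Keys are function-level capabilities; values
# say which Keystone roles / which callers get them.
POLICY_JSON = """{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner or role:operator",
    "compute:unlock_override": "role:admin",
    "compute:get_all_tenants": "is_admin:True and not role:readonly",
    "compute:noop": "",
    "compute:forbidden": "!"
}"""


def load_rules(policy_text):
    """Parse policy.json text into a dict of rule-name -> rule-string."""
    return json.loads(policy_text)


def _check(atom, rules, creds, target):
    """Evaluate one 'kind:value' atom against the caller and the target."""
    if atom == "":
        return True                      # empty rule: everyone is allowed
    if atom == "!":
        return False                     # bang rule: nobody is allowed
    kind, _, value = atom.partition(":")
    if kind == "rule":                   # reference to another named rule
        return evaluate(rules.get(value, "!"), rules, creds, target)
    if kind == "role":                   # role carried in the Keystone token
        return value in creds.get("roles", [])
    if "%(" in value:                    # resource-level check: substitute a
        try:                             # field of the target object
            value = value % target
        except KeyError:
            return False                 # target lacks the attribute: deny
    # generic check: compare a credential field to a literal (is_admin:True)
    return str(creds.get(kind)) == value


def _atom(atom, rules, creds, target):
    atom = atom.strip()
    negate = atom.startswith("not ")
    if negate:
        atom = atom[4:].strip()
    result = _check(atom, rules, creds, target)
    return (not result) if negate else result


def evaluate(rule, rules, creds, target):
    """'a and b or c' -> (a and b) or c; each disjunct is a conjunction."""
    for disjunct in rule.split(" or "):
        if all(_atom(a, rules, creds, target) for a in disjunct.split(" and ")):
            return True
    return False


def enforce(rules, action, creds, target=None):
    """Return True if creds may perform action on target; unknown -> deny."""
    if action not in rules:
        return False
    return evaluate(rules[action], rules, creds, target or {})


if __name__ == "__main__":
    rules = load_rules(POLICY_JSON)
    # Constructed callers: what a service would derive from a Keystone token.
    member = {"roles": ["member"], "project_id": "proj-a", "is_admin": False}
    operator = {"roles": ["operator"], "project_id": "proj-b", "is_admin": False}
    for who, creds in (("member", member), ("operator", operator)):
        for action in ("compute:start", "compute:stop", "compute:unlock_override"):
            print(who, action, enforce(rules, action, creds, {"project_id": "proj-a"}))
```

The takeaway matches the reply: a role such as "operator" exists in Keystone, but it can stop instances and not start them only because nova's policy file says so, and the owner/project check is expressed entirely in the service's rules rather than in Keystone.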