[openstack-dev] Recommended way of having a project admin
Adam Young
ayoung at redhat.com
Thu May 29 03:49:36 UTC 2014
On 05/28/2014 07:43 PM, Ben Nemec wrote:
> This is a development list, please ask usage questions on the users
> list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
> Thanks.
Ordinarily I would agree, but this is getting into stuff that
devs need to discuss.
> -Ben
>
> On 05/28/2014 07:58 AM, Ajaya Agrawal wrote:
>> Hi All,
>>
>> We want to introduce a role of project admin in our cloud who can add users
>> only in the project in which he is an admin. AFAIK RBAC policies are not
>> supported by keystone v2 api. So I suppose we will need to use keystone v3
>> to support the concept of project admin. But I hear things like all the
>> projects don't talk keystone v3 as of now.
>>
>> What is the recommended way of doing it?
You can use V3 operations alongside V2 just for Keystone. It does
not matter that the other projects do not honor the V3 operations, only
Keystone needs to. So limiting "add role to user and project" calls to
V3 should be fine. So long as the rule enforced for V2 is more strict
than the V3 rule, you will not have any improper elevation of privileges.
I would avoid calling the role "admin" for obvious reasons. Creating a
role named project_manager probably makes more sense.
>>
>> Cheers,
>> Ajaya
>>
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
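Added example, not part of the original thread and not Keystone's own code: a simplified evaluator for policy.json-style rule strings, showing the point made in the reply that a project-scoped project_manager rule on the V3 grant call is safe as long as the rule on the V2 call stays stricter. The action labels, the rule set and the sample credentials are constructed for illustration.

```python
# Simplified model of policy.json-style rules ("or" of "and" of kind:match checks).
# Constructed rule set; action labels are hypothetical, not Keystone's policy targets.
POLICY = {
    "admin_required": "role:admin",
    "project_manager": "role:project_manager and project_id:%(project_id)s",
    "v3:create_grant": "rule:admin_required or rule:project_manager",
    "v2:add_role_to_user": "rule:admin_required",
}

def _atom(atom, creds, target):
    """Evaluate one kind:match check against the token credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check(POLICY[match], creds, target)
    if kind == "role":
        return match in creds["roles"]
    try:
        # Generic check: credential attribute must equal the target's value.
        return creds.get(kind) == match % target
    except KeyError:
        return False  # target lacks the attribute: fail closed

def check(rule, creds, target):
    """'and' binds tighter than 'or'; no parentheses in this model."""
    return any(all(_atom(a.strip(), creds, target) for a in conj.split(" and "))
               for conj in rule.split(" or "))

def enforce(action, creds, target):
    return check(POLICY[action], creds, target)

def v2_no_looser_than_v3(samples):
    """Everything the V2 rule allows must also be allowed by the V3 rule."""
    return all(enforce("v3:create_grant", c, t)
               for c, t in samples if enforce("v2:add_role_to_user", c, t))

# Constructed sample tokens: roles plus the project the token is scoped to.
ADMIN = {"roles": ["admin"], "project_id": "A"}
PM_A = {"roles": ["project_manager"], "project_id": "A"}
MEMBER = {"roles": ["Member"], "project_id": "A"}
TARGETS = [{"project_id": "A"}, {"project_id": "B"}]
SAMPLES = [(c, t) for c in (ADMIN, PM_A, MEMBER) for t in TARGETS]

if __name__ == "__main__":
    for creds, target in SAMPLES:
        print(creds["roles"], "->", target["project_id"],
              "v3:", enforce("v3:create_grant", creds, target),
              "v2:", enforce("v2:add_role_to_user", creds, target))
    print("V2 no looser than V3:", v2_no_looser_than_v3(SAMPLES))
```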