[openstack-dev] [keystone] Request for spec freeze execption

Morgan Fainberg morgan.fainberg at gmail.com
Sat Jul 18 09:08:12 UTC 2015


This is a relatively small scope of change and seems to be worth including in Liberty. I'm ok with this exception is there are no other red flags from the core team. 

Sent via mobile

> On Jul 17, 2015, at 11:15, Henry Nash <henryn at linux.vnet.ibm.com> wrote:
> 
> Hi
> 
> Role assignment inheritance has been an extension in Keystone for a number of cycle.  With the introduction of project hierarchies (which also support assignment inheritance), we’d like to move inheritance into core.
> 
> At the same time as the move to core, we’d like to modify the way inheritance rules are applied.  When assignment inheritance was first introduced, it was designed for domain->project inheritance - and under that model, the rule was that an inherited role assigned to the domain would be applied to all the projects in the domain, but not to the domain itself.  Now that we have generalised project hierarchies, this seem to make a lot less sense…and the more standard model of the assignment being applied to its target and all the targets sub-projects makes more sense.
> 
> The proposal is, therefore, that the API we support in core (which is, by definition, different from the one in OS-INHERIT extension), will support this new model, but we will, for backward compatibility, continue to support the old extension (with the old model of inheritance), marked as deprecate, with removal no sooner than 4 cycles. Although probably not recommended from an operations usability point of view, there would be no issue mixing and matching assignments both from the core API and the extension API, during the deprecation period.
> 
> The spec for this change can be found here:  https://review.openstack.org/#/c/200434
> 
> At the next keystone IRC meeting, I’d like to discuss granting a spec freeze exception to allow this move to core.
> 
> Henry
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list