[openstack-dev] [all] Policy rules for APIs based on "domain_id"

Adam Heczko aheczko at mirantis.com
Tue Jun 20 10:07:46 UTC 2017

Hello Valeriy,
agree, that would be very useful. I think that this deserves attention and
cross project discussion.
Maybe a community goal process [2] is a valid path forward in this regard.

[2] https://governance.openstack.org/tc/goals/

On Tue, Jun 20, 2017 at 11:15 AM, Valeriy Ponomaryov <
vponomaryov at mirantis.com> wrote:

> Hello OpenStackers,
> Wanted to pay some attention to one of restrictions in OpenStack.
> It came out, that it is impossible to define policy rules for API services
> based on "domain_id".
> As far as I know, only Keystone supports it.
> So, it is unclear whether it is intended or it is just technical debt that
> each OpenStack project should
> eliminate?
> For the moment, I filed bug [1].
> Use case is following: usage of Keystone API v3 all over the cloud and
> level of trust is domain, not project.
> And if it is technical debt how much different teams are interested in
> having such possibility?
> [1] https://bugs.launchpad.net/nova/+bug/1699060
> --
> Kind Regards
> Valeriy Ponomaryov
> www.mirantis.com
> vponomaryov at mirantis.com
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Adam Heczko
Security Engineer @ Mirantis Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170620/368eed35/attachment.html>

More information about the OpenStack-dev mailing list