[openstack-dev] [all] Policy rules for APIs based on "domain_id"

Valeriy Ponomaryov vponomaryov at mirantis.com
Tue Jun 20 13:59:01 UTC 2017 

Also, one more additional kind of "feature-request" is to be able to filter
each project's entities per domain as well as we can do it with
project/tenant now.

So, as a result, we will be able to configure different "list" APIs to
return objects grouped by either domain or project.

Thoughts?

On Tue, Jun 20, 2017 at 1:07 PM, Adam Heczko <aheczko at mirantis.com> wrote:

> Hello Valeriy,
> agree, that would be very useful. I think that this deserves attention and
> cross project discussion.
> Maybe a community goal process [2] is a valid path forward in this regard.
>
> [2] https://governance.openstack.org/tc/goals/
>
> On Tue, Jun 20, 2017 at 11:15 AM, Valeriy Ponomaryov <
> vponomaryov at mirantis.com> wrote:
>
>> Hello OpenStackers,
>>
>> Wanted to pay some attention to one of restrictions in OpenStack.
>> It came out, that it is impossible to define policy rules for API
>> services based on "domain_id".
>> As far as I know, only Keystone supports it.
>>
>> So, it is unclear whether it is intended or it is just technical debt
>> that each OpenStack project should
>> eliminate?
>>
>> For the moment, I filed bug [1].
>>
>> Use case is following: usage of Keystone API v3 all over the cloud and
>> level of trust is domain, not project.
>>
>> And if it is technical debt how much different teams are interested in
>> having such possibility?
>>
>> [1] https://bugs.launchpad.net/nova/+bug/1699060
>>
>> --
>> Kind Regards
>> Valeriy Ponomaryov
>> www.mirantis.com
>> vponomaryov at mirantis.com
>>
>> ____________________________________________________________
>> ______________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Kind Regards
Valeriy Ponomaryov
www.mirantis.com
vponomaryov at mirantis.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170620/9f7d1563/attachment.html>

More information about the OpenStack-dev mailing list