[Openstack] Keystone tenants vs. Nova projects

Rouault, Jason (Cloud Services) jason.rouault at hp.com
Wed Jul 13 13:18:44 UTC 2011


If a user is bound to their default tenant, why wouldn't any role
assignments for that user in their default tenant apply?

Here is how I thought things were to work:

- User1 has TenantA as her default tenant
- User1 has been assigned RoleX for TenantA
- User1 has also been assigned RoleY for TenantB

User1 authenticates specifying TenantB, this binds User1 into the context of
TenantB. In subsequent web service requests using the token received after
authentication, the Auth component filter would decorate the headers with
RoleY.

If User1 authenticates specifying TenantA, or specifying no Tenant, this
binds User1 into the context of TenantA. The headers would then be
decorated with RoleX.

Jason

From: openstack-bounces+jason.rouault=hp.com at lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp.com at lists.launchpad.net] On
Behalf Of Ziad Sawalha
Sent: Tuesday, July 12, 2011 10:09 PM
To: Yuriy Taraday; openstack at lists.launchpad.net
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

Our goal is to support Nova use cases right now. You can provide access to
multiple tenants using a role assignment (assigning a user a role on a
specific tenant effectively binds them to that tenant).

However, this raises the issue of what the 'implied' role of a user is when
they are bound to their default tenant. So we're considering how to alter
the model to clean that up. No great solution yet. Any suggestions are
welcome.

Ziad

From: Yuriy Taraday <yorik.sar at gmail.com>
Date: Tue, 28 Jun 2011 16:59:08 +0400
To: <openstack at lists.launchpad.net>
Subject: [Openstack] Keystone tenants vs. Nova projects

Currently the Keystone model assumes that a user is bound to exactly one tenant.
This conflicts with the fact that in Nova a user can have access to several
projects.

Which way will it be?


Kind regards, Yuriy.
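
The tenant-scoped behaviour described in the 13 July message at the top of this thread, as an added sketch that is not part of the thread and not Keystone code. The function names, the in-memory tables and the header names (X-Auth-Token, X-User, X-Tenant, X-Role) are assumptions made for illustration; the sketch takes no position on the 'implied' role question and simply passes whatever roles are granted on the bound tenant.

```python
import secrets

# Constructed sample data mirroring the User1 example in the thread.
DEFAULT_TENANT = {"User1": "TenantA"}
ROLE_GRANTS = {  # (user, tenant) -> roles granted on that tenant
    ("User1", "TenantA"): {"RoleX"},
    ("User1", "TenantB"): {"RoleY"},
}
TOKENS = {}  # token id -> (user, tenant) the token is bound to
IDENTITY_HEADERS = ("X-User", "X-Tenant", "X-Role")  # assumed names


class AuthError(Exception):
    pass


def authenticate(user, tenant=None):
    """Issue a token bound to exactly one tenant (hypothetical helper)."""
    if user not in DEFAULT_TENANT:
        raise AuthError("unknown user")
    # No tenant specified: bind to the user's default tenant.
    scope = tenant or DEFAULT_TENANT[user]
    # A non-default tenant is reachable only through a role assignment on it.
    if scope != DEFAULT_TENANT[user] and not ROLE_GRANTS.get((user, scope)):
        raise AuthError(f"{user} has no role on {scope}")
    token = secrets.token_hex(16)
    TOKENS[token] = (user, scope)
    return token


def decorate_headers(request_headers):
    """Auth filter step: identity headers come from the token, not the client."""
    # Discard identity headers supplied by the caller so they cannot be spoofed.
    headers = {k: v for k, v in request_headers.items()
               if k not in IDENTITY_HEADERS}
    binding = TOKENS.get(headers.get("X-Auth-Token"))
    if binding is None:
        raise AuthError("invalid token")
    user, tenant = binding
    headers["X-User"] = user
    headers["X-Tenant"] = tenant
    # Only roles held on the token's tenant reach the downstream service,
    # so RoleX never accompanies a TenantB token and vice versa.
    roles = ROLE_GRANTS.get((user, tenant), set())
    headers["X-Role"] = ",".join(sorted(roles))
    return headers
```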
