Hi Adam

As I said in a previous post (to which Henry replied "but unfortunately that is not the way Keystone currently works", my paraphrase), we should not even be assigning roles to users to projects, as this is mixing up user-role assignments and permission-role assignments. We/keystone should simply be assigning roles to users. The service will then assign the permissions to the roles that it wants to, and I am sure that most of the complexity you are now trying to grapple with will go away, because there will be no limitations on where the roles can be used. It's up to the service to decide if a role has permissions or not.

I appreciate that this is not the way that Keystone currently works, and you may not have time to change it for Havana, but rather than trying to add more complexity to solve its current skewed model, why not try to advance down an alternative path that veers towards the classical clean RBAC model and simplification of the role assignment problem? And target on Ice for the introduction of the revised model.

regards

David

On 19/06/2013 15:36, Adam Young wrote:
So I'd like to redefine the problem definition here:

"Provide a mechanism by which role assignments can be specified for more
than one project."

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
