Hi Role assignment inheritance has been an extension in Keystone for a number of cycle. With the introduction of project hierarchies (which also support assignment inheritance), we’d like to move inheritance into core.
At the same time as the move to core, we’d like to modify the way inheritance rules are applied. When assignment inheritance was first introduced, it was designed for domain->project inheritance - and under that model, the rule was that an inherited role assigned to the domain would be applied to all the projects in the domain, but not to the domain itself. Now that we have generalised project hierarchies, this seem to make a lot less sense…and the more standard model of the assignment being applied to its target and all the targets sub-projects makes more sense. The proposal is, therefore, that the API we support in core (which is, by definition, different from the one in OS-INHERIT extension), will support this new model, but we will, for backward compatibility, continue to support the old extension (with the old model of inheritance), marked as deprecate, with removal no sooner than 4 cycles. Although probably not recommended from an operations usability point of view, there would be no issue mixing and matching assignments both from the core API and the extension API, during the deprecation period. The spec for this change can be found here: https://review.openstack.org/#/c/200434 At the next keystone IRC meeting, I’d like to discuss granting a spec freeze exception to allow this move to core. Henry __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
