On Fri, Jun 14, 2013 at 9:45 AM, David Chadwick <[email protected]> wrote:

>
> 2. Step 1b. How does the delegate know which role to request? This is
> unintuitive. A delegator (rather than delegate) knows the role he wants to
> delegate. One would normally expect the delegator to request Keystone to
> delegate this role to the named delegate, rather than the delegate asking
> for a role to be delegated to it, since it requires an out of band
> communications between the delegator and delegate to take place before the
> delegation, in which the delegator tells the delegate its un/pw and the
> role it should ask for. This seems to be a rather contrived exchange of
> messages.
>

Now that the OAuth implementation has merged, I came back to this conversation to check that everything was addressed... this issue was definitely not! I'd suggest revising the spec to delete the consumer's requested_role_ids in favor of the delegator specifying the roles to be delegated on the requested project ID. I opened a bug for tracking: https://bugs.launchpad.net/keystone/+bug/1216408

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
