I am happy with this as far as it goes. I would like to see it being made more general, where domains, services and projects can also own and name roles

regards

David

On 04/12/2013 01:51, Adam Young wrote:
> I've been thinking about your comment that "nested roles are confusing"
>
> What if we backed off and said the following:
>
> "Some role-definitions are owned by services. If a Role definition is
> owned by a service, in role assignment lists in tokens, those roles will
> be prefixed by the service name. / is a reserved character and will be
> used as the divider between segments of the role definition "
>
> That drops arbitrary nesting, and provides a reasonable namespace. Then
> a role def would look like:
>
> "glance/admin" for the admin role on the glance project.
>
> In theory, we could add the domain to the namespace, but that seems
> unwieldy. If we did, a role def would then look like this
>
> "default/glance/admin" for the admin role on the glance project.
>
> Is that clearer than the nested roles?
>
> On 11/26/2013 06:57 PM, Tiwari, Arvind wrote:
>> Hi Adam,
>>
>> Based on our discussion over IRC, I have updated the below etherpad
>> with proposal for nested role definition
>>
>> https://etherpad.openstack.org/p/service-scoped-role-definition
>>
>> Please take a look @ "Proposal (Ayoung) - Nested role definitions", I
>> am sorry if I could not catch your idea.
>>
>> Feel free to update the etherpad.
>>
>> Regards,
>> Arvind
>>
>> -----Original Message-----
>> From: Tiwari, Arvind
>> Sent: Tuesday, November 26, 2013 4:08 PM
>> To: David Chadwick; OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] [keystone] Service scoped role definition
>>
>> Hi David,
>>
>> Thanks for your time and valuable comments. I have replied to your
>> comments and tried to explain why I am advocating this BP.
>>
>> Let me know your thoughts, please feel free to update below etherpad
>> https://etherpad.openstack.org/p/service-scoped-role-definition
>>
>> Thanks again,
>> Arvind
>>
>> -----Original Message-----
>> From: David Chadwick [mailto:[email protected]]
>> Sent: Monday, November 25, 2013 12:12 PM
>> To: Tiwari, Arvind; OpenStack Development Mailing List
>> Cc: Henry Nash; [email protected]; [email protected]; Yee, Guang
>> Subject: Re: [openstack-dev] [keystone] Service scoped role definition
>>
>> Hi Arvind
>>
>> I have just added some comments to your blueprint page
>>
>> regards
>>
>> David
>>
>> On 19/11/2013 00:01, Tiwari, Arvind wrote:
>>> Hi,
>>>
>>> Based on our discussion in design summit, I have redone the service_id
>>> binding with roles BP
>>> <https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition>.
>>>
>>> I have added a new BP (link below) along with detailed use case to
>>> support this BP.
>>>
>>> https://blueprints.launchpad.net/keystone/+spec/service-scoped-role-definition
>>>
>>> Below etherpad link has some proposals for Role REST representation and
>>> pros and cons analysis
>>>
>>> https://etherpad.openstack.org/p/service-scoped-role-definition
>>>
>>> Please take a look and let me know your thoughts.
>>>
>>> It would be awesome if we can discuss it in tomorrow's meeting.
>>>
>>> Thanks,
>>>
>>> Arvind
>>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> [email protected]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
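
The namespaced role strings proposed in the quoted message ("glance/admin", "default/glance/admin", with "/" reserved as the divider), worked through as an added example that is not part of the original thread and is not Keystone code. All function names are hypothetical, and two rules are assumptions of this sketch: an unprefixed role never satisfies a service-scoped check, and malformed entries in a token's role list grant nothing.

```python
from typing import Iterable, NamedTuple, Optional

SEP = "/"  # reserved divider between segments, as proposed in the thread


class RoleRef(NamedTuple):
    domain: Optional[str]   # set only in the three-segment form
    service: Optional[str]  # None: role not owned by any service
    name: str


def check_segment(segment: str) -> str:
    """A segment must be non-empty and must not contain the divider."""
    if not segment or SEP in segment or segment != segment.strip():
        raise ValueError(f"invalid role segment: {segment!r}")
    return segment


def format_role(name: str, service: Optional[str] = None,
                domain: Optional[str] = None) -> str:
    """Build the string placed in a token's role assignment list."""
    if domain is not None and service is None:
        raise ValueError("a domain segment requires a service segment")
    parts = [p for p in (domain, service, name) if p is not None]
    # Rejecting "/" here stops an unowned role from being named "glance/admin".
    return SEP.join(check_segment(p) for p in parts)


def parse_role(token_role: str) -> RoleRef:
    """Parse 'admin', 'glance/admin' or 'default/glance/admin'."""
    parts = token_role.split(SEP)
    if len(parts) > 3:
        raise ValueError(f"arbitrary nesting not allowed: {token_role!r}")
    for part in parts:
        check_segment(part)
    return RoleRef(*([None] * (3 - len(parts)) + parts))


def has_service_role(token_roles: Iterable[str], service: str, name: str) -> bool:
    """True only if a well-formed entry is owned by `service` and named `name`."""
    for raw in token_roles:
        try:
            ref = parse_role(raw)
        except ValueError:
            continue  # fail closed: malformed entries grant nothing
        if ref.service == service and ref.name == name:
            return True
    return False
```
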
