On 05/26/2017 10:44 AM, Lance Bragstad wrote: <snip> > Interesting - I guess the way I was thinking about it was on a per-token > basis, since today you can't have a single token represent multiple > scopes. Would it be unreasonable to have oslo.context build this > information based on multiple tokens from the same user, or is that a > bad idea?
No service consumer is interacting with Tokens. That's all been abstracted away. The code in the consumers consumer is interested in is the context representation. Which is good, because then the important parts are figuring out the right context interface to consume. And the right Keystone front end to be explicit about what was intended by the operator "make jane an admin on compute in region 1". And the middle can be whatever works best on the Keystone side. As long as the details of that aren't leaked out, it can also be refactored in the future by having keystonemiddleware+oslo.context translate to the known interface. -Sean -- Sean Dague http://dague.net __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev