Vish,

Excellent idea to discuss this more widely.  To your point about domains not 
being well understood and that most policy files are just "admin or not", the 
exception here is, of course, keystone itself - where we can use domains to 
enable various levels of cloud/domain & project level admin type of 
capability via the policy file.  Although the default policy file we supply is 
a bit like the "admin or not" versions, we also supply a much richer sample for 
those who want to do admin delegation via domains:

https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

The other point is that one thing we did introduce in Havana was the concept of 
domain inheritance (where a role assigned to a domain could be specified to be 
inherited by all projects within that domain).  This was an attempt to provide 
a rudimentary "multi-ownership" capability (within our current token formats 
and policy capabilities).

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-inherit-ext.md

I'm not suggesting these solve all the issues, just that we should be aware of 
these in the upcoming discussions.

Henry
On 28 Jan 2014, at 18:35, Vishvananda Ishaya <vishvana...@gmail.com> wrote:

> Hi Everyone,
> 
> I apologize for the obtuse title, but there isn't a better succinct term to 
> describe what is needed. OpenStack has no support for multiple owners of 
> objects. This means that a variety of private cloud use cases are simply not 
> supported. Specifically, objects in the system can only be managed on the 
> tenant level or globally.
> 
> The key use case here is to delegate administration rights for a group of 
> tenants to a specific user/role. There is something in Keystone called a 
> “domain” which supports part of this functionality, but without support from 
> all of the projects, this concept is pretty useless.
> 
> In IRC today I had a brief discussion about how we could address this. I have 
> put some details and a straw man up here:
> 
> https://wiki.openstack.org/wiki/HierarchicalMultitenancy
> 
> I would like to discuss this strawman and organize a group of people to get 
> actual work done by having an irc meeting this Friday at 1600UTC. I know this 
> time is probably a bit tough for Europe, so if we decide we need a regular 
> meeting to discuss progress then we can vote on a better time for this 
> meeting.
> 
> https://wiki.openstack.org/wiki/Meetings#Hierarchical_Multitenancy_Meeting
> 
> Please note that this is going to be an active team that produces code. We 
> will *NOT* spend a lot of time debating approaches, and instead focus on 
> making something that works and learning as we go. The output of this team 
> will be a MultiTenant devstack install that actually works, so that we can 
> ensure the features we are adding to each project work together.
> 
> Vish
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
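To make the two mechanisms Henry describes concrete (domain-scoped admin rules in the policy file, and domain role assignments inherited by the domain's projects), here is an added toy model in Python. It is illustration code written for this page, not Keystone's policy engine or the sample policy file; the users, domains, projects, rule names and the choice of "default" as the admin domain are constructed assumptions loosely modelled on the shape of policy.v3cloudsample.json.

```python
# Toy model of domain-scoped admin delegation plus OS-INHERIT style role
# inheritance.  Illustration only; not Keystone code.  All identifiers below
# are constructed for the example.

ADMIN_DOMAIN = "default"   # assumption: admins of this domain are cloud admins

# Constructed role assignments: (user, target, role, inherited_to_projects)
ASSIGNMENTS = [
    ("alice", ("domain", "default"), "admin", False),   # cloud admin
    ("bob",   ("domain", "acme"),    "admin", False),   # admin of acme only
    ("carol", ("domain", "acme"),    "member", True),   # inherited by acme projects
]
# Constructed project -> owning domain map
PROJECT_DOMAIN = {"acme-web": "acme", "acme-db": "acme", "globex-web": "globex"}

def effective_roles(user, target):
    """Roles a user holds on a target: direct (non-inherited) assignments on the
    target itself plus, for a project, inherited assignments on its parent domain.
    An inherited assignment on a domain does not apply to the domain itself."""
    kind, ident = target
    roles = {r for u, t, r, inh in ASSIGNMENTS
             if u == user and t == target and not inh}
    if kind == "project":
        parent = ("domain", PROJECT_DOMAIN[ident])
        roles |= {r for u, t, r, inh in ASSIGNMENTS
                  if u == user and t == parent and inh}
    return roles

def is_cloud_admin(user):
    # Analogue of a "cloud_admin" rule: admin role scoped to the admin domain.
    return "admin" in effective_roles(user, ("domain", ADMIN_DOMAIN))

def is_domain_admin(user, domain_id):
    # Analogue of "admin_and_matching_domain_id": admin on the target's own domain.
    return "admin" in effective_roles(user, ("domain", domain_id))

def allowed(action, user, target):
    """Toy policy: cloud admins may do anything; domain admins may administer
    only their own domain and its projects; others may only read a project
    on which they hold some role (directly or by inheritance)."""
    kind, ident = target
    domain_id = ident if kind == "domain" else PROJECT_DOMAIN[ident]
    if is_cloud_admin(user):
        return True
    if action in ("update_domain", "create_project", "delete_project"):
        return is_domain_admin(user, domain_id)
    if action == "get_project":
        return is_domain_admin(user, domain_id) or bool(effective_roles(user, target))
    return False
```

The interesting checks are the negative ones: bob's admin role on acme gives him nothing in globex, and carol's inherited membership reaches acme's projects but not the acme domain object itself.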
