Hi Vinod! I think you can simplify the roles in the hierarchical model by only passing the roles for the authenticated project and above. All roles are then inherited down. This means it isn’t necessary to pass a scope along with each role. The scope is just passed once with the token and the project-admin role (for example) would be checking to see that the user has the project-admin role and that the project_id prefix matches.
There is only one case that this doesn’t handle, and that is when the user has one role (say member) in ProjA and project-admin in ProjA2. If the user is authenticated to ProjA, he can’t do project-adminy stuff for ProjA2 without reauthenticating. I think this is a reasonable sacrifice considering how much easier it would be to just pass the parent roles instead of going through all of the children. Vish On Feb 13, 2014, at 2:31 AM, Vinod Kumar Boppanna <vinod.kumar.boppa...@cern.ch> wrote: > Dear All, > > At the meeting last week we (myself and Ulrich) have been assigned the task > of doing POC for Quota Management in the Hierarchical Multitenancy setup. > > So, here it is: > > Wiki Page -> https://wiki.openstack.org/wiki/POC_for_QuotaManagement > (explained here an example setup and my thoughts) > > Code -> > https://github.com/vinodkumarboppanna/POC-For-Quotas/commit/391e9108fa579d292880c8836cadfd7253586f37 > > Please post your comments or any inputs and i hope this POC will be discussed > in this weeks meeting on Friday at 1600 UTC. > > > In addition to this, we have completed the implementation the Domain Quota > Management in Nova with V2 APIs, and if anybody interested, please have a look > > BluePrint -> > https://blueprints.launchpad.net/nova/+spec/domain-quota-driver-api > Wiki Page -> https://wiki.openstack.org/wiki/APIs_for_Domain_Quota_Driver > GitHub Code -> https://github.com/vinodkumarboppanna/DomainQuotaAPIs > > > Thanks & Regards, > Vinod Kumar Boppanna > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev