On 05/28/2014 07:43 PM, Ben Nemec wrote:
This is a development list, please ask usage questions on the users
list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Thanks.
Ordinarily I would agree, but this is getting into stuff that
devs need to discuss.
-Ben
On 05/28/2014 07:58 AM, Ajaya Agrawal wrote:
Hi All,
We want to introduce a role of project admin in our cloud who can add users
only in the project in which he is an admin. AFAIK RBAC policies are not
supported by keystone v2 api. So I suppose we will need to use keystone v3
to support the concept of project admin. But I hear things like all the
projects don't talk keystone v3 as of now.
What is the recommended way of doing it?
You can use V3 operations alongside V2 just for Keystone. It does
not matter that the other projects do not honor the V3 operations, only
Keystone needs to. So limiting "add role to user and project" calls to
V3 should be fine. So long as the rule enforced for V2 is more strict
than the V3 rule, you will not have any improper elevation of privileges.
I would avoid calling the role "admin" for obvious reasons. Creating a
role named project_manager probably makes more sense.
Cheers,
Ajaya
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
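
One way the V3 rule described in the reply could be written in Keystone's policy.json, as an added example that is not part of the original thread. The rule name project_manager_for_grants is made up for illustration, and the fragment assumes the V2 role-assignment calls stay behind the unchanged admin_required rule, which keeps V2 stricter than V3.

```json
{
    "admin_required": "role:admin or is_admin:1",

    "project_manager_for_grants": "role:project_manager and project_id:%(project_id)s",

    "identity:check_grant": "rule:admin_required or rule:project_manager_for_grants",
    "identity:list_grants": "rule:admin_required or rule:project_manager_for_grants",
    "identity:create_grant": "rule:admin_required or rule:project_manager_for_grants",
    "identity:revoke_grant": "rule:admin_required or rule:project_manager_for_grants"
}
```

The project_id check compares the project the caller's token is scoped to with the project named in the grant request, so a project_manager token scoped to one project does not match grant calls that target another project or a domain.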