There are two distinct permissions to be managed:
1. What can the user do.
2. What actions can this token be used to do.
2. is a subset of 1.
Just because I, Adam Young, have the ability to destroy the golden image
I have up on glance does not mean that I want to delegate that ability
every time I use a token.
But that is exactly the mechanism we have today.
As a user, I should not be locked in to only delegating roles. A role
may say "you can read or modify an image" but I want to only delegate
the "Read" part when creating a new VM: I want Nova to be able to read
the image I specify.
Hence, I started a spec around "capabilities" which are I think, a
different check than for RBAC.
OpenStack-dev mailing list