There are two distinct permissions to be managed:

1.  What can the user do.
2.  What actions can this token be used to do.

2. is a subset of 1.

Just because I, Adam Young, have the ability to destroy the golden image I have up on glance does not mean that I want to delegate that ability every time I use a token.

But that is exactly the mechanism we have today.

As a user, I should not be locked in to only delegating roles. A role may say "you can read or modify an image" but I want to only delegate the "Read" part when creating a new VM: I want Nova to be able to read the image I specify.

Hence, I started a spec around "capabilities" which are I think, a different check than for RBAC.

OpenStack-dev mailing list

Reply via email to