On 06/03/2015 02:44 PM, David Chadwick wrote:
> In the design that we have been building for a policy administration
> database, we don't require a single policy in order to unify common
> concepts such as hierarchical attributes and roles between the different
> policies of OpenStack services. This is because policies and hierarchies
> are held separately and are linked via a many to many relationship. My
> understanding of Adam's primary requirement was that a role hierarchy
> say, should be common across all OpenStack service policies, without
> this necessarily meaning you have to have one huge policy. And there is
> no requirement for Keystone to own all the policies. So each service
> could still own and manage its own policy, whilst having attribute
> hierarchies in common.
>
> Does this help?
>
> regards
>
> David

That part makes total sense. What concerned me is there was an
intermediary step that seemed like it was literally *one file*
(https://review.openstack.org/134656). That particular step I think is
unworkable.

By "common role hierarchy" do you mean namespaced roles for services?
Because if yes, definitely. And I think that's probably the first
concrete step moving the whole thing forward, which should be doable on
the existing static json definitions.

	-Sean

-- 
Sean Dague
http://dague.net