Liem - With the Essex release, the roles are exactly the same as they were defined in the Diablo release - to be interpreted entirely by the service. Role is not defined beyond that point. Role was originally defined as per-tenant, so an "Admin" role on the service tenant is, in effect, an "uber-admin" across all systems at this time. These accounts are, however, intended for services to be interacting agnostic of the user. Users do not, and should not, be assigned a role to this same tenant unless you're intending them to have that uber-admin permission - and that's as a side effect.

There's lots of conversation going on about the need to represent multiple roles, and have those roles relative to a number of different factors. Your own (HP's) domain suggestion is a perfect example of such. I'm looking forward to HP's talk about domains and suggestions for improving RBAC at the design summit.

-joe

On Apr 10, 2012, at 6:44 PM, Nguyen, Liem Manh wrote:

> Hi fellow Stackers,
>
> I am reading http://keystone.openstack.org/configuringservices.html, and it
> appears that for service registration, all services (or rather service users)
> reside within the same tenant with the same Admin role. So, if I understand
> it correctly, it is then possible that a service user for Nova can actually
> accidentally nuke an endpoint for a Glance service, for example? Don't we
> want isolation among services, i.e., a user owning one service may not modify
> another service that he/she did not create?
>
> Thanks,
> Liem
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
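The exchange above describes the Essex-era role semantics (roles are per-tenant, every service user sits in one service tenant with the Admin role, and the catalog treats Admin on that tenant as a global admin) and Liem's concern that one service user can therefore modify another service's endpoint. The following toy model, an added example that is not Keystone code or anything from the thread, makes both points concrete: an Essex-style check that honours only the tenant role, beside a hypothetical ownership-aware check that isolates services. All names (`SERVICE_TENANT`, `essex_style_may_modify`, `isolated_may_modify`, `audit`, `cross_service_writes`) and the sample users and endpoints are constructed for illustration.

```python
"""Toy model of the per-tenant role semantics discussed in the thread.

Constructed for illustration; this is not Keystone code. Roles are granted
per tenant, all service users live in one service tenant, and any holder of
the Admin role on that tenant is treated as a global ("uber") admin by the
catalog. A second, hypothetical check adds endpoint ownership so that one
service user cannot modify another service's registration.
"""

from dataclasses import dataclass, field

SERVICE_TENANT = "service"   # assumed name of the shared service tenant
ADMIN_ROLE = "Admin"


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # tenant name -> set of role names


@dataclass
class Endpoint:
    service: str
    url: str
    owner: str  # name of the user that registered the endpoint (hypothetical field)


def has_role(user, tenant, role):
    """True if the user holds `role` on `tenant`; roles are scoped per tenant."""
    return role in user.roles.get(tenant, set())


def essex_style_may_modify(user, endpoint):
    """Behaviour described in the thread: Admin on the service tenant is
    sufficient to modify any endpoint, whichever service it belongs to."""
    return has_role(user, SERVICE_TENANT, ADMIN_ROLE)


def isolated_may_modify(user, endpoint):
    """Hypothetical hardened check: the caller still needs Admin on the service
    tenant, but must also own the endpoint, so Nova's user cannot touch
    Glance's registration and vice versa."""
    return has_role(user, SERVICE_TENANT, ADMIN_ROLE) and endpoint.owner == user.name


def audit(users, endpoints, check):
    """Evaluate `check` for every user/endpoint pair.

    Returns {(user name, endpoint service): allowed}, which is a convenient
    shape for spotting cross-service write access in one pass."""
    return {(u.name, e.service): check(u, e) for u in users for e in endpoints}


# Constructed sample data: two service users in the service tenant and one
# ordinary user with only a Member role on her own project.
nova_svc = User("nova", {SERVICE_TENANT: {ADMIN_ROLE}})
glance_svc = User("glance", {SERVICE_TENANT: {ADMIN_ROLE}})
alice = User("alice", {"project-a": {"Member"}})

ENDPOINTS = [
    Endpoint("nova", "http://nova.example:8774/v2", owner="nova"),
    Endpoint("glance", "http://glance.example:9292/v1", owner="glance"),
]


def cross_service_writes(check):
    """(user, service) pairs where a service user may modify an endpoint
    that belongs to a different service; empty means services are isolated."""
    result = audit([nova_svc, glance_svc, alice], ENDPOINTS, check)
    return sorted(key for key, allowed in result.items()
                  if allowed and key[0] in ("nova", "glance") and key[0] != key[1])


if __name__ == "__main__":
    print("essex-style:", cross_service_writes(essex_style_may_modify))
    print("isolated:   ", cross_service_writes(isolated_may_modify))
```

Running the module prints the two Nova/Glance cross-service pairs under the Essex-style check and an empty list under the ownership-aware one. The model also shows the side effect Joe mentions: any ordinary user who is granted Admin on the service tenant passes `essex_style_may_modify` for every endpoint, which is why such assignments should be treated as global-admin grants rather than as an ordinary tenant role.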

