Re: [openstack-dev] [keystone] Request for spec freeze execption

[Morgan Fainberg]

This is a relatively small scope of change and seems to be worth including in 
Liberty. I'm ok with this exception is there are no other red flags from the 
core team. 

Sent via mobile

> On Jul 17, 2015, at 11:15, Henry Nash  wrote:
> 
> Hi
> 
> Role assignment inheritance has been an extension in Keystone for a number of 
> cycle.  With the introduction of project hierarchies (which also support 
> assignment inheritance), we’d like to move inheritance into core.
> 
> At the same time as the move to core, we’d like to modify the way inheritance 
> rules are applied.  When assignment inheritance was first introduced, it was 
> designed for domain->project inheritance - and under that model, the rule was 
> that an inherited role assigned to the domain would be applied to all the 
> projects in the domain, but not to the domain itself.  Now that we have 
> generalised project hierarchies, this seem to make a lot less sense…and the 
> more standard model of the assignment being applied to its target and all the 
> targets sub-projects makes more sense.
> 
> The proposal is, therefore, that the API we support in core (which is, by 
> definition, different from the one in OS-INHERIT extension), will support 
> this new model, but we will, for backward compatibility, continue to support 
> the old extension (with the old model of inheritance), marked as deprecate, 
> with removal no sooner than 4 cycles. Although probably not recommended from 
> an operations usability point of view, there would be no issue mixing and 
> matching assignments both from the core API and the extension API, during the 
> deprecation period.
> 
> The spec for this change can be found here:  
> https://review.openstack.org/#/c/200434
> 
> At the next keystone IRC meeting, I’d like to discuss granting a spec freeze 
> exception to allow this move to core.
> 
> Henry
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [keystone] Request for spec freeze execption

[Henry Nash]

Hi

Role assignment inheritance has been an extension in Keystone for a number of 
cycle.  With the introduction of project hierarchies (which also support 
assignment inheritance), we’d like to move inheritance into core.

At the same time as the move to core, we’d like to modify the way inheritance 
rules are applied.  When assignment inheritance was first introduced, it was 
designed for domain->project inheritance - and under that model, the rule was 
that an inherited role assigned to the domain would be applied to all the 
projects in the domain, but not to the domain itself.  Now that we have 
generalised project hierarchies, this seem to make a lot less sense…and the 
more standard model of the assignment being applied to its target and all the 
targets sub-projects makes more sense.

The proposal is, therefore, that the API we support in core (which is, by 
definition, different from the one in OS-INHERIT extension), will support this 
new model, but we will, for backward compatibility, continue to support the old 
extension (with the old model of inheritance), marked as deprecate, with 
removal no sooner than 4 cycles. Although probably not recommended from an 
operations usability point of view, there would be no issue mixing and matching 
assignments both from the core API and the extension API, during the 
deprecation period.

The spec for this change can be found here:  
https://review.openstack.org/#/c/200434

At the next keystone IRC meeting, I’d like to discuss granting a spec freeze 
exception to allow this move to core.

Henry

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev