On Wed, Jul 23, 2014 at 1:03 AM, Fei Long Wang feil...@catalyst.net.nz
wrote:
Greetings,
I'm trying to figure out if Keystone can support more granular role
management or if there is any plan to do that in the future. Currently,
AWS can support adding a role and assigning the capability from 3
different levels/perspectives: service, function and resource[1]. Keystone
can support the service level for now, but I didn't find the
function/resource level support from current code/blueprint. Am I
missing anything? Any comment is appreciated. Cheers.
Absolutely, but Keystone does not own the definition of the role (its
capabilities), which is distributed throughout the other services. So while
you can create a role in Keystone and assign it to users however you'd
like, you also have to give that role capabilities by defining policy rules
in the other services. For example, in nova's policy.json:
https://github.com/openstack/nova/blob/master/etc/nova/policy.json
[1] awspolicygen.s3.amazonaws.com/policygen.html
--
Cheers Best regards,
Fei Long Wang (王飞龙)
--
Senior Cloud Software Engineer
Tel: +64-48032246
Email: flw...@catalyst.net.nz
Catalyst IT Limited
Level 6, Catalyst House, 150 Willis Street, Wellington
--
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
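
The division of labour described in the reply, as an added sketch that is not part of the thread and is not nova or oslo.policy code: Keystone only supplies the role names in the caller's credentials, and the service's policy file decides per action, and per owning project, what those roles may do. The rule names, the `vm_operator` role and the evaluator (an OR of ANDs only, unknown actions denied) are assumptions made for illustration.

```python
import json

# Constructed policy in the policy.json rule syntax: "role:<name>",
# "rule:<alias>", "<cred attr>:%(<target attr>)s", joined by "and"/"or".
# Names are illustrative; this is not a copy of nova's file.
POLICY = json.loads("""
{
  "admin_or_owner": "role:admin or project_id:%(project_id)s",
  "compute:get":    "rule:admin_or_owner",
  "compute:start":  "rule:admin_or_owner and role:vm_operator",
  "compute:delete": "role:admin"
}
""")


def _atom(atom, creds, target, rules):
    """Evaluate one check; an empty rule always passes."""
    if atom == "":
        return True
    kind, _, match = atom.partition(":")
    if kind == "rule":   # alias for another named rule
        return match in rules and check(rules[match], creds, target, rules)
    if kind == "role":   # role names come from the Keystone token
        return match.lower() in (r.lower() for r in creds["roles"])
    try:                 # generic check: credential attribute vs. target attribute
        return str(creds.get(kind)) == match % target
    except KeyError:     # target lacks the attribute the rule refers to
        return False


def check(expr, creds, target, rules=POLICY):
    """Simplified grammar: 'and' binds tighter than 'or'; no parentheses, no 'not'."""
    return any(
        all(_atom(a.strip(), creds, target, rules) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, creds, target, rules=POLICY):
    """Deny actions that have no rule (assumption: no 'default' rule is defined)."""
    return action in rules and check(rules[action], creds, target, rules)


if __name__ == "__main__":
    operator = {"roles": ["vm_operator"], "project_id": "p1"}  # constructed credentials
    for action, project in [("compute:start", "p1"), ("compute:start", "p2"),
                            ("compute:delete", "p1")]:
        print(action, project, enforce(action, operator, {"project_id": project}))
```

Creating `vm_operator` in Keystone and assigning it to a user changes nothing until a service's policy file names it, which is why finer-grained rules live in each service rather than in Keystone.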