Re: [openstack-dev] [Keystone] Splitting up the assignment component

2014-11-26 Thread David Chadwick
I tend to agree with Morgan. There are resources and there are users. And there is something in the middle that says which users can access which resources. It might be an ACL, a RBAC role, or a set of ABAC attributes, or something else (such as a MAC policy). So to my mind this middle bit, whilst

Re: [openstack-dev] [Keystone] Splitting up the assignment component

2014-11-26 Thread Adam Young
On 11/26/2014 09:52 AM, David Chadwick wrote:
> I tend to agree with Morgan. There are resources and there are users. And there is something in the middle that says which users can access which resources. It might be an ACL, a RBAC role, or a set of ABAC attributes, or something else (such as a

Re: [openstack-dev] [Keystone] Splitting up the assignment component

2014-11-25 Thread Morgan Fainberg
On Nov 25, 2014, at 4:25 AM, Henry Nash hen...@linux.vnet.ibm.com wrote:
> Hi
> As most of you know, we have approved a spec (https://review.openstack.org/#/c/129397/) to split the assignments component up into two pieces, and the code (divided up into a series of patches) is currently