There are two distinct permissions to be managed:
1. What can the user do.
2. What actions can this token be used to do.
(2) is a subset of (1).
Just because I, Adam Young, have the ability to destroy the golden image
I have up on glance does not mean that I want to delegate that ability
every time I use a token.
But that is exactly the mechanism we have today.
As a user, I should not be locked into only delegating roles. A role
may say "you can read or modify an image" but I want to only delegate
the "Read" part when creating a new VM: I want Nova to be able to read
the image I specify.
Hence, I started a spec around "capabilities", which are, I think, a
different check than RBAC.
https://review.openstack.org/#/c/123726/
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
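The two-layer check described in the message above, as an added illustration that is not code from the post, from Keystone or from Nova: the token is issued with a capability set that must be a subset of what the user's roles allow, and enforcement requires both the user's RBAC permission and the token's scope. The role names, permission strings and the `ROLE_PERMISSIONS` map are constructed for the example.

```python
"""Toy model of capability-scoped tokens: a token's scope (what it may
be used to do) is a subset of the user's role-derived permissions, and
enforcement checks both layers on every action."""
from dataclasses import dataclass

# Constructed role -> permission map; not OpenStack's actual policy rules.
ROLE_PERMISSIONS = {
    "image_admin": {"image:get", "image:delete"},
    "member": {"image:get", "compute:create"},
}


@dataclass
class User:
    name: str
    roles: set

    def permissions(self):
        """Everything the user could do (item 1 in the post)."""
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


@dataclass
class Token:
    user: User
    capabilities: frozenset  # what this token may be used for (item 2)


def issue_token(user, requested):
    """Scope a token to `requested`; refuse anything the user cannot do."""
    requested = frozenset(requested)
    excess = requested - user.permissions()
    if excess:
        raise PermissionError(f"cannot delegate {sorted(excess)}")
    return Token(user, requested)


def enforce(token, action):
    """Both checks must pass: RBAC on the user and the token's capability scope."""
    return action in token.user.permissions() and action in token.capabilities


def demo():
    adam = User("adam", {"image_admin", "member"})
    bob = User("bob", {"member"})
    # Delegate only the read part to Nova when booting a VM.
    nova_token = issue_token(adam, {"image:get"})
    try:
        issue_token(bob, {"image:delete"})  # bob cannot delete, so cannot delegate it
        bob_can_delegate_delete = True
    except PermissionError:
        bob_can_delegate_delete = False
    return {
        "nova_can_read": enforce(nova_token, "image:get"),
        "nova_can_delete": enforce(nova_token, "image:delete"),
        "bob_can_delegate_delete": bob_can_delegate_delete,
    }
```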