Something has been struggling to the surface of my brain since our last talk.

It should not be inherited 'roles' but rather:

"users in this group should get role X in all projects in a domain."

It is the group to role mapping that we need to fix. Right now, we can add a group to a role in a specific project. What we need to be able to do is add a group to a role in all projects in a domain.

It is a slight change in emphasis. It is not "inherited roles" but rather "patterns of role assignments" with "all projects in this domain" the first implemented pattern.

We don't want to list all role assignments globally. Listing of role assignments should come from the objects involved. So I think the top level listing and the filtering of effective etc. is the wrong approach.


Right now, the APIs to assign a group to a role in a specific project and to assign a group to a role in a domain are specified. What we want is the rule to assign a group to a role in all projects in a domain:
So instead of

PUT /domains/{domain_id}/groups/{group_id}/roles/{role_id}

It would be something like

PUT /domain-all-projects/{domain_id}/users/{user_id}/roles/{role_id}

There should be no "effective" role assignments.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
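
An added sketch (not part of the original message and not OpenStack code) of the "pattern of role assignments" idea above: one rule stored on the domain gives a group a role in every project of that domain, including projects created later, without reaching other domains or granting anything on the domain itself. The class and method names are hypothetical, and evaluating the rule at lookup time is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    group_roles: set = field(default_factory=set)         # grants on the domain itself
    all_projects_rules: set = field(default_factory=set)  # pattern: every project in domain


@dataclass
class Project:
    domain_id: str
    group_roles: set = field(default_factory=set)         # grants on this project only


class Assignments:
    """Hypothetical in-memory model; assignments live on the objects involved."""

    def __init__(self):
        self.domains, self.projects, self.user_groups = {}, {}, {}

    def put_all_projects_rule(self, domain_id, group_id, role_id):
        # One rule stored on the domain; no per-project rows are written.
        self.domains[domain_id].all_projects_rules.add((group_id, role_id))

    def roles_on_project(self, user_id, project_id):
        project = self.projects[project_id]
        domain = self.domains[project.domain_id]
        groups = self.user_groups.get(user_id, set())
        # Direct project grants plus the pattern rules of the owning domain only.
        grants = project.group_roles | domain.all_projects_rules
        return {role for group, role in grants if group in groups}

    def roles_on_domain(self, user_id, domain_id):
        # The pattern targets projects, so it grants nothing on the domain itself.
        groups = self.user_groups.get(user_id, set())
        return {r for g, r in self.domains[domain_id].group_roles if g in groups}


def demo():
    # Constructed sample data: two domains, two groups, one direct grant.
    a = Assignments()
    a.domains = {"d1": Domain(), "d2": Domain()}
    a.projects = {"p1": Project("d1"), "p2": Project("d2")}
    a.user_groups = {"alice": {"ops"}, "bob": {"dev"}}
    a.projects["p1"].group_roles.add(("dev", "member"))
    a.put_all_projects_rule("d1", "ops", "admin")
    a.projects["p3"] = Project("d1")  # created after the rule was set
    return a
```
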
