Hi

In thinking about how to implement the OS-INHERIT extension as well as planning for simplification in iceHouse of all our backend grants tables, I realized we needed to rationalise the various different methodologies for getting the list of roles in the token/auth controllers (v2 local is different to v2 remote/token, which again is different to v3). This makes all this code hard to maintain - and in at least one case wrong (e.g. if your only role on a project is via group membership, authenticating using v2 will fail).
The small bp (https://blueprints.launchpad.net/keystone/+spec/authenticate-role-rationalization) and a full implementation of this is now ready for review at: https://review.openstack.org/#/c/35897/. A nice feature is that this has a negative impact on keystone code size - i.e. it removes a net of 240 odd lines of code :-)

As an aside, it was doing this work that I found the rather nasty bug of: https://bugs.launchpad.net/keystone/+bug/1197874. A fix is also posted for review at https://review.openstack.org/#/c/35739/. I think both of these should go in H2.

As a further aside, a WIP version for the OS-INHERIT extension is also posted, for anyone who wants to comment on the approach I am taking.

Henry