Hi,
I'm working on the Swift implications of using composite authorization [1] [2].

My question for Keystone developers is: what project-id do we expect the service token to be scoped to - the service's project or the end-user's project? When reviewing the Keystone spec, I had assumed the former. However, now that I'm looking at it in more detail, I would like to check my understanding.

The implications are:

1/ If scoped to the service's project, the role used must be exclusive to Glance/Cinder, i.e. an end-user must never be assigned this role. In effect, a role on one project grants the service user some privileges on every project.

2/ If scoped to the end-user's project, the Glance/Cinder service user must have a role on every project that uses them (including across domains); this seems infeasible.

Regards,
Donagh

[1] swift-specs: https://review.openstack.org/105228
[2] keystone-specs: https://review.openstack.org/#/c/96315/
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
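The two scoping options in the message above, as an added illustration that is not code from Swift, Keystone or either linked spec. The token layout, the role name `service`, and the shape of the composite check are assumptions made for this example only; they model the trade-off Donagh describes (a service-project-scoped role becomes cross-project, an end-user-project-scoped one needs an assignment per project) rather than any real policy rule:

```python
"""Toy model of the two service-token scoping options for composite authorization.

Added example, not project code. Token shape, role name and check logic are
assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a scoped Keystone token (assumed shape)."""
    user: str
    project_id: str                       # project the token is scoped to
    roles: frozenset[str] = field(default_factory=frozenset)


SERVICE_ROLE = "service"                  # hypothetical role reserved for Glance/Cinder


def check_option1(user_tok: Token, service_tok: Token, target_project: str) -> bool:
    """Option 1: the service token is scoped to the service's *own* project.

    The check cannot compare service_tok.project_id with the target project
    (they legitimately differ), so all it can ask is whether the service token
    carries the reserved role. That role therefore grants access to every
    project, which is why it must never be assigned to an end user.
    """
    return (user_tok.project_id == target_project
            and SERVICE_ROLE in service_tok.roles)


def check_option2(user_tok: Token, service_tok: Token, target_project: str) -> bool:
    """Option 2: the service token is scoped to the *end user's* project.

    Both tokens must be scoped to the target project, so the service user needs
    a role assignment on every project whose data it touches.
    """
    return (user_tok.project_id == target_project
            and service_tok.project_id == target_project
            and SERVICE_ROLE in service_tok.roles)


def needed_assignments_option2(projects: list[str]) -> set[tuple[str, str]]:
    """Under option 2 the service user needs one role assignment per project."""
    return {(SERVICE_ROLE, p) for p in projects}


def demo() -> tuple[bool, bool, bool, bool]:
    """Constructed tokens showing the consequence of each option."""
    alice = Token("alice", "proj-A", frozenset({"member"}))
    glance_own = Token("glance", "service-proj", frozenset({SERVICE_ROLE}))
    glance_in_a = Token("glance", "proj-A", frozenset({SERVICE_ROLE}))

    # Option 1: a legitimate service call succeeds...
    ok1 = check_option1(alice, glance_own, "proj-A")
    # ...but an end user who was (wrongly) given the role on an unrelated
    # project can present themselves as the "service" for any project.
    mallory = Token("mallory", "proj-M", frozenset({SERVICE_ROLE}))
    leak1 = check_option1(alice, mallory, "proj-A")

    # Option 2: a service token scoped to the service's own project is rejected...
    rejected2 = check_option2(alice, glance_own, "proj-A")
    # ...so Glance needs a token, and hence a role, on proj-A itself.
    ok2 = check_option2(alice, glance_in_a, "proj-A")
    return ok1, leak1, rejected2, ok2


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True, False, True)`: option 1 accepts the misassigned end-user token as a service token, and option 2 only works once the service holds a role on the target project.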