On 10/13/2015 12:15 AM, Shinobu Kinjo wrote:
Sorry for my lack of explanation.
Are both the scopes of admin and non-admin totally different?
Is each project not nested in admin scope like:
So, a couple of terms:

We use the term 'scope' to refer to the project. Think of this as a container that holds resources. The user is assigned a role on the project, and that determines what operations the user can perform.

However, when OpenStack started, roles were not scoped, but were global. Thus, there are many APIs where the only check is that the user has the role 'admin' and the project scope is never checked.

Because roles are defined in Keystone after install, none of the default policy files actually check any specific roles. The only role other than 'admin' that you will see in a Packstack install is that for a Member (often _member_). This role was added to standardize how we enforce policy; users used to be assigned exclusively to a project, and adding this mechanism allowed a user to access multiple projects while maintaining a single policy mechanism.

So there are some APIs where either the project scope is checked -OR- the role admin is checked.

We are not making use of hierarchical multitenancy here; your example shows project-a, b, and c nested under admin. This change would not require that.
admin {
    Some properties
    ...
    {
        ...
        project-a {
            owner-a
            ...
        }
        project-b {
            owner-b
            ...
        }
        ...
        project-x {
            owner-x
            ...
        }
    }
}
Or is "ADMIN_PROJECT_ID" a totally different flag?
It means that only a token scoped to 'admin' would (potentially) have
the role 'admin' available.
I hope you could get me -;
Shinobu
----- Original Message -----
From: "Adam Young" <ayo...@redhat.com>
To: openstack-dev@lists.openstack.org
Sent: Tuesday, October 13, 2015 12:56:54 PM
Subject: Re: [openstack-dev] Proposed solution to "Admin" ness improperly scoped:
On 10/12/2015 08:07 PM, Shinobu Kinjo wrote:
Just question.
Will be scopes of non-admin users projects in admin scoped project?
I'm sorry I don't understand what you are asking.
Shinobu
----- Original Message -----
From: "Adam Young" <ayo...@redhat.com>
To: "OpenStack Development Mailing List" <openstack-dev@lists.openstack.org>
Sent: Monday, October 12, 2015 3:38:01 AM
Subject: [openstack-dev] Proposed solution to "Admin" ness improperly scoped:
https://bugs.launchpad.net/keystone/+bug/968696/comments/39
1. Add a config value ADMIN_PROJECT_ID
2. In token creation, if ADMIN_PROJECT_ID is not None: only add the admin role to the token if the id of the scoped project == ADMIN_PROJECT_ID
Does this work?
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
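The following is an added illustration of the two points made in this thread: the legacy situation Adam describes, where a policy rule of the shape "role admin -OR- project scope" lets an unscoped 'admin' role pass the check from any project, and the proposed fix, where the 'admin' role is only placed in a token whose scoped project id equals ADMIN_PROJECT_ID. It is constructed example code, not Keystone's or any other project's implementation; the user names, project ids, role assignments and the helper functions (issue_token, admin_or_owner, can_touch) are all assumptions made up for the demonstration.

```python
"""Model of the ADMIN_PROJECT_ID proposal (constructed example, not Keystone code)."""
from dataclasses import dataclass

# Constructed sample project ids; these values are not from the thread.
ADMIN_PROJECT = "proj-admin-0001"
PROJECT_A = "proj-a"
PROJECT_B = "proj-b"

# Constructed role assignments: user -> {project id -> set of roles}.
# alice holds 'admin' on the admin project and on project-a; bob is a plain member of project-b.
ASSIGNMENTS = {
    "alice": {ADMIN_PROJECT: {"admin", "_member_"}, PROJECT_A: {"admin", "_member_"}},
    "bob": {PROJECT_B: {"_member_"}},
}


@dataclass(frozen=True)
class Token:
    """A project-scoped token: who it is for, which project it is scoped to, and its roles."""
    user: str
    project_id: str
    roles: frozenset


def issue_token(user, project_id, admin_project_id=None):
    """Build a project-scoped token from the user's assignments on that project.

    admin_project_id stands in for the proposed ADMIN_PROJECT_ID config value.
    When it is set, the 'admin' role is kept only if the scoped project is that
    project; in every other scope the role is dropped before the token is built.
    When it is None the legacy behaviour applies and 'admin' is kept wherever assigned.
    """
    roles = set(ASSIGNMENTS.get(user, {}).get(project_id, set()))
    if not roles:
        raise PermissionError(f"{user} has no role on project {project_id}")
    if admin_project_id is not None and project_id != admin_project_id:
        roles.discard("admin")
    return Token(user, project_id, frozenset(roles))


def admin_or_owner(token, target_project_id):
    """Policy rule of the shape 'role:admin or project_id:%(project_id)s'.

    The admin branch looks only at the role and never at the token's scope,
    which is the legacy check the thread describes.
    """
    return "admin" in token.roles or token.project_id == target_project_id


def can_touch(user, scoped_project, target_project, admin_project_id=None):
    """Issue a token scoped to scoped_project and run the policy check against target_project."""
    try:
        token = issue_token(user, scoped_project, admin_project_id)
    except PermissionError:
        return False
    return admin_or_owner(token, target_project)


if __name__ == "__main__":
    # Legacy: alice, scoped to project-a, passes the check for project-b via the admin branch.
    print("legacy, alice@project-a -> project-b:", can_touch("alice", PROJECT_A, PROJECT_B))
    # Proposal: the same token no longer carries 'admin', so only the owner branch can pass.
    print("proposal, alice@project-a -> project-b:", can_touch("alice", PROJECT_A, PROJECT_B, ADMIN_PROJECT))
    print("proposal, alice@admin-project -> project-b:", can_touch("alice", ADMIN_PROJECT, PROJECT_B, ADMIN_PROJECT))
```

The point the model makes visible is that the policy rule itself is unchanged in both runs; what changes is which tokens carry the 'admin' role, so an operator who wants the admin branch to apply only from the designated project gets that by filtering at token creation rather than by editing every policy file.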