As we attempt to close the gap on Bug 968696, we have to make sure we are headed forward in a path that won't get us stuck.
It seems that many people use Admin-every accounts for many things that they are not really meant for, such as performing operations that should be scoped to a project, like creating networks in Neutron or block devices in Cinder. With the service scoping of role assignments, we have both the opportunity and responsibility to rework how these operations are authorized.

Back in the time when we were discussing and engineering Hierarchical Multi-tenancy (HMT), the operators told us that they did not want to have to rescope tokens in order to provide help for their users. I remember getting this both verbally and in writing, although I cannot find the message now. If we created basic policy rules that allowed a Nova service account to list all servers (for example) but not to change those servers without getting a token scoped to that specific project, would it break a lot of tooling?

The other use case we've found is the need to clean up project-scoped resources. Once a project has been deleted in Keystone, it is impossible to get a project-scoped token to delete the resources in Cinder, Glance, and so on. It seems like these operations need to be on a per-system (service? endpoint?) basis for the foreseeable future. Is this acceptable? Are there any alternatives that people would rather see implemented?
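The split the post proposes (system-scoped read across projects, project-scoped token required to mutate, system scope for orphan cleanup) as a small added model; this is example code, not OpenStack's or oslo.policy's own, and the rule syntax, token fields and action names are constructed assumptions loosely modelled on oslo.policy:

```python
"""Toy enforcer for the scoped-policy split discussed above.

Assumptions (not from the post): a token is either system-scoped or
scoped to one project; a rule is "check and check ..." where a check is
role:<name>, system_scope, or project_id:%(project_id)s (template filled
from the target resource), similar in spirit to oslo.policy syntax.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Token:
    roles: Set[str]
    scope: str                          # "system" or "project"
    project_id: Optional[str] = None    # set only for project scope


# Constructed rule set illustrating the proposal: listing across all
# projects needs only a system-scoped admin token; changing a server needs a
# token scoped to that server's project; cleaning up resources of a deleted
# project must be system-scoped, since no project token can be issued for it.
RULES: Dict[str, str] = {
    "compute:list_all_servers": "role:admin and system_scope",
    "compute:update_server": "role:member and project_id:%(project_id)s",
    "compute:delete_orphan": "role:admin and system_scope",
}


def _check(atom: str, token: Token, target: Dict[str, str]) -> bool:
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in token.roles
    if kind == "system_scope":
        return token.scope == "system"
    if kind == "project_id":
        try:
            wanted = value % target          # expand %(project_id)s
        except KeyError:
            return False                     # target carries no project
        return token.scope == "project" and token.project_id == wanted
    raise ValueError(f"unknown check {atom!r}")


def enforce(action: str, token: Token, target: Optional[Dict[str, str]] = None) -> bool:
    """Return True if every check in the action's rule passes for this token."""
    target = target or {}
    return all(_check(a.strip(), token, target) for a in RULES[action].split(" and "))
```

With these rules a system-scoped admin can list servers and delete orphaned resources but is refused when it tries to update a server; only a token scoped to the matching project passes that check.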
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev