OpenStack Identity (keystone)

Support an additional (more standard) inheritance rule

Registered by Henry Nash

Add support (in addition to the current inheritance rule) for the more standard rule that inherited role assignments should be active on the project on which they are placed, as well as sub-projects.

After consideration, to abandon this for the following reason:

- the increased risk of confusion by introducing a new inheritance model would probably outweigh the advantage of having a more standard model.
- you can create the same affect as the standard method by using 2 assignments (one direct on the target, and one inherited that will apply to all the children of the target).
- there are some use cases where the existing inheritance model still makes sense (e.g. on a project acting as a domain)

Blueprint information

Status:
Complete
Approver:
Steve Martinelli
Priority:
Medium
Drafter:
Henry Nash
Direction:
Approved
Assignee:
Henry Nash
Definition:
Obsolete
Series goal:
Accepted for mitaka
Implementation:
Slow progress
Milestone target:
None
Started by
Steve Martinelli
Completed by
Henry Nash

Related branches

Sprints

Whiteboard

Changing the approach: the behavior will not be based on config option, but at opinionated new URL.

Gerrit topic: https://review.openstack.org/#q,topic:bp/inheritance-config,n,z

Addressed by: https://review.openstack.org/200434
    Provide config option to direct inheritance rules

Gerrit topic: https://review.openstack.org/#q,topic:bp/assignment-inherit-rule,n,z

SPFE granted in Keystone Meeting 7/21 (see: http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2015-07-21.log.html at 18:45)

(morganfainberg): This is worth a FFE but is unlikely to land prior to L3

Addressed by: https://review.openstack.org/241301
    Provide storage for new inheritance assignment

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.