Fine-Grained Access Control

Registered by Joe Savak

In a large implementation there can be many users, each having some level of access to a shared pool of resources. Not all users need that much access, though, and there are cases where access must be restricted further. V3 introduces policies, and those work for restricting access to certain capabilities (only a user with the role "admin" or group "foo" can create a server in nova, etc.). Policies bloat, however, if they need to get down to the resource level (only joe can delete server "ABC").

This blueprint (which will be expanded upon) introduces the concept of a "resource group" in an attempt to provide highly-available, easily modifiable fine-grained access control to OpenStack services.

1. The v3 core spec doesn't allow for fine-grained access control. You can force it into policy blobs, but that isn't scalable or transparent enough.
2. Identity shouldn't act as a CMDB, keeping track of and storing references to all resources.
3. Having a configurable group that represents resources across services is easier to maintain in Identity.
4. Token scope has layers (all optional):
     a. Service endpoints the token has access to
     b. Which roles the token is scoped to
     c. Which policies the token is scoped to
5. Likewise, policies should have scope:
     a. Which resource groups the policies apply to
6. Services should make a call available to introspect which servers, files, etc. make up a given resource group.
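The following is an added illustration, not code from this blueprint or from Keystone: a toy model of the design above, with resource membership held by the service (items 2 and 6), tokens carrying the optional scope layers (item 4), and a policy scoped to resource groups rather than to individual resources (item 5). The service name, group names, policy names and the rule that an empty scope layer means "unrestricted" are assumptions made for the example.

```python
"""Toy model of the resource-group design (hypothetical, not Keystone code)."""
from dataclasses import dataclass, field

# Constructed sample: the service (nova) knows which servers make up each
# resource group; Identity only ever stores the group names, not the servers.
SERVICE_RESOURCE_GROUPS = {
    "nova": {"abc-servers": {"ABC"}, "all-servers": {"ABC", "DEF"}},
}

def introspect(service, group):
    """Item 6: ask the service which resources make up a resource group."""
    return SERVICE_RESOURCE_GROUPS.get(service, {}).get(group, set())

@dataclass
class Policy:
    name: str
    action: str            # e.g. "compute:delete"
    roles: set             # roles that may perform the action (coarse PBAC)
    resource_groups: set   # item 5: groups this policy applies to

@dataclass
class Token:
    user: str
    endpoints: set = field(default_factory=set)  # item 4a (empty = any)
    roles: set = field(default_factory=set)      # item 4b
    policies: set = field(default_factory=set)   # item 4c, policy names

def is_allowed(token, policies, service, action, resource_id):
    """Decide whether the token may perform `action` on one resource.

    Assumption for this example: an empty set in a token layer means that
    layer is not restricting the token ("all optional" in the blueprint).
    """
    if token.endpoints and service not in token.endpoints:
        return False                          # endpoint scope (4a) fails
    for p in policies:
        if p.action != action:
            continue
        if token.policies and p.name not in token.policies:
            continue                          # token not scoped to policy (4c)
        if p.roles and not (p.roles & token.roles):
            continue                          # role check (4b)
        # Fine-grained part: the resource must belong to a group the policy
        # covers; no per-resource rule ("only joe can delete ABC") is needed.
        if any(resource_id in introspect(service, g) for g in p.resource_groups):
            return True
    return False

POLICIES = [Policy("delete-abc", "compute:delete", {"member"}, {"abc-servers"}),
            Policy("admin-delete", "compute:delete", {"admin"}, {"all-servers"})]
JOE = Token("joe", endpoints={"nova"}, roles={"member"}, policies={"delete-abc"})
ADMIN = Token("alice", roles={"admin"})
```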

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Blocked
Milestone target: None
Started by: Dolph Mathews
Completed by: Morgan Fainberg

Whiteboard

Current PBAC: http://i.imgur.com/hb1e3gK.png
Swift ACL: http://i.imgur.com/EhaCJXm.png

Given that a "tenant" is a "resource group", this is effectively blocked by asking every OpenStack service to store a list of owning tenants/projects for every resource, rather than just a single tenant.

This is something we will need to address in the Policy summit session in Kilo. Let's revisit this once we get to the point where we have a real direction.
