Super inherited roles and assignments

Registered by Arvind Tiwari

https://blueprints.launchpad.net/keystone/+spec/inherited-domain-roles

The above BP (already implemented in keystone) lets a cloud admin set up a one-off inherited role on a customer's domain; a cloud provider (admin user) can then scope his/her token to a customer domain and do admin work on behalf of that customer. This works well for a small-scale cloud deployment where the number of customer domains is small (in the 100s), but for a large-scale cloud deployment the one-off inherited role assignment does not scale, as the number of customer domains runs into the thousands.

To resolve this problem we want to introduce a notion of super inherited role assignments, which will work as below.

1. The cloud provider has to maintain a domain that represents an admin domain (let's call it the super domain); all cloud admins will belong to this domain.

2. A super inherited role assignment will link a subject (user/group) with a role on all domains and all projects of every domain: (user/group, role_id, "all domains", "all projects").

3. A cloud admin will scope his/her token to a customer project and gain the roles that are granted on that project through super inherited role assignments.

This will help cloud providers manage their customers and resources efficiently.
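To make the scaling argument concrete, the following is an added example (not keystone's code) that models the three kinds of assignment the blueprint compares: a direct project role, a one-off inherited domain role, and the proposed super inherited assignment. The wildcard marker, the data model, and the guard that honours a super assignment only for users whose home domain is the super domain are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL = "*"  # constructed marker meaning "all domains" / "all projects"


@dataclass(frozen=True)
class Assignment:
    actor: str               # user id (groups omitted for brevity)
    role: str
    domain: str              # concrete domain id, or ALL
    project: Optional[str]   # project id, ALL, or None for a domain-level grant
    inherited: bool = False  # domain grant inherited by the domain's projects


@dataclass
class Cloud:
    super_domain: str        # the admin ("super") domain from step 1
    project_domain: dict     # project id -> owning domain id
    user_domain: dict        # user id -> home domain id
    assignments: list = field(default_factory=list)

    def effective_roles(self, user, project):
        """Roles a token for `user` scoped to `project` carries."""
        domain = self.project_domain[project]
        roles = set()
        for a in self.assignments:
            if a.actor != user:
                continue
            if a.domain == ALL and a.project == ALL:
                # Super inherited assignment (steps 2 and 3). Assumed guard:
                # honoured only for members of the super domain, so a stray
                # wildcard grant on a customer user yields nothing.
                if self.user_domain.get(user) == self.super_domain:
                    roles.add(a.role)
            elif a.inherited and a.domain == domain and a.project is None:
                roles.add(a.role)  # one-off inherited domain role (existing BP)
            elif a.domain == domain and a.project == project:
                roles.add(a.role)  # ordinary direct project assignment
        return roles


def one_off_assignments(user, role, domains):
    """Existing approach: one inherited grant per customer domain."""
    return [Assignment(user, role, d, None, inherited=True) for d in domains]


def super_assignment(user, role):
    """Proposed approach: a single grant covering all domains and projects."""
    return Assignment(user, role, ALL, ALL)


def build_cloud(n_domains=3):
    """Constructed sample deployment: n customer domains, one project each."""
    domains = [f"cust{i}" for i in range(n_domains)]
    users = {"admin": "super", "alice": "cust0"}
    return Cloud("super", {f"{d}-proj": d for d in domains}, users), domains
```

With N customer domains the one-off approach needs N assignments while the super assignment needs one, and both yield the same roles on any customer project.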

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Arvind Tiwari
Direction: Needs approval
Assignee: Arvind Tiwari
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Dolph Mathews

Whiteboard

step 1 is implementation specific crap -- the rest is just global roles, and it would have to be done out of tree as the community has repeatedly rejected the notion. domain-wide roles are as close as we'll get.
