Cross-Tenant ACLs
Need the flexibility to support "<tenant_
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: Accepted for grizzly
- Implementation: Implemented
- Milestone target: 1.7.6
- Started by: John Dickinson
- Completed by: John Dickinson
Whiteboard
Looking at the Swift keystoneauth middleware code, the only way “<tenant ID>:<username>” and “<tenant name>:<username>” are applicable is if the given account matches “<reseller>
https:/
Lines 169-172
This means users must share the same tenant and account. This is not flexible enough to support use cases such as userA of TenantA wanting to grant read-only access to his container UserAContainer to userB of TenantB, where userB does not have or need any role association with TenantA. UserA should be able to just create the ACL “X-Container-Read: TenantB:userB”.
Furthermore, we need cross-tenant ACLs: sharing a container with users regardless of their tenant association, for example “*:<username>”. The benefit of cross-tenant ACLs is improved usability, as there is no need to look up the tenant ID/name when creating ACLs.
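The difference between the two behaviours, as an added example that is not Swift's keystoneauth code: a simplified model in which `may_read`, `parse_acl`, the `cross_tenant` switch and the identity dictionaries are all hypothetical names, and the tenant IDs are constructed.

```python
# Added illustration: a simplified model of the matching rules, not Swift's code.

def parse_acl(header_value):
    """Return (tenant, user) pairs from an X-Container-Read style value."""
    pairs = []
    for item in header_value.split(","):
        item = item.strip()
        # Skip dot-prefixed entries (e.g. referrer rules) and bare names.
        if item.startswith(".") or ":" not in item:
            continue
        tenant, user = item.split(":", 1)
        if tenant and user:
            pairs.append((tenant, user))
    return pairs


def may_read(acl_header, identity, account_tenant_id, cross_tenant):
    """Decide read access for identity (dict: tenant_id, tenant_name, user_name).

    cross_tenant=False models the restriction described above: a tenant:user
    entry only applies when the requester's tenant owns the account.
    cross_tenant=True models the requested behaviour, including "*:<username>".
    """
    if not cross_tenant and identity["tenant_id"] != account_tenant_id:
        return False
    tenants = {identity["tenant_id"], identity["tenant_name"]}
    if cross_tenant:
        tenants.add("*")  # wildcard tenant: match on user name alone
    return any(t in tenants and u == identity["user_name"]
               for t, u in parse_acl(acl_header))


# Constructed identities; IDs and names are hypothetical.
USER_B = {"tenant_id": "id-b", "tenant_name": "TenantB", "user_name": "userB"}
USER_B_IN_C = {"tenant_id": "id-c", "tenant_name": "TenantC", "user_name": "userB"}
OWNER_TENANT = "id-a"  # TenantA owns the account holding UserAContainer

if __name__ == "__main__":
    for acl, who in [("TenantB:userB", USER_B), ("*:userB", USER_B_IN_C)]:
        for mode in (False, True):
            print(acl, who["tenant_name"], "cross_tenant=%s" % mode,
                  may_read(acl, who, OWNER_TENANT, cross_tenant=mode))
```

Note that “*:userB” admits a userB token scoped to any tenant, so it grants more than “TenantB:userB” does; an ACL audit should treat the two entries differently.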
Gerrit topic: https:/
Addressed by: https:/
bp/