Update patch set 2

Patch Set 2:

(2 comments)

Patch-set: 2
Attention: {"person_ident":"Gerrit User 28271 \u003c28271@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"REMOVE","reason":"\u003cGERRIT_ACCOUNT_28271\u003e replied on the change"}
Attention: {"person_ident":"Gerrit User 7973 \u003c7973@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"ADD","reason":"\u003cGERRIT_ACCOUNT_28271\u003e replied on the change"}
This commit is contained in:
Gerrit User 28271 2024-02-08 12:17:33 +00:00 committed by Gerrit Code Review
parent 90d864ba7c
commit ad479b38d4
1 changed files with 48 additions and 0 deletions

@ -80,6 +80,30 @@
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "55b0f94e_30e8afe0",
"filename": "specs/keystone/2023.1/domain-manager-role.rst",
"patchSetId": 2
},
"lineNbr": 52,
"author": {
"id": 28271
},
"writtenOn": "2024-02-08T12:17:33Z",
"side": 1,
"message": "So aligning the persona would imply that a domain-manger has all the same rights as a project-manager.\n\nIn other words it would be `admin` -\u003e `manager` -\u003e `member` -\u003e `reader`. But it would differ in scopes. But do you plan on using the same role names on different scopes? I thought there would only be one `reader` / `member` who is always project-scoped. And one `admin` that should always be system-scoped and project-scoped.\nNow we would have a role `manager` that for on persona is only project-scoped and for another persona would be domain-scoped and project-scoped? I am concerned, that this might lead to misconfigurations.\n\nWhile domains are handled as just another openstack resource, it will create a whole new layer, which lies between the whole openstack cloud and the project layer. From security perspective I would lean towards an explicit separation between the roles that are allowed to handle resources on these layers.\n\nSo including the domain-manager into the hierarchy would be possible, if there is no need for some role, that only manages projects, groups and users in a domain.\nBut I am concerned about using the same name for different layers.",
"parentUuid": "7c5ad8cf_aae6842d",
"range": {
"startLine": 50,
"startChar": 0,
"endLine": 52,
"endChar": 44
},
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
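Review bot: The added comment's "message" (uuid 55b0f94e_30e8afe0, lineNbr 52) objects to one `manager` role name being project-scoped for one persona and domain-scoped plus project-scoped for another, but it ends without a concrete request, and the thread is stored with "unresolved": true. Suggest closing the message with the specific change wanted in the spec, such as a distinct role name for the domain layer or an explicit statement of the scopes on which `manager` may be assigned, so the misconfiguration concern can be acted on. Minor wording in the same field: "domain-manger" should read "domain-manager" and "for on persona" should read "for one persona".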
@ -171,6 +195,30 @@
},
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "ee00bcd6_c49d8d7f",
"filename": "specs/keystone/2023.1/domain-manager-role.rst",
"patchSetId": 2
},
"lineNbr": 120,
"author": {
"id": 28271
},
"writtenOn": "2024-02-08T12:17:33Z",
"side": 1,
"message": "you are right, we should allow the assigning of project managers here.",
"parentUuid": "20f41828_5e00664a",
"range": {
"startLine": 120,
"startChar": 29,
"endLine": 120,
"endChar": 45
},
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}
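Review bot: The reply in "message" (uuid ee00bcd6_c49d8d7f, lineNbr 120) agrees with the parent comment, yet the record carries "unresolved": true. If the agreement settles the point, the thread should be resolved once line 120 of specs/keystone/2023.1/domain-manager-role.rst is updated; if it is left open on purpose, the message should say what is still pending. Allowing "the assigning of project managers" changes which role assignments are permitted, so the follow-up in the spec text is worth tracking explicitly rather than leaving it implied by this reply.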