Update patch set 2
Patch Set 2: (2 comments) Patch-set: 2 Attention: {"person_ident":"Gerrit User 28271 \u003c28271@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"REMOVE","reason":"\u003cGERRIT_ACCOUNT_28271\u003e replied on the change"} Attention: {"person_ident":"Gerrit User 7973 \u003c7973@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"ADD","reason":"\u003cGERRIT_ACCOUNT_28271\u003e replied on the change"}
This commit is contained in:
parent
90d864ba7c
commit
ad479b38d4
|
@ -80,6 +80,30 @@
|
|||
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
|
||||
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
||||
},
|
||||
{
|
||||
"unresolved": true,
|
||||
"key": {
|
||||
"uuid": "55b0f94e_30e8afe0",
|
||||
"filename": "specs/keystone/2023.1/domain-manager-role.rst",
|
||||
"patchSetId": 2
|
||||
},
|
||||
"lineNbr": 52,
|
||||
"author": {
|
||||
"id": 28271
|
||||
},
|
||||
"writtenOn": "2024-02-08T12:17:33Z",
|
||||
"side": 1,
|
||||
"message": "So aligning the persona would imply that a domain-manger has all the same rights as a project-manager.\n\nIn other words it would be `admin` -\u003e `manager` -\u003e `member` -\u003e `reader`. But it would differ in scopes. But do you plan on using the same role names on different scopes? I thought there would only be one `reader` / `member` who is always project-scoped. And one `admin` that should always be system-scoped and project-scoped.\nNow we would have a role `manager` that for on persona is only project-scoped and for another persona would be domain-scoped and project-scoped? I am concerned, that this might lead to misconfigurations.\n\nWhile domains are handled as just another openstack resource, it will create a whole new layer, which lies between the whole openstack cloud and the project layer. From security perspective I would lean towards an explicit separation between the roles that are allowed to handle resources on these layers.\n\nSo including the domain-manager into the hierarchy would be possible, if there is no need for some role, that only manages projects, groups and users in a domain.\nBut I am concerned about using the same name for different layers.",
|
||||
"parentUuid": "7c5ad8cf_aae6842d",
|
||||
"range": {
|
||||
"startLine": 50,
|
||||
"startChar": 0,
|
||||
"endLine": 52,
|
||||
"endChar": 44
|
||||
},
|
||||
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
|
||||
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
||||
},
|
||||
{
|
||||
"unresolved": true,
|
||||
"key": {
|
||||
|
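Review bot: the reply recorded at lineNbr 52 (range 50 to 52 of specs/keystone/2023.1/domain-manager-role.rst) is stored with "unresolved": true, and its open question is whether the same role name is meant to be used on different scopes. The spec text at those lines should say explicitly which scopes `manager` may be assigned on, since the comment's stated concern is that one name covering both project scope and domain scope could lead to misconfigurations.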
@ -171,6 +195,30 @@
|
|||
},
|
||||
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
|
||||
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
||||
},
|
||||
{
|
||||
"unresolved": true,
|
||||
"key": {
|
||||
"uuid": "ee00bcd6_c49d8d7f",
|
||||
"filename": "specs/keystone/2023.1/domain-manager-role.rst",
|
||||
"patchSetId": 2
|
||||
},
|
||||
"lineNbr": 120,
|
||||
"author": {
|
||||
"id": 28271
|
||||
},
|
||||
"writtenOn": "2024-02-08T12:17:33Z",
|
||||
"side": 1,
|
||||
"message": "you are right, we should allow the assigning of project managers here.",
|
||||
"parentUuid": "20f41828_5e00664a",
|
||||
"range": {
|
||||
"startLine": 120,
|
||||
"startChar": 29,
|
||||
"endLine": 120,
|
||||
"endChar": 45
|
||||
},
|
||||
"revId": "f0940f651cc2ac3bfda3cb5b2b71e7079e77aea0",
|
||||
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
||||
}
|
||||
]
|
||||
}
|
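Review bot: the reply at lineNbr 120 (range 120:29 to 120:45) agrees that assigning project managers should be allowed, yet the entry is stored with "unresolved": true, so the corresponding wording change in domain-manager-role.rst is still outstanding. A follow-up patch set should carry that change to line 120 before this thread is marked resolved.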