https://etherpad.openstack.org/p/keystone-mitaka-summit-policy Policy
We made some head-way, what's the next logical step?
- Distribution of policy files from Keystone server: Either we should use the policy backend or deprecate.
- Management of Roles
- Merge role ID and Role name
- Get a standard base set of roles
- Idea 1: Virtual roles (aka role-groups): This proposes "management roles" to be created that map to "policy roles" (i.e. those that appear in a policy file)
- This is composed of three distinct things:
- Role inference (assigning one role grants a second)
- Hidden roles (an assiged role that does not show up in a token)
- Role namespaces
- Idea 2: Implied roles: This proposes a role hierarchy of policy roles
- Virtual only misses the ability to compose permissions. We were going to push this on the POlicy side, but we can start on the token issuing
- Bug 968696 (Admin not properly scoped)
- How to handle APIS not scoped to projects
- Roles for management of remote services like "add hypervisor"
- How to delete a resource where the project has been deleted
