16:05:20 <vishy> #startmeeting Hierarchical Multitenancy
16:05:21 <openstack> Meeting started Fri Apr 4 16:05:20 2014 UTC and is due to finish in 60 minutes. The chair is vishy. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:05:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:05:24 <openstack> The meeting name has been set to 'hierarchical_multitenancy'
16:06:28 <vishy> has anyone looked at wiki.openstack.org/wiki/HierarchicalMultitenancy
16:06:42 <vishy> ?
16:06:56 <vishy> #link http://wiki.openstack.org/wiki/HierarchicalMultitenancy
16:07:05 <raildo> vishy: I read this week
16:07:15 <vishy> any comments or changes?
16:07:43 <raildo> vishy: about it "Roles will be inherited down the project hierarchy tree" I was wondering how is the implementation of the inherited roles in poc. Is there anyone implementing?
16:07:56 <raildo> in "Keystone Changes"
16:08:15 <vishy> raildo: hmm i thought that it was done in the keystone patch
16:08:17 <vishy> let me look
16:09:06 <raildo> ok
16:09:25 <vishy> ah no i was wrong
16:09:35 <vishy> it appears no one has implemented that in the poc
16:10:21 <raildo> vishy: I was interested in implementing
16:10:45 <vishy> if you want to take tellesnobrega’s code and add in role inheritance it doesn’t look too hard
16:11:09 <raildo> I was reading and thinking about the design of the solution and was with out a doubt.
16:11:15 <vishy> you could also add in passing both hierarchical_ids and hierarchical_names and separate with ascii 0x30 if you want
16:11:26 <raildo> https://docs.google.com/document/d/1mYLb_goIVK3VKrITqyKLGHTh7t_UEjgZTBx-QTz__Mc/edit?usp=sharing
16:13:03 <raildo> If you can have a look, summarizing my question is that it should will be automatic inheritance of all the roles of a parent project, or if the user will choose which roles are inherited.
16:13:35 <vishy> raildo: that makes sense
16:13:52 <vishy> having an optional inherited flag
16:14:34 <vishy> #link https://docs.google.com/document/d/1mYLb_goIVK3VKrITqyKLGHTh7t_UEjgZTBx-QTz__Mc/edit?usp=sharing
16:14:50 <raildo> vishy: Then the user must add the roles that are inherited, right?
16:15:06 <vishy> #info raildo suggests an inherited flag for roles which would control whether the role is inherited down the tree.
16:16:23 <vishy> added a note to the wiki
16:16:42 <raildo> ok
16:16:50 <raildo> vishy: I'll start with the implementation and hope to have something done for next week. =]
16:17:06 <vishy> #action raildo to implement inherited roles in the poc
16:17:15 <vishy> #topic design summit
16:17:35 <vishy> I proposed a session for cross project implementations
16:17:39 <vishy> #link http://summit.openstack.org/cfp/details/219
16:17:53 <vishy> there are also two other related sessions
16:18:01 <raildo> sounds good to me
16:18:19 <vishy> #link http://summit.openstack.org/cfp/details/62
16:18:23 <vishy> which is for keystone
16:18:39 <vishy> #link http://summit.openstack.org/cfp/details/58
16:18:44 <vishy> for nova (about domains)
16:19:30 <vishy> i also made some notes on there linking them to each other
16:19:33 <vishy> the domain one might end up spending time on hierarchical projects as well
16:19:49 <vishy> depending on the consensus about whether projects other than keystone should know about domains
16:20:22 <vishy> raildo: i like your suggestion about non-inheritance
16:20:30 <vishy> i’m thinking specifically about a role like CloudAdmin
16:20:59 <vishy> I could potentially see situations where the CloudAdmin could do special things that aren’t about a given resource
16:21:29 <vishy> or a resource that isn’t tenant specific like create shared provider networks in neutron
16:21:45 <vishy> so for safety reasons it might be good to have CloudAdmin not inherit down the tree
16:22:05 <raildo> +1
16:22:15 <vishy> whereas a general capability like a role for attach_floating_ip
16:22:21 <vishy> you would probably want that to inherit
16:23:05 <vishy> ok good
16:23:11 <vishy> anything else?
16:23:15 <raildo> I believe that if a CloudAdmin will make any changes to a project, simply add a new role as a ProjectAdmin
16:24:24 <raildo> for me, it's done
16:26:16 <vishy> ok
16:26:19 <vishy> #endmeeting