Bug 1041914

Summary: [RFE][keystone]: Allow a token to be scoped to many projects in the v3 spec
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: jlennox, markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/make-project-unbounded-v3
Whiteboard: upstream_milestone_none upstream_status_not-started upstream_definition_obsolete
Doc Type: Enhancement
Last Closed: 2015-03-09 01:12:38 UTC

Description RHOS Integration 2013-12-12 20:03:10 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/make-project-unbounded-v3.

Description:

In v2 of keystone, the tenant is unbounded with respect to the token:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/docbkx/common/xsd/token.xsd#L57

In v3 of keystone, a token can only be scoped to 1 project (renamed from tenant in this version):
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#authenticate-post-tokens

In following the contract for v2 explicitly, we are allowing in our implementation the ability to access multiple default tenants upon authentication. The other method (going from unscoped to a direct one-tenant scope) works as well.

The change to 1 project per token makes it difficult for us to adopt v3. 

I'd like the v3 contract to indicate a list of projects that the token is scoped to. This flexibility in the contract will help us migrate users to v3. This isn't a request to change the reference implementation, just the contract.

Specification URL (additional information):

None
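The v3 contract the description contrasts with v2, worked through as an added example (this is not code from the bug report, the blueprint, or Keystone itself). It builds the v3 password and token-rescope request bodies from the linked v3 spec, shows what a v2-style "many default tenants on one login" becomes under v3 (one rescope, hence one token, per project), and implements the check a service makes against a token response: scope must be exactly one project object. All user names, project IDs, token IDs and the sample response bodies are constructed for the example.

```python
"""Keystone v3 token scoping: one project per token (added example, not
Keystone code). Request and response shapes follow the v3 API spec the
bug links; every user, project and token value below is constructed."""
import json


def v3_password_auth(user_name, password, user_domain_id, project_id=None):
    """Build a v3 POST /v3/auth/tokens body. Without project_id the token
    comes back unscoped; with it, scoped to exactly that one project."""
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "domain": {"id": user_domain_id},
                        "password": password,
                    }
                },
            }
        }
    }
    if project_id is not None:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    return body


def v3_rescope(unscoped_token_id, project_id):
    """Exchange an unscoped token for one scoped to a single project
    (the v3 'token' auth method)."""
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": unscoped_token_id}},
            "scope": {"project": {"id": project_id}},
        }
    }


def plan_multi_project_access(unscoped_token_id, project_ids):
    """What a v2-style login that granted many default tenants turns into
    under v3: one rescope request, and therefore one token, per project."""
    return {pid: v3_rescope(unscoped_token_id, pid) for pid in project_ids}


def token_scope(token_response):
    """Classify a v3 token response body as ('project', id), ('domain', id)
    or ('unscoped', None). Anything other than a single project object is
    rejected, because the v3 contract allows exactly one."""
    tok = token_response["token"]
    if "project" in tok:
        project = tok["project"]
        if not isinstance(project, dict) or "id" not in project:
            raise ValueError("v3 token.project must be a single project object")
        return ("project", project["id"])
    if "domain" in tok:
        return ("domain", tok["domain"]["id"])
    return ("unscoped", None)


def authorize_for_project(token_response, requested_project_id):
    """The check a v3 service performs when a request names a project:
    the token must be scoped to that project, and only that one.
    Unscoped and domain-scoped tokens are refused."""
    kind, scoped_id = token_scope(token_response)
    return kind == "project" and scoped_id == requested_project_id


# Constructed sample bodies of a 201 from POST /v3/auth/tokens (the token
# ID itself travels in the X-Subject-Token header, not in the body).
SAMPLE_PROJECT_TOKEN = {"token": {
    "methods": ["password"],
    "expires_at": "2013-12-13T20:03:10.000000Z",
    "user": {"id": "u-alice", "name": "alice", "domain": {"id": "default", "name": "Default"}},
    "project": {"id": "p-1", "name": "proj-one", "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "r-member", "name": "member"}],
}}
SAMPLE_UNSCOPED_TOKEN = {"token": {
    "methods": ["password"],
    "expires_at": "2013-12-13T20:03:10.000000Z",
    "user": {"id": "u-alice", "name": "alice", "domain": {"id": "default", "name": "Default"}},
}}
# The shape this RFE asks for: a list of projects. Not valid under v3.
SAMPLE_MULTI_PROJECT_TOKEN = {"token": {
    "methods": ["password"],
    "user": {"id": "u-alice", "name": "alice"},
    "project": [{"id": "p-1"}, {"id": "p-2"}],
}}

if __name__ == "__main__":
    unscoped_id = "constructed-unscoped-token-id"
    for pid, req in plan_multi_project_access(unscoped_id, ["p-1", "p-2"]).items():
        print(pid, json.dumps(req))
    print(token_scope(SAMPLE_PROJECT_TOKEN), authorize_for_project(SAMPLE_PROJECT_TOKEN, "p-2"))
```

The migration path this implies for a v2 deployment that hands out several default tenants is the two-step flow the description already mentions: authenticate once unscoped, then rescope per project, and hand each service the token scoped to the project the request targets. `authorize_for_project` is the reason the single-project invariant matters to consumers: a service that receives a token can decide on the one project it names without consulting anything else.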

Comment 2 Jamie Lennox 2015-03-09 01:12:38 UTC
This is not on the roadmap. So much of OpenStack auth management relies on the concept of one token per project. 

This has been closed upstream.