Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/super-inherited-roles-and-assignments.

Description:

https://blueprints.launchpad.net/keystone/+spec/inherited-domain-roles

The above BP (which is already implemented in keystone) helps a cloud admin set up a one-off inherited role on a customer's domain. This way a cloud provider (admin user) can scope his/her token to a customer domain and do some admin work on behalf of the customer. This solution works well for small-scale cloud deployments, where the number of customer domains is small (in the 100s), but for large-scale cloud deployments this solution (one-off inherited role assignment) is not scalable, as the number of customer domains is in multiples of 1000s.

To resolve this problem we want to introduce a notion of super inherited role assignments, which will work as below.

1. The cloud provider has to maintain a domain which will represent an admin domain (let's call it the super domain); all the cloud admins will belong to this domain.
2. A super inherited role assignment will link up a subject (user/group) with a role on all domains, all projects of a particular domain: (user/group, role_id, "all domains", "all projects").
3. A cloud admin will scope his/her token to a customer project and can gain roles which are given through super inherited role assignments on a project.

This will help cloud providers to efficiently manage their customers and resources.

Specification URL (additional information): None
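
The model in steps 1 to 3, as an added example that is not Keystone code and not part of the blueprint: it resolves the roles a project-scoped token would carry, and audits for super inherited rows that reach users outside the super domain. All names and sample data are constructed, and the rule that only super-domain users gain super inherited roles is an assumption the blueprint does not state.

```python
from dataclasses import dataclass

ALL = "*"               # stands for "all domains" / "all projects"
SUPER_DOMAIN = "super"  # the admin domain from step 1 (name is hypothetical)

@dataclass(frozen=True)
class Assignment:
    subject: str        # user or group id
    role: str
    domain: str         # a customer domain id, or ALL for a super inherited row

# Constructed sample data, not from a real deployment.
PROJECT_DOMAIN = {"proj-a1": "cust-a", "proj-b1": "cust-b"}
USER_DOMAIN = {"ops-alice": SUPER_DOMAIN, "cust-bob": "cust-a"}
GROUP_MEMBERS = {"cloud-admins": {"ops-alice"}}
ASSIGNMENTS = [
    Assignment("cust-bob", "member", "cust-a"),    # one-off inherited domain role
    Assignment("cloud-admins", "admin", ALL),      # super inherited (step 2)
    Assignment("cust-bob", "admin", ALL),          # mis-grant outside the super domain
]

def members(subject):
    """Users covered by a subject: group members, or the user itself."""
    return GROUP_MEMBERS.get(subject, {subject})

def effective_roles(user, project, assignments=ASSIGNMENTS):
    """Roles carried by a token that `user` scopes to `project` (step 3)."""
    roles = set()
    for a in assignments:
        if user not in members(a.subject):
            continue
        if a.domain == ALL:
            # Assumed guard: only super-domain users gain super inherited roles.
            if USER_DOMAIN.get(user) == SUPER_DOMAIN:
                roles.add(a.role)
        elif a.domain == PROJECT_DOMAIN[project]:
            roles.add(a.role)
    return roles

def misplaced_super_grants(assignments=ASSIGNMENTS):
    """Audit: super inherited rows that reach a user outside the super domain."""
    return [a for a in assignments if a.domain == ALL
            and any(USER_DOMAIN.get(u) != SUPER_DOMAIN for u in members(a.subject))]

if __name__ == "__main__":
    for user in USER_DOMAIN:
        for project in PROJECT_DOMAIN:
            print(user, project, sorted(effective_roles(user, project)))
    print("misplaced:", misplaced_super_grants())
```

A single wildcard row gives the admin group its role on every customer project, which is the scaling gain the blueprint is after; the same property makes each such row worth auditing, since one mis-grant spans the whole cloud.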