
openstack team mailing list archive

[KeyStone] Should there be any RoleRefs?

 

In the process of creating a separate backend, I found several obstacles that
I believe should be removed.
One of them is RoleRefs.
As I suggest, there should be no such thing at all. At least they should be
isolated in the SQL backend, which implements the relation between tenants, roles and
users through a separate table with four columns.
It should be cleaner to show this dependency to the user in our REST interface as
/tenants/tenant_id/roles/role_id/users/user_id and pass to the backend just this
id-triplet. If someone wants to GET all roles in all tenants that the user
has, there can be a URL like users/user_id/roles for this. But data
manipulation should not be done through the users collection.
The basic idea is to clearly represent collections and items in these
collections in the REST interface and server logic.

Kind regards, Yuriy.
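
The routing proposed in the message above, sketched as an added example; it is not part of the original message and is not Keystone code. The class name, the `dispatch` function, the status codes and the ID character set are all assumptions made for illustration.

```python
import re


class RoleAssignmentBackend:
    """Hypothetical backend that knows only (tenant_id, role_id, user_id)."""

    def __init__(self):
        self._grants = set()

    def grant(self, tenant_id, role_id, user_id):
        self._grants.add((tenant_id, role_id, user_id))

    def revoke(self, tenant_id, role_id, user_id):
        self._grants.discard((tenant_id, role_id, user_id))

    def has(self, tenant_id, role_id, user_id):
        return (tenant_id, role_id, user_id) in self._grants

    def roles_for_user(self, user_id):
        # Read-only view across all tenants, as (tenant_id, role_id) pairs.
        return sorted((t, r) for (t, r, u) in self._grants if u == user_id)


# Assumption: IDs use a conservative character set, so a path segment can
# never smuggle in "/" or other separators.
_ID = r"[A-Za-z0-9_-]+"
ITEM = re.compile(rf"/tenants/({_ID})/roles/({_ID})/users/({_ID})")
USER_ROLES = re.compile(rf"/users/({_ID})/roles")


def dispatch(backend, method, path):
    """Map a request to the backend; returns (status, body)."""
    m = ITEM.fullmatch(path)
    if m:
        triplet = m.groups()  # the id-triplet is all the backend receives
        if method == "PUT":
            backend.grant(*triplet)
            return 204, None
        if method == "DELETE":
            backend.revoke(*triplet)
            return 204, None
        if method == "GET":
            return (200, None) if backend.has(*triplet) else (404, None)
        return 405, None
    m = USER_ROLES.fullmatch(path)
    if m:
        # The users collection is a read-only view; writes are refused here.
        if method != "GET":
            return 405, None
        return 200, backend.roles_for_user(m.group(1))
    return 404, None
```
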