
openstack team mailing list archive

keystone-admin-role question

 

Hi,

Looking at the Keystone code, I found something that doesn't make sense to
me. Looking at the __validate_service_or_keystone_admin_token
<https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510>
method, Keystone-admin-role is valid only if it isn't associated with any tenant
(role_ref.tenant_id is None), so a user has the Admin role for all tenants or
none. Is this the expected behavior? Is it possible to grant the Admin role for
a specific tenant in any way? I think it would be more flexible to be able to
grant the role to a specific tenant too, but I suppose there is a good reason for
this, isn't there?

Bye
