Not in Essex. When we discussed the Domains blueprint, one issue that I
brought up was nested groups/projects. That would solve your problem. It
is not currently being developed.
Ok. I can deal with handling tens of thousands of tokens, but I need
some way to ensure a user doesn't need to continuously authenticate
when changing between projects. I'm totally fine saving a long-lived
token that can be used for authentication, then re-authenticating with
that token to receive other project tokens. This way the web interface can use
the long-lived token on the user's behalf for authentication between projects.
I definitely want to solve this legitimately for Folsom or Grizzly as
this completely breaks my use case (and likely the use case of most
private cloud users).
Again, this is really a group nesting problem. I am not sure if the domain
blueprint would help you out here:
https://review.openstack.org/#/c/8114/
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
http://etherpad.openstack.org/keystone-domains
I can likely live with adding/removing admins from groups. I'd prefer
not to, but we require this to some extent right now anyway. I'd
definitely like to resolve this by Grizzly at least, though.
- Ryan