As Identity I want Repose to apply RCN level roles so that we can connect multiple domains to a single RCN.
(Part of account management / seamless experience; Identity release 3.12 is due early July. Our target date is to release in June so that Identity can consume and test with it.)
Single domain: admin user, domain, tenants and roles are all on a single level. Seamless wants to connect multiple domains to a single RCN. Domain-level roles are not associated with a tenant. Tenant-level actions happen at the tenant level. The problem is that with RCN-level roles, if a user in domain A switches to domain B, the (non-tenanted?) roles in domain B must not bleed over to domain A.
Our calls to Identity will carry an ?apply_rcn_roles query parameter; validate, endpoint and groups calls made with this parameter will ensure every (non-tenanted?) role is associated with every tenant on domain B.
Clients that want this behaviour add the query parameter to their requests.
Put in another way:
Domain is a collection of users. There is an admin for each domain that can create users.
There's a concept of an "RCN" that combines domains. Some users have access that spans domains but still belong to a specific domain. The issue is that "role1" (a non-tenanted role) in one domain must not apply to any other domain.
Tenant IDs are not unique across domains.
- Need to support turning this on or off; the default is off
- The flag is sent on Identity calls that ask for RCN-level roles
- The flag is simply the presence of the query parameter
- All Keystone logic applies to the role (Keystone v2)
- The Keystone v3 filter will be updated at some point in the future.
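As an added illustration, not Repose's or Identity's own code, the following Python models the two behaviours described above: adding the flag to an outbound Identity call as a bare query parameter (presence only, default off), and scoping non-tenanted roles to the tenants of the requested domain so that roles from another domain in the same RCN never bleed across. The configuration knob, the sample domains, tenants and roles are assumptions constructed for this example.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed knob, not a real Repose setting: apply RCN-level roles, default off.
APPLY_RCN_ROLES_DEFAULT = False

# Constructed sample RCN: two domains; tenant "t1" exists in both to show that
# tenant IDs are not unique across domains.
SAMPLE_TENANTS = {"A": ["t1", "t2"], "B": ["t1", "t3"]}
SAMPLE_ROLES = [
    {"name": "role1", "domain": "A", "tenant": None},      # non-tenanted role in A
    {"name": "observer", "domain": "B", "tenant": "t3"},   # tenant-level role in B
    {"name": "role2", "domain": "B", "tenant": None},      # non-tenanted role in B
]


def build_identity_url(base_url, apply_rcn_roles=APPLY_RCN_ROLES_DEFAULT):
    """Append the bare apply_rcn_roles flag to a validate/endpoint/groups call.

    Identity treats the mere presence of the parameter as the flag, so no
    value is attached, and an already-present flag is not duplicated.
    """
    query = urlsplit(base_url).query
    if not apply_rcn_roles:
        return base_url
    if any(k == "apply_rcn_roles" for k, _ in parse_qsl(query, keep_blank_values=True)):
        return base_url
    return base_url + ("&" if query else "?") + "apply_rcn_roles"


def effective_roles(domain_id, roles, tenants, apply_rcn_roles=APPLY_RCN_ROLES_DEFAULT):
    """Return (domain, role, tenant) triples that apply to a request for domain_id.

    Roles from other domains in the same RCN are dropped so they never bleed
    across domains. With the flag on, every non-tenanted role of domain_id is
    associated with every tenant of that domain; with it off, the role stays
    domain-level (tenant None).
    """
    out = []
    for role in roles:
        if role["domain"] != domain_id:
            continue
        if role["tenant"] is not None:
            out.append((domain_id, role["name"], role["tenant"]))
        elif apply_rcn_roles:
            out.extend((domain_id, role["name"], t) for t in tenants[domain_id])
        else:
            out.append((domain_id, role["name"], None))
    return out
```

Running effective_roles("B", SAMPLE_ROLES, SAMPLE_TENANTS, True) yields role2 on both of B's tenants while role1 from domain A is absent; with the flag off, role2 stays a domain-level entry with no tenant.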