)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c88e1952147131b37a1f5557926db7f7794f0230","unresolved":false,"context_lines":[{"line_number":14,"context_line":"Co-Authored-By: Rodrigo Duarte \u003crodrigods@lsd.ufcg.edu.br\u003e"},{"line_number":15,"context_line":"Co-Authored-By: Andrey Brito \u003candrey@dsc.ufcg.edu.br\u003e"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"bp reseller"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I52509d08a945653b9d692022f1df0e59f6407f8f"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"3a961159_e28e0732","line":17,"updated":"2015-01-09 21:47:04.000000000","message":"Implements: blueprint reseller","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"}],"specs/kilo/reseller.rst":[{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a  a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_7e2624bc","line":16,"updated":"2014-12-08 13:29:14.000000000","message":"...of selling a piece of their clouds?\n\nI can\u0027t see the idea here. 
Public cloud providers will have the possibility to sell a piece (a part looks even better) of their clouds?","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a  a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_d76e0fc9","line":16,"in_reply_to":"3a961159_7e2624bc","updated":"2014-12-08 18:54:36.000000000","message":"Hi Irina, Imagine that \"selling a piece (or a part)\" is like you can give a project/domain for a user customer, and you can set the quota for this project (the part of you cloud) and tour costumer can reseller this quotas, creating others project/domain in this hierarchy.\n\nIt is more clear?","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud 
providers"},{"line_number":17,"context_line":"the option of selling a  a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_be096c2e","line":17,"updated":"2014-12-08 13:29:14.000000000","message":"there is a problem with \u0027a  a\u0027. I believe, it should look like \u0027a piece of his cloud.","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a  a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_775f1b0f","line":17,"in_reply_to":"3a961159_be096c2e","updated":"2014-12-08 18:54:36.000000000","message":"I\u0027ll fix that. 
Thank you!","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":66,"context_line":"  property is immutable. In other words, if a project has became a domain,"},{"line_number":67,"context_line":"  won\u0027t be possible to rollback this change. However, this constraint should"},{"line_number":68,"context_line":"  have a way to be easily deactivated in case makes sense for future changes"},{"line_number":69,"context_line":"  in this concept."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_de5c7828","line":67,"updated":"2014-12-08 13:29:14.000000000","message":"it will not be possible","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":66,"context_line":"  property is immutable. In other words, if a project has became a domain,"},{"line_number":67,"context_line":"  won\u0027t be possible to rollback this change. 
However, this constraint should"},{"line_number":68,"context_line":"  have a way to be easily deactivated in case makes sense for future changes"},{"line_number":69,"context_line":"  in this concept."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_979ba7c8","line":67,"in_reply_to":"3a961159_de5c7828","updated":"2014-12-08 18:54:36.000000000","message":"Done","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":65,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":66,"context_line":"  property is immutable. In other words, if a project has became a domain,"},{"line_number":67,"context_line":"  won\u0027t be possible to rollback this change. However, this constraint should"},{"line_number":68,"context_line":"  have a way to be easily deactivated in case makes sense for future changes"},{"line_number":69,"context_line":"  in this concept."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_3e4bbc5a","line":68,"updated":"2014-12-08 13:29:14.000000000","message":"maybe: in case future changes require the rollback.\nWhat do you think?","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":65,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":66,"context_line":"  property is immutable. 
In other words, if a project has became a domain,"},{"line_number":67,"context_line":"  won\u0027t be possible to rollback this change. However, this constraint should"},{"line_number":68,"context_line":"  have a way to be easily deactivated in case makes sense for future changes"},{"line_number":69,"context_line":"  in this concept."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_57e77f40","line":68,"in_reply_to":"3a961159_3e4bbc5a","updated":"2014-12-08 18:54:36.000000000","message":"The Keystone community think that we can\u0027t rollback this functionality, but If we need change to do this action, that is a simple modification.","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":100,"context_line":"None"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Developer Impact"},{"line_number":103,"context_line":"----------------"},{"line_number":104,"context_line":"A new column in the Project Table representing that this project will now"},{"line_number":105,"context_line":"become a domain."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_1e6520e1","line":103,"updated":"2014-12-08 13:29:14.000000000","message":"I think, Developer Impact heading should be followed with a blank line.","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":100,"context_line":"None"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Developer Impact"},{"line_number":103,"context_line":"----------------"},{"line_number":104,"context_line":"A new column in the Project Table representing that this project will now"},{"line_number":105,"context_line":"become a domain."},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_77e47b3b","line":103,"in_reply_to":"3a961159_1e6520e1","updated":"2014-12-08 18:54:36.000000000","message":"Done","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":108,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Assignee(s)"},{"line_number":111,"context_line":"-----------"},{"line_number":112,"context_line":"Primary assignee:"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Raildo Mascena \u003craildo\u003e"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_3e62dcd8","line":111,"updated":"2014-12-08 13:29:14.000000000","message":"See my comment above, please.","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"3. 
Domains and projects can\u0027t have the same name;"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"4. When requested a domain scoped token, provide a dual scoped token,"},{"line_number":135,"context_line":"   referencing the project which holds that domain;"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"5. Create a constraint to ensure that the domain parent will always be another"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_3eb9fc2e","line":134,"updated":"2014-12-08 13:29:14.000000000","message":"when a domain-scoped token is requested, ...","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"4. When requested a domain scoped token, provide a dual scoped token,"},{"line_number":135,"context_line":"   referencing the project which holds that domain;"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"5. Create a constraint to ensure that the domain parent will always be another"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_37c11381","line":134,"in_reply_to":"3a961159_3eb9fc2e","updated":"2014-12-08 18:54:36.000000000","message":"Done","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":13082,"name":"Irina","email":"ipovolotskaya@mirantis.com","username":"ipovolotskaya"},"change_message_id":"ebc5771fd5d9f18b3781873ed2515e092faf418f","unresolved":false,"context_lines":[{"line_number":134,"context_line":"4. 
When requested a domain scoped token, provide a dual scoped token,"},{"line_number":135,"context_line":"   referencing the project which holds that domain;"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"5. Create a constraint to ensure that the domain parent will always be another"},{"line_number":138,"context_line":"   domain;"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"6. One time that set to True, we need to make the \u0027domain-ness\u0027 property"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_3e901c95","line":137,"updated":"2014-12-08 13:29:14.000000000","message":"maybe: parent domain?","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"92c1365e43c9063260bc9e163854c4f8dff7da25","unresolved":false,"context_lines":[{"line_number":134,"context_line":"4. When requested a domain scoped token, provide a dual scoped token,"},{"line_number":135,"context_line":"   referencing the project which holds that domain;"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"5. Create a constraint to ensure that the domain parent will always be another"},{"line_number":138,"context_line":"   domain;"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"6. 
One time that set to True, we need to make the \u0027domain-ness\u0027 property"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a961159_77bb9b0e","line":137,"in_reply_to":"3a961159_3e901c95","updated":"2014-12-08 18:54:36.000000000","message":"Done","commit_id":"74783d96a66c7110f2df2a955aa1bd60ba473646"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":9,"context_line":"Reseller Use Case"},{"line_number":10,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":11,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_974c23ca","line":8,"updated":"2014-12-11 06:21:31.000000000","message":"Put \u0027\u003d\u0027 until title\u0027s right bound, i.e 17x \u0027\u003d\u0027","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":" 
http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":9,"context_line":"Reseller Use Case"},{"line_number":10,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":11,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_f4cf0c54","line":8,"in_reply_to":"3a961159_974c23ca","updated":"2014-12-11 18:12:46.000000000","message":"Done","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_17e753ad","line":16,"updated":"2014-12-11 06:21:31.000000000","message":"I\u0027d rewrite to something like:\n\n[...] 
private clouds, besides giving to public cloud [...]","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_f4f62c8e","line":16,"in_reply_to":"3a961159_17e753ad","updated":"2014-12-11 18:12:46.000000000","message":"Done","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem 
Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_77017737","line":17,"updated":"2014-12-11 06:21:31.000000000","message":"Cannot they already do this?\nNeeds some clarification. Here I think you want to say something like: [...] the option of selling a piece of his cloud that, in turn, can be resold.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds and gives to public cloud providers"},{"line_number":17,"context_line":"the option of selling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_542d40fd","line":17,"in_reply_to":"3a961159_77017737","updated":"2014-12-11 18:12:46.000000000","message":"Done","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Problem 
Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Use Case 1:"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"* Resellers"},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_d7978bea","line":22,"updated":"2014-12-11 06:21:31.000000000","message":"Do we have a Use Case 2?","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Use Case 1:"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"* Resellers"},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_144738bd","line":22,"in_reply_to":"3a961159_d7978bea","updated":"2014-12-11 18:12:46.000000000","message":"We have two more use case and they are in the lines 45 e 46.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* Sam - Development Manager from 
SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe has"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_f7c3a7ea","line":32,"updated":"2014-12-11 06:21:31.000000000","message":"I think lines 22-32 could be summarized as: \u0027* Reseller Use Case\u0027.\n\nThere is no need to specify the roles of each actor, since the description below is quite complete and clear.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. 
Joe has"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_344994b7","line":32,"in_reply_to":"3a961159_f7c3a7ea","updated":"2014-12-11 18:12:46.000000000","message":"I\u0027m just following a kind of partner that i see in other specs, like K2K Federation.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":53,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":54,"context_line":"with the project, allowing to distribute users in any point of the hierarchy,"},{"line_number":55,"context_line":"instead of only in a single, root, domain. With this implementation, we\u0027ll"},{"line_number":56,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":57,"context_line":"and a project that behaves like a domain, where one can create users, roles"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_97a8a321","line":54,"updated":"2014-12-11 06:21:31.000000000","message":"That\u0027s not actually true. 
It looks like we are allowed to create a domain under a project, since we can distribute users in **any** point of the hierarchy.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":53,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":54,"context_line":"with the project, allowing to distribute users in any point of the hierarchy,"},{"line_number":55,"context_line":"instead of only in a single, root, domain. With this implementation, we\u0027ll"},{"line_number":56,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":57,"context_line":"and a project that behaves like a domain, where one can create users, roles"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_14e3b8a4","line":54,"in_reply_to":"3a961159_97a8a321","updated":"2014-12-11 18:12:46.000000000","message":"I\u0027ll clarify this.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":53,"context_line":"the project\u0027s hierarchy. 
To achieve this, the domains construct will be merged"},{"line_number":54,"context_line":"with the project, allowing to distribute users in any point of the hierarchy,"},{"line_number":55,"context_line":"instead of only in a single, root, domain. With this implementation, we\u0027ll"},{"line_number":56,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":57,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":58,"context_line":"and groups."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_3771afe0","line":55,"updated":"2014-12-11 06:21:31.000000000","message":"Well, we don\u0027t see a lot of abbreviations like we\u0027ll in specs :)","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":54,"context_line":"with the project, allowing to distribute users in any point of the hierarchy,"},{"line_number":55,"context_line":"instead of only in a single, root, domain. 
With this implementation, we\u0027ll"},{"line_number":56,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":57,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":58,"context_line":"and groups."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* It will also be possible to update an existing project to make it behave like"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_d7330b12","line":57,"updated":"2014-12-11 06:21:31.000000000","message":"So this work is related to domain-roles [1]?\nIf so, maybe we need to add some dependency/reference in this spec.\n\n[1] https://review.openstack.org/#/c/133855/9/specs/kilo/domain-roles.rst","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":54,"context_line":"with the project, allowing to distribute users in any point of the hierarchy,"},{"line_number":55,"context_line":"instead of only in a single, root, domain. 
With this implementation, we\u0027ll"},{"line_number":56,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":57,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":58,"context_line":"and groups."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* It will also be possible to update an existing project to make it behave like"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_943968f4","line":57,"in_reply_to":"3a961159_d7330b12","updated":"2014-12-11 18:12:46.000000000","message":"Yes, this spec is related to domain-roles, but this is not a dependency, because we can manage the role assignments in Hierarchical Multitenancy without the domain roles implementation. \n\nWe can use the role assignments as they work today, and the best approach is to use inherited role assignments to projects.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":66,"context_line":"  property is immutable. In other words, if a project has became a domain,"},{"line_number":67,"context_line":"  it will not be possible to rollback this change. 
However, this constraint"},{"line_number":68,"context_line":"  should have a way to be easily deactivated in case makes sense for future"},{"line_number":69,"context_line":"  changes in this concept."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Alternatives"},{"line_number":72,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_f71f276a","line":69,"updated":"2014-12-11 06:21:31.000000000","message":"Maybe need to clarify \u0027in case makes sense for future changes in this concept.\u0027","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"9ff7a67d466e34469714f766931c3dd4b41e80fa","unresolved":false,"context_lines":[{"line_number":142,"context_line":"   immutable;"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"* Note: For details about role assignments in the hierarchy, see the domain"},{"line_number":145,"context_line":"  role spec: https://review.openstack.org/#/c/133855"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Dependencies"},{"line_number":148,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_5215693e","line":145,"updated":"2014-12-11 06:21:31.000000000","message":"When you say role assignments in the hierarchy, it sounds like inherited role assignments. 
I think you should clarify that you\u0027re talking about domain roles, which are domain scope roles that can be defined by the domain admin in a way that fit better his/her needs.","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0143b021b3c2dacc9f75c4f2e87412e872e9d6f6","unresolved":false,"context_lines":[{"line_number":142,"context_line":"   immutable;"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"* Note: For details about role assignments in the hierarchy, see the domain"},{"line_number":145,"context_line":"  role spec: https://review.openstack.org/#/c/133855"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Dependencies"},{"line_number":148,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a961159_8f6cf5d1","line":145,"in_reply_to":"3a961159_5215693e","updated":"2014-12-11 18:12:46.000000000","message":"For now, Inherited role assignments is a way to resolve the role assignments in Hierarchical Multitenancy. In a future, domain roles can be a better solution for this.\n\nI\u0027ll rephrase this. :)","commit_id":"69e76dc5ed722be9e6a1c737ccdd190be85527af"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"1e75d1c7fb033f4bacad51a0c52fc3b1877a364f","unresolved":false,"context_lines":[{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"4. 
When a domain scoped token is requested, provide a dual scoped token,"},{"line_number":134,"context_line":"   referencing the project which holds that domain;"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_ce0b1822","line":133,"updated":"2014-12-15 07:24:55.000000000","message":"What is a \u0027dual scoped token\u0027 - a token scoped to both a domain and a project? If so, doesn\u0027t it affect the general structure of tokens?","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"24096c33dcac9fe7fb981d32d8bf4925ff23a5ff","unresolved":false,"context_lines":[{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"4. When a domain scoped token is requested, provide a dual scoped token,"},{"line_number":134,"context_line":"   referencing the project which holds that domain;"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_148d23d3","line":133,"in_reply_to":"3a961159_ce0b1822","updated":"2014-12-15 14:31:49.000000000","message":"Yes, a dual scoped token, is a token scoped for domain and project. Maybe we have to change the structure of tokens, I think that we have to change the \"target\" or the token. 
I need to explain more about this here.","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"4e5a625b6703c0bd78a448bdd394696141f16370","unresolved":false,"context_lines":[{"line_number":139,"context_line":"6. One time that set to True, we need to make the \u0027domain-ness\u0027 property"},{"line_number":140,"context_line":"   immutable;"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_72c20c54","line":142,"updated":"2014-12-14 20:21:18.000000000","message":"typo: assingments\nMaybe adding \u0027mechanism\u0027 in: \u0027role assignments mechanism\u0027 \nAlso, are we only considering granting roles to users? What about groups? Could be: \u0027for users and groups\u0027","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"24096c33dcac9fe7fb981d32d8bf4925ff23a5ff","unresolved":false,"context_lines":[{"line_number":139,"context_line":"6. 
One time that set to True, we need to make the \u0027domain-ness\u0027 property"},{"line_number":140,"context_line":"   immutable;"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_d4ad5b32","line":142,"in_reply_to":"3a961159_72c20c54","updated":"2014-12-15 14:31:49.000000000","message":"You\u0027re right. I\u0027ll add \"and groups\" in this phrase.","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"4e5a625b6703c0bd78a448bdd394696141f16370","unresolved":false,"context_lines":[{"line_number":140,"context_line":"   immutable;"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_1298e876","line":143,"updated":"2014-12-14 20:21:18.000000000","message":"Think this sentence could be 
rewrite.","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"4e5a625b6703c0bd78a448bdd394696141f16370","unresolved":false,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_3293245c","line":144,"updated":"2014-12-14 20:21:18.000000000","message":"s/manager/manage","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"24096c33dcac9fe7fb981d32d8bf4925ff23a5ff","unresolved":false,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: 
https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_14a44349","line":144,"in_reply_to":"3a961159_3293245c","updated":"2014-12-15 14:31:49.000000000","message":"Done","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"4e5a625b6703c0bd78a448bdd394696141f16370","unresolved":false,"context_lines":[{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_72992c78","line":145,"updated":"2014-12-14 20:21:18.000000000","message":"s/retaled do/related to\ns/managment/management","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"24096c33dcac9fe7fb981d32d8bf4925ff23a5ff","unresolved":false,"context_lines":[{"line_number":142,"context_line":"* Note: Today we can use the current role assingments to grant roles for users"},{"line_number":143,"context_line":"  in the hierarchy, for a better usability, We recomend use inherited roles"},{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a 
spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_34669f2a","line":145,"in_reply_to":"3a961159_72992c78","updated":"2014-12-15 14:31:49.000000000","message":"Done","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"4e5a625b6703c0bd78a448bdd394696141f16370","unresolved":false,"context_lines":[{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Dependencies"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_127f0816","line":147,"updated":"2014-12-14 20:21:18.000000000","message":"Grosso modo, I think the paragraph above needs to be rewritten.\nAlso, I think it deserves a subsection in \u0027Proposed Change\u0027.\nIt could start with something like:\n\u0027Regarding role assignments management, it will be possible to use ....\u0027","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"24096c33dcac9fe7fb981d32d8bf4925ff23a5ff","unresolved":false,"context_lines":[{"line_number":144,"context_line":"  assignments to manager the access control for the users, but exists a spec"},{"line_number":145,"context_line":"  retaled do domain roles, that can improve this role managment in Hierarchical"},{"line_number":146,"context_line":"  Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Dependencies"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3a961159_147b63be","line":147,"in_reply_to":"3a961159_127f0816","updated":"2014-12-15 14:31:49.000000000","message":"Ok, I\u0027ll add something about that.","commit_id":"07de979082d257230e2ab1dffbdfe6c84fa53393"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"b1c6fbc2c5bd2a3ab2518683fed3b7fc391f5468","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":69,"context_line":"  inherited role assingment to manage the grant beetween user/groups and the"},{"line_number":70,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":71,"context_line":"  this assignment control with this functionality."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3a961159_367a1f88","line":70,"updated":"2014-12-15 16:25:00.000000000","message":"maybe rephrase the sentence with:\n\n\"There is a spec targeting the domain roles feature\"","commit_id":"776e9bc2cf8d64c24fb57359acf61dd232872a62"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"865a72fcbd667829cc7d59e283a6fefbed0b486c","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":69,"context_line":"  inherited role assingment to manage the grant beetween user/groups and the"},{"line_number":70,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":71,"context_line":"  this assignment control with this functionality."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3a961159_163a8398","line":70,"in_reply_to":"3a961159_367a1f88","updated":"2014-12-15 16:31:35.000000000","message":"Done","commit_id":"776e9bc2cf8d64c24fb57359acf61dd232872a62"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"d99ba6c8286c935e7995b39709665a4808e06890","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Others Use Cases:"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* Contracting parties"},{"line_number":46,"context_line":"* Mergers/aquisitions"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_21db711c","line":45,"updated":"2014-12-17 14:31:34.000000000","message":"Are these use cases a part of this spec or just supporting material that will belong in another spec? 
If this spec will implement these use cases they would be documented here as well.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2da46b1da79c6735e01525f50232c69554ac2dc4","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Others Use Cases:"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* Contracting parties"},{"line_number":46,"context_line":"* Mergers/aquisitions"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_24ad3f89","line":45,"in_reply_to":"3a961159_21db711c","updated":"2014-12-17 14:52:05.000000000","message":"This spec will just implement the reseller use case, I just saying that we can implement others use cases like that. Do you think that I need to explain this Use cases here or It\u0027s better remove this use cases?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"98af3b12a2b659304d1199581e092fe8f2518083","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Others Use Cases:"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* Contracting parties"},{"line_number":46,"context_line":"* Mergers/aquisitions"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_c4eb9b76","line":45,"in_reply_to":"3a961159_24ad3f89","updated":"2014-12-17 16:35:55.000000000","message":"I would remove them because you never actually say they are not implemented by the 
spec.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b99a700d04f5f9c9b7e1aaddc6727bebde1f280b","unresolved":false,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Others Use Cases:"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"* Contracting parties"},{"line_number":46,"context_line":"* Mergers/aquisitions"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_65eadaad","line":45,"in_reply_to":"3a961159_c4eb9b76","updated":"2014-12-17 20:26:16.000000000","message":"Done","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"d99ba6c8286c935e7995b39709665a4808e06890","unresolved":false,"context_lines":[{"line_number":51,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":52,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":53,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":54,"context_line":"instead of only in a single, root, domain. 
With this implementation, we\u0027ll"},{"line_number":55,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":56,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":57,"context_line":"and groups."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_c1eb8d76","line":54,"updated":"2014-12-17 14:31:34.000000000","message":"I don\u0027t think the commas are necessary around root.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2da46b1da79c6735e01525f50232c69554ac2dc4","unresolved":false,"context_lines":[{"line_number":51,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":52,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":53,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":54,"context_line":"instead of only in a single, root, domain. 
With this implementation, we\u0027ll"},{"line_number":55,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":56,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":57,"context_line":"and groups."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_24e7ff41","line":54,"in_reply_to":"3a961159_c1eb8d76","updated":"2014-12-17 14:52:05.000000000","message":"Done","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"6d17593cb31e479694b69f1a8caba8050bdf753d","unresolved":false,"context_lines":[{"line_number":66,"context_line":"  it will not be possible to rollback this change."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":69,"context_line":"  inherited role assingment to manage the grant beetween user/groups and the"},{"line_number":70,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":71,"context_line":"  this assignment control with this functionality."},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_ae1cbac2","line":69,"updated":"2014-12-17 07:20:58.000000000","message":"assignment","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"7f3a1ca52891cdecee059d6d1f421429e2cd1a4c","unresolved":false,"context_lines":[{"line_number":66,"context_line":"  it will not be possible to rollback this change."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":69,"context_line":"  inherited role assingment to manage the grant beetween user/groups and the"},{"line_number":70,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":71,"context_line":"  this assignment control with this functionality."},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_9efe456a","line":69,"in_reply_to":"3a961159_ae1cbac2","updated":"2014-12-17 13:08:15.000000000","message":"Done","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"d99ba6c8286c935e7995b39709665a4808e06890","unresolved":false,"context_lines":[{"line_number":104,"context_line":"Developer Impact"},{"line_number":105,"context_line":"----------------"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":108,"context_line":"  become a domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a user request a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_a144c174","line":107,"updated":"2014-12-17 14:31:34.000000000","message":"Is this better than having domains owned by domains and leaving projects and users attached to a domain?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"98af3b12a2b659304d1199581e092fe8f2518083","unresolved":false,"context_lines":[{"line_number":104,"context_line":"Developer Impact"},{"line_number":105,"context_line":"----------------"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":108,"context_line":"  become a domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a 
user request a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_75ffef01","line":107,"in_reply_to":"3a961159_041be31c","updated":"2014-12-17 16:35:55.000000000","message":"We talked about this in chat. I misunderstood what domain-ness actually meant. I thought it was a project that acted like a domain instead of a project. It is actually a project that acts like a domain and a project.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b99a700d04f5f9c9b7e1aaddc6727bebde1f280b","unresolved":false,"context_lines":[{"line_number":104,"context_line":"Developer Impact"},{"line_number":105,"context_line":"----------------"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":108,"context_line":"  become a domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a user request a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_2507f282","line":107,"in_reply_to":"3a961159_75ffef01","updated":"2014-12-17 20:26:16.000000000","message":"Done","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2da46b1da79c6735e01525f50232c69554ac2dc4","unresolved":false,"context_lines":[{"line_number":104,"context_line":"Developer Impact"},{"line_number":105,"context_line":"----------------"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":108,"context_line":"  become a 
domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a user request a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_041be31c","line":107,"in_reply_to":"3a961159_a144c174","updated":"2014-12-17 14:52:05.000000000","message":"I think that with just one table, its more simple the maintainability and the consistency. Imagine that I update the name of this project, if I have a table for project and other for domain, for the same project domainess, I need to update in two tables, and others things.\n\nSo I think this is better than having two tables to represent domain and project.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"d99ba6c8286c935e7995b39709665a4808e06890","unresolved":false,"context_lines":[{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":108,"context_line":"  become a domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a user request a domain scoped token, we will send a dual scoped token"},{"line_number":111,"context_line":"  for domain and project."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_0159155b","line":110,"updated":"2014-12-17 14:31:34.000000000","message":"s/request/requests/","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2da46b1da79c6735e01525f50232c69554ac2dc4","unresolved":false,"context_lines":[{"line_number":107,"context_line":"* A new column in the Project Table representing that this project will 
now"},{"line_number":108,"context_line":"  become a domain."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* When a user request a domain scoped token, we will send a dual scoped token"},{"line_number":111,"context_line":"  for domain and project."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_a4ca0f9f","line":110,"in_reply_to":"3a961159_0159155b","updated":"2014-12-17 14:52:05.000000000","message":"Done","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"98af3b12a2b659304d1199581e092fe8f2518083","unresolved":false,"context_lines":[{"line_number":137,"context_line":""},{"line_number":138,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"4. When a domain scoped token is requested for a project with the domainess"},{"line_number":141,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":142,"context_line":"   project which holds that domain). Additionally, the project and domain have"},{"line_number":143,"context_line":"   the same ID, which means that role assignments will be applied for a single"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_3562c7d8","line":140,"updated":"2014-12-17 16:35:55.000000000","message":"So when a domain token is requested the user will specify the project id (one with domain-ness) as the domain they want scoped? 
Does this mean that domain lookups will look into the domain table first and then fall back to the project table?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b99a700d04f5f9c9b7e1aaddc6727bebde1f280b","unresolved":false,"context_lines":[{"line_number":137,"context_line":""},{"line_number":138,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"4. When a domain scoped token is requested for a project with the domainess"},{"line_number":141,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":142,"context_line":"   project which holds that domain). Additionally, the project and domain have"},{"line_number":143,"context_line":"   the same ID, which means that role assignments will be applied for a single"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_2598d21a","line":140,"in_reply_to":"3a961159_3562c7d8","updated":"2014-12-17 20:26:16.000000000","message":"We are proposing to drop the domain table. 
So, when I request a domain scoped token, Keystone will go to the project table and look for a project with the domainess flag enabled whose parent_id is None (so this is a root domain) or whose parent_id is another domain.\n\nWe are just changing the way that domains work, not including a new call to get a domain.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8978,"name":"Marek Denis","email":"marek.denis+openstack@gmail.com","username":"marek-denis"},"change_message_id":"6d17593cb31e479694b69f1a8caba8050bdf753d","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_2e5fea73","line":178,"updated":"2014-12-17 07:20:58.000000000","message":"technically both domain, even with identical ID, will be two objects in the database (and in different tables) ?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2da46b1da79c6735e01525f50232c69554ac2dc4","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": 
["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_a4abef87","line":178,"in_reply_to":"3a961159_2158d155","updated":"2014-12-17 14:52:05.000000000","message":"When you say collisions, you are say when I\u0027ll do the sql migration?\n\nCollisions like domain have the same name to a project?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"7f3a1ca52891cdecee059d6d1f421429e2cd1a4c","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_ab990270","line":178,"in_reply_to":"3a961159_2e5fea73","updated":"2014-12-17 13:08:15.000000000","message":"No.\n\n* When creating a domain, keystone will also create a project that has a matching id.\n* For all existing  domains, A sql migration will create a project with an id that matches the domain id.\n* A sql migration will initialize parent_project_id for any other projects that do not have parent_project_id set to match their domain_id.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b99a700d04f5f9c9b7e1aaddc6727bebde1f280b","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                
\"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_2566122a","line":178,"in_reply_to":"3a961159_90d3895e","updated":"2014-12-17 20:26:16.000000000","message":"The project domainess its just one entity (one object) that behavior like a project and like a domain.","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"98af3b12a2b659304d1199581e092fe8f2518083","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_552f5388","line":178,"in_reply_to":"3a961159_a4abef87","updated":"2014-12-17 16:35:55.000000000","message":"Existing records can have the same ID already right?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"98af3b12a2b659304d1199581e092fe8f2518083","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": 
\"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_90d3895e","line":178,"in_reply_to":"3a961159_a4abef87","updated":"2014-12-17 16:35:55.000000000","message":"Yes. Are we saying that every project with domain-ness will also have a domain?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"d99ba6c8286c935e7995b39709665a4808e06890","unresolved":false,"context_lines":[{"line_number":175,"context_line":"            \"links\": {"},{"line_number":176,"context_line":"                \"self\": \"http://identity:35357/v3/projects/1789d1\""},{"line_number":177,"context_line":"            },"},{"line_number":178,"context_line":"            \"name\": \"project-x\""},{"line_number":179,"context_line":"        },"},{"line_number":180,"context_line":"        \"roles\": ["},{"line_number":181,"context_line":"            {"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3a961159_2158d155","line":178,"in_reply_to":"3a961159_ab990270","updated":"2014-12-17 14:31:34.000000000","message":"What will you do is there are collisions?","commit_id":"dd129a34759fb3ebb6489f68da3d75b176b1ec96"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and 
projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds, besides giving to public cloud"},{"line_number":17,"context_line":"providers the option of reselling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_3f967df0","line":17,"updated":"2015-01-09 04:33:34.000000000","message":"s/his/their\nto be in accordance with \u0027public cloud providers\u0027 (plural)","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds, besides giving to public cloud"},{"line_number":17,"context_line":"providers the option of reselling a piece of his cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"},{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_67c94925","line":17,"in_reply_to":"3a961159_3f967df0","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros 
Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"**Actors**"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"* Martha - owner of ProductionIT"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"},{"line_number":31,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_bf898dcb","line":28,"updated":"2015-01-09 04:33:34.000000000","message":"Owner, with uppercase O, just to be in accordance with Joe and Sam (Development Manager)","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"**Actors**"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"* Martha - owner of ProductionIT"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"},{"line_number":31,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_87ce352c","line":28,"in_reply_to":"3a961159_bf898dcb","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and 
delete"},{"line_number":38,"context_line":"resources across WidgetMaster. Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop; Joe can manage users, projects and quotas"},{"line_number":40,"context_line":"in WidgetMaster as well as Sam in SuperDevShop. She also needs to ensure that"},{"line_number":41,"context_line":"Joe cannot see or manipulate anything owned by Sam."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_ff7dd5b2","line":40,"updated":"2015-01-09 04:33:34.000000000","message":"\u0027Joe can manage users, projects and quotas in WidgetMaster as well as Sam in SuperDevShop.\u0027\n\nThis is redundant with what is said in lines 36-38. Maybe removing this sentence and modifying the sentences at lines 33-34 by the following would be better:\n\nJoe *and Sam have* multiple QA and Development teams with many users. *They need* the ability to create users, ...\n\n\nFeel free to take this suggestion or not.","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"},{"line_number":38,"context_line":"resources across WidgetMaster. Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop; Joe can manage users, projects and quotas"},{"line_number":40,"context_line":"in WidgetMaster as well as Sam in SuperDevShop. 
She also needs to ensure that"},{"line_number":41,"context_line":"Joe cannot see or manipulate anything owned by Sam."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_a7ea5172","line":40,"in_reply_to":"3a961159_ff7dd5b2","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":38,"context_line":"resources across WidgetMaster. Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop; Joe can manage users, projects and quotas"},{"line_number":40,"context_line":"in WidgetMaster as well as Sam in SuperDevShop. She also needs to ensure that"},{"line_number":41,"context_line":"Joe cannot see or manipulate anything owned by Sam."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_7f3805ee","line":41,"updated":"2015-01-09 04:33:34.000000000","message":"Can Sam see or manipulate anything owned by Joe?\n\nMaybe we need to make this sentence more generic:\n\n\u0027Joe and Sam cannot see or manipulate anything owned by each other.\u0027","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":38,"context_line":"resources across WidgetMaster. 
Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop; Joe can manage users, projects and quotas"},{"line_number":40,"context_line":"in WidgetMaster as well as Sam in SuperDevShop. She also needs to ensure that"},{"line_number":41,"context_line":"Joe cannot see or manipulate anything owned by Sam."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_07e245a0","line":41,"in_reply_to":"3a961159_7f3805ee","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  it will not be possible to rollback this change."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_9f12115f","line":64,"updated":"2015-01-09 04:33:34.000000000","message":"s/assingment/assignments\ns/grant/grants","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  it will not be possible to rollback this change."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_47b9ad7b","line":64,"in_reply_to":"3a961159_9f12115f","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_51033d0c","line":65,"updated":"2015-01-09 04:33:34.000000000","message":"s/hierarchy/project hierarchy","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. 
Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_67bea966","line":65,"in_reply_to":"3a961159_51033d0c","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Alternatives"},{"line_number":69,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_512a5d7e","line":66,"updated":"2015-01-09 04:33:34.000000000","message":"I would rephrase this last sentence with:\n\nThere is a spec that proposes domain roles, that can be used to improve assignment control at domain level.\n\nOr you can even remove this sentence, since you are already telling the same thing in a NOTE section at the end of this spec.","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":63,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":64,"context_line":"  inherited role assignment to manage the grant beetween user/groups and the"},{"line_number":65,"context_line":"  hierarchy. Exist a spec about domain roles, so in a future, we can improve"},{"line_number":66,"context_line":"  this assignment control with this functionality."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Alternatives"},{"line_number":69,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_87b39599","line":66,"in_reply_to":"3a961159_512a5d7e","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":100,"context_line":"----------------"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":103,"context_line":"  become a domain."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"},{"line_number":106,"context_line":"  for domain and project."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_51517d0c","line":103,"updated":"2015-01-09 04:33:34.000000000","message":"Maybe: \u0027A new column in the Project Table representing that a project behaves like a 
domain.\u0027","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":100,"context_line":"----------------"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"* A new column in the Project Table representing that this project will now"},{"line_number":103,"context_line":"  become a domain."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"},{"line_number":106,"context_line":"  for domain and project."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_27a4a14a","line":103,"in_reply_to":"3a961159_51517d0c","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":132,"context_line":""},{"line_number":133,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"4. When a domain scoped token is requested for a project with the domainess"},{"line_number":136,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":137,"context_line":"   project which holds that domain). 
Additionally, the project and domain have"},{"line_number":138,"context_line":"   the same ID, which means that role assignments will be applied for a single"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_d13c8dc1","line":135,"updated":"2015-01-09 04:33:34.000000000","message":"s/domainess/domain-ness","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":132,"context_line":""},{"line_number":133,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"4. When a domain scoped token is requested for a project with the domainess"},{"line_number":136,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":137,"context_line":"   project which holds that domain). 
Additionally, the project and domain have"},{"line_number":138,"context_line":"   the same ID, which means that role assignments will be applied for a single"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_07a7a551","line":135,"in_reply_to":"3a961159_d13c8dc1","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":201,"context_line":"                \"self\": \"http://identity:35357/v3/users/0ca8f6\""},{"line_number":202,"context_line":"            },"},{"line_number":203,"context_line":"            \"name\": \"Joe\""},{"line_number":204,"context_line":"        }"},{"line_number":205,"context_line":"        }"},{"line_number":206,"context_line":"    }"},{"line_number":207,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_115a951d","line":204,"updated":"2015-01-09 04:33:34.000000000","message":"Perhaps we need indentation + 1 to what is inside token {}","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":206,"context_line":"    }"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"},{"line_number":210,"context_line":"   domain;"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"6. 
One time that set to True, we need to make the \u0027domain-ness\u0027 property"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_519fbdb3","line":209,"updated":"2015-01-09 04:33:34.000000000","message":"s/the parent domain/the parent of a domain","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":206,"context_line":"    }"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"},{"line_number":210,"context_line":"   domain;"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"6. One time that set to True, we need to make the \u0027domain-ness\u0027 property"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_e7053916","line":209,"in_reply_to":"3a961159_519fbdb3","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":209,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"},{"line_number":210,"context_line":"   domain;"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"6. 
One time that set to True, we need to make the \u0027domain-ness\u0027 property"},{"line_number":213,"context_line":"   immutable;"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* Note: Today we can use the current role assignments mechanism to grant roles"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_f1b50932","line":212,"updated":"2015-01-09 04:33:34.000000000","message":"s/One time that/Once","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":209,"context_line":"5. Create a constraint to ensure that the parent domain will always be another"},{"line_number":210,"context_line":"   domain;"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"6. One time that set to True, we need to make the \u0027domain-ness\u0027 property"},{"line_number":213,"context_line":"   immutable;"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* Note: Today we can use the current role assignments mechanism to grant roles"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_8206231b","line":212,"in_reply_to":"3a961159_f1b50932","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* Note: Today we can use the current role assignments mechanism to grant roles"},{"line_number":216,"context_line":"  in the hierarchy for users and groups, for a better usability to manage 
the"},{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_5186dd65","line":217,"updated":"2015-01-09 04:33:34.000000000","message":"s/adn/and\n\ns/use inherited roles assignments implementation/the use of inherited role assignments","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":214,"context_line":""},{"line_number":215,"context_line":"* Note: Today we can use the current role assignments mechanism to grant roles"},{"line_number":216,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_a20b1f23","line":217,"in_reply_to":"3a961159_5186dd65","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros 
Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":216,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"},{"line_number":221,"context_line":"  in Hierarchical Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_d1d80d81","line":219,"updated":"2015-01-09 04:33:34.000000000","message":"s/hierarchy/subtree","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":216,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"},{"line_number":221,"context_line":"  in Hierarchical Multitenancy: 
https://review.openstack.org/#/c/133855"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_021a336f","line":219,"in_reply_to":"3a961159_d1d80d81","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"},{"line_number":221,"context_line":"  in Hierarchical Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_f1e34931","line":220,"updated":"2015-01-09 04:33:34.000000000","message":"s/retaled/related\n\ns/managment/management","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":217,"context_line":"  access control for the users adn groups, we recomend use inherited roles"},{"line_number":218,"context_line":"  assignments implementation, so you can grant a role to a user/group in a"},{"line_number":219,"context_line":"  project/domain and inherited this assignment for the 
hierarchy."},{"line_number":220,"context_line":"  Exists a spec retaled to domain roles, that can improve this role managment"},{"line_number":221,"context_line":"  in Hierarchical Multitenancy: https://review.openstack.org/#/c/133855"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_c2366be8","line":220,"in_reply_to":"3a961159_f1e34931","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c915dba22c07ed513c82212e6e9367287353deb8","unresolved":false,"context_lines":[{"line_number":224,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"* Depends on Hierarchical Multitenancy improvements spec:"},{"line_number":227,"context_line":"  https://review.openstack.org/#/c/135309/"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"Documentation Impact"},{"line_number":230,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_fff8754b","line":227,"updated":"2015-01-09 04:33:34.000000000","message":"Why not replace the naked link with: `Hierarchical Multitenancy improvements spec \u003chttps://review.openstack.org/#/c/135309/\u003e`_","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"23fe964a9db5c9d600cdcf92e98128f8899dd802","unresolved":false,"context_lines":[{"line_number":224,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"* Depends on Hierarchical Multitenancy improvements spec:"},{"line_number":227,"context_line":"  https://review.openstack.org/#/c/135309/"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"Documentation Impact"},{"line_number":230,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3a961159_a2223fa1","line":227,"in_reply_to":"3a961159_fff8754b","updated":"2015-01-09 21:35:38.000000000","message":"Done","commit_id":"f89dfa1dbca3b751d51389a955ac6d05683c8f61"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe has"},{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_e219a724","line":34,"updated":"2015-01-09 21:54:53.000000000","message":"So I\u0027m a bit confused who is doing the reselling?  
Who owns the underlying cloud here...Martha? If so, there\u0027s no reselling going on.  Or do you mean Martha is reselling someone else\u0027s cloud?  We should be clearer about this.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe has"},{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_ccf6765d","line":34,"in_reply_to":"3a961159_e219a724","updated":"2015-01-12 23:41:30.000000000","message":"Martha can resell her piece of the cloud to Joe and Sam, and they can in turn resell their pieces of the cloud; maybe I can emphasize this in this use case.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c88e1952147131b37a1f5557926db7f7794f0230","unresolved":false,"context_lines":[{"line_number":32,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. 
She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe has"},{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"},{"line_number":38,"context_line":"resources across WidgetMaster. Martha needs to be able to set the quotas for"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_626057a5","line":35,"updated":"2015-01-09 21:47:04.000000000","message":"s/Joe has/Joe and Sam have/","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":32,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Martha provides IT services to multiple enterprise clients. She would like to"},{"line_number":35,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe has"},{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"},{"line_number":38,"context_line":"resources across WidgetMaster. 
Martha needs to be able to set the quotas for"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_ec9252fb","line":35,"in_reply_to":"3a961159_626057a5","updated":"2015-01-12 23:41:30.000000000","message":"Done","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c88e1952147131b37a1f5557926db7f7794f0230","unresolved":false,"context_lines":[{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"},{"line_number":38,"context_line":"resources across WidgetMaster. Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop;She also needs to ensure that Joe and Sam"},{"line_number":40,"context_line":"cannot see or manipulate anything owned by each other."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_e26b6784","line":39,"updated":"2015-01-09 21:47:04.000000000","message":"s/\";\"/\". \"","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":36,"context_line":"multiple QA and Development teams with many users. They need the ability to"},{"line_number":37,"context_line":"create users, projects, and quotas, as well as the ability to list and delete"},{"line_number":38,"context_line":"resources across WidgetMaster. 
Martha needs to be able to set the quotas for"},{"line_number":39,"context_line":"both WidgetMaster and SuperDevShop;She also needs to ensure that Joe and Sam"},{"line_number":40,"context_line":"cannot see or manipulate anything owned by each other."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_0c987e1a","line":39,"in_reply_to":"3a961159_e26b6784","updated":"2015-01-12 23:41:30.000000000","message":"Done","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Proposed Change"},{"line_number":43,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":46,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":47,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":48,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_8296233d","line":45,"updated":"2015-01-09 21:54:53.000000000","message":"it seems odd to say that the change is to \"limit sharing\"...Maybe a better way to describe it is to be more specific in terms of the goal is to allow users/groups to be owned at more than just the top level of the hierarchy...","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Proposed Change"},{"line_number":43,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Implement support to limit sharing of resources both upwards and downwards in"},{"line_number":46,"context_line":"the project\u0027s hierarchy. To achieve this, the domains construct will be merged"},{"line_number":47,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":48,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_ec60920f","line":45,"in_reply_to":"3a961159_8296233d","updated":"2015-01-12 23:41:30.000000000","message":"Ok, I\u0027ll rephrase this part.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":53,"context_line":"* It will also be possible to update an existing project to make it behave like"},{"line_number":54,"context_line":"  a domain by setting the \"domain-ness\" capability;"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":59,"context_line":"  property is immutable. 
In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_a29b1f65","line":56,"updated":"2015-01-09 21:54:53.000000000","message":"I still don\u0027t like this restriction, but will go with the consensus view","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":53,"context_line":"* It will also be possible to update an existing project to make it behave like"},{"line_number":54,"context_line":"  a domain by setting the \"domain-ness\" capability;"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":59,"context_line":"  property is immutable. In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_0c34fef9","line":56,"in_reply_to":"3a961159_a29b1f65","updated":"2015-01-12 23:41:30.000000000","message":"I think this is a good way for this first release for the reseller implementation because its more simple to user organize your hierarchy but we can discuss more about change this point in the next summit. 
What do you think?","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c88e1952147131b37a1f5557926db7f7794f0230","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  it will not be possible to rollback this change."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":63,"context_line":"  inherited role assignments to manage the grant beetween user/groups and the"},{"line_number":64,"context_line":"  project hierarchy."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_c2f58bcd","line":63,"updated":"2015-01-09 21:47:04.000000000","message":"s/\"grant beetween user/groups\"/\"grants beetween users/groups\"","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  it will not be possible to rollback this change."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":63,"context_line":"  inherited role assignments to manage the grant beetween user/groups and the"},{"line_number":64,"context_line":"  project hierarchy."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_2c39baf2","line":63,"in_reply_to":"3a961159_c2f58bcd","updated":"2015-01-12 
23:41:30.000000000","message":"Done","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":62,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":63,"context_line":"  inherited role assignments to manage the grant beetween user/groups and the"},{"line_number":64,"context_line":"  project hierarchy."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_82ad4387","line":65,"updated":"2015-01-09 21:54:53.000000000","message":"Are the users defined by my ancestor domains cumulative? I.e. do I see the superset, or just the ones in the \"first domain ancestor above me\"?","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":62,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":63,"context_line":"  inherited role assignments to manage the grant beetween user/groups and the"},{"line_number":64,"context_line":"  project hierarchy."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Alternatives"},{"line_number":67,"context_line":"------------"},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_04012eaf","line":65,"in_reply_to":"3a961159_82ad4387","updated":"2015-01-12 23:41:30.000000000","message":"I think that we need to clarify two use cases:\n\n1- I\u0027m 
a user in a parent domain and I want to see (or manage) users in my subdomains:\n\nI need to grant an inherited role assignment to the subdomains (and we need to create this API call, since today roles can only be inherited by subprojects within a single domain) to perform these actions.\n\n2- I\u0027m a user in a subdomain and I want to see (or manage) users in my parent domain:\n\nI believe that we can NOT allow these actions, because that would break the isolation in the reseller use case.\n\nSo the answer is: a user can only see/manage users in their own domain, or in a subdomain if they have an inherited role assignment for that subdomain.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"c88e1952147131b37a1f5557926db7f7794f0230","unresolved":false,"context_lines":[{"line_number":97,"context_line":"Developer Impact"},{"line_number":98,"context_line":"----------------"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* A new column in the Project Table representing that this project behaves"},{"line_number":101,"context_line":"  like a domain."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_020073aa","line":100,"updated":"2015-01-09 21:47:04.000000000","message":"s/this/the given project/","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":97,"context_line":"Developer 
Impact"},{"line_number":98,"context_line":"----------------"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* A new column in the Project Table representing that this project behaves"},{"line_number":101,"context_line":"  like a domain."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_8c1f0e70","line":100,"in_reply_to":"3a961159_020073aa","updated":"2015-01-12 23:41:30.000000000","message":"Done","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":126,"context_line":"1. \u0027Domain-ness\u0027 as an attribute of a project;"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":129,"context_line":"   compatability;"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. 
Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_a2007f67","line":129,"updated":"2015-01-09 21:54:53.000000000","message":"not sure I quite understand...so if today I have domain X and 3 root projects (that are all part of domain X), then I would see 4 domains?\n\nDo all root projects become projects with the domain-ness attribute set?","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":126,"context_line":"1. \u0027Domain-ness\u0027 as an attribute of a project;"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":129,"context_line":"   compatability;"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_e48d0237","line":129,"in_reply_to":"3a961159_a2007f67","updated":"2015-01-12 23:41:30.000000000","message":"Using GET v3/domains will return just the domain X.\n\nNo, We can have just a domain and the root project inside this domain is just a project as work today.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d5c9b8a2cb8cf6313fa1813f0fd3b06b73a622b8","unresolved":false,"context_lines":[{"line_number":128,"context_line":"2. 
The list domains v3 API call must show only top level (root) projects for"},{"line_number":129,"context_line":"   compatability;"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"4. When a domain scoped token is requested for a project with the domain-ness"},{"line_number":134,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_c2f4ab8a","line":131,"updated":"2015-01-09 21:54:53.000000000","message":"why is that?","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"03d4381d095b5169dd0e201dd03a481a014dc1db","unresolved":false,"context_lines":[{"line_number":128,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":129,"context_line":"   compatability;"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"3. Domains and projects can\u0027t have the same name;"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"4. When a domain scoped token is requested for a project with the domain-ness"},{"line_number":134,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a961159_5fa06691","line":131,"in_reply_to":"3a961159_c2f4ab8a","updated":"2015-01-12 23:41:30.000000000","message":"Imagine that I create a domain with the name \"A\" and after If I want to change a project (with the name \"A\" too) to be domain-ness, so I have two domains with the same name. 
I believe this is weird and it\u0027s an inconsistency.","commit_id":"b14c1e95a4a50d2822dbb6f62aff2bef03495f71"},{"author":{"_account_id":994,"name":"Arvind Tiwari","email":"arvindt7@gmail.com","username":"arvind-tiwari"},"change_message_id":"70c85637d6ed517142bf4da6f530350a54f26786","unresolved":false,"context_lines":[{"line_number":54,"context_line":"  hierarchy:"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":57,"context_line":"   that has a matching id."},{"line_number":58,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":59,"context_line":"   that matches the domain_id."},{"line_number":60,"context_line":"*** Domains are projects where its id matches its domain_id."}],"source_content_type":"text/x-rst","patch_set":11,"id":"3a961159_425782ca","line":57,"updated":"2015-01-13 21:04:44.000000000","message":"Why it is needed? Domain itself is a project.","commit_id":"c917bfc4395f4af5cdfa314a19e916a10db5a0d6"},{"author":{"_account_id":994,"name":"Arvind Tiwari","email":"arvindt7@gmail.com","username":"arvind-tiwari"},"change_message_id":"70c85637d6ed517142bf4da6f530350a54f26786","unresolved":false,"context_lines":[{"line_number":60,"context_line":"*** Domains are projects where its id matches its domain_id."},{"line_number":61,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":62,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"* Once the user creates a domain or updates a project to become a domain, 
this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3a961159_02b9faeb","line":63,"updated":"2015-01-13 21:04:44.000000000","message":"Not every domain need reseller capability, can we have such provision in the data model, so that reseller like domain can be created only as per need?","commit_id":"c917bfc4395f4af5cdfa314a19e916a10db5a0d6"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_1cabccd6","line":41,"updated":"2015-01-15 17:58:30.000000000","message":"Can Joe create users on WidgetMaster directly?\n\nDoes the name need to be unique only within WidgetMaster or unique over ProductionIT?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. 
Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_7273f315","line":41,"in_reply_to":"3a961159_1cabccd6","updated":"2015-01-16 17:17:35.000000000","message":"Yes, Joe can create users in WidgetMaster.\n\nThe name of users, projects or domains?\n\nAbout the users, I believe that we can create two users with the same name in different domains (or subdomains) because we will have differents user_id and domain scope.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"d1d046289e88de07017c7f33c917fbb91edf805e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_98a401ba","line":41,"in_reply_to":"3a961159_7273f315","updated":"2015-01-16 17:39:30.000000000","message":"Yeah, the user name. 
So the user name uniqueness check will only be enforced on the scope of the current domain","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"ba3908cbf3f6c77e706de1938a2311a32ce8d6df","unresolved":false,"context_lines":[{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_e108f028","line":41,"in_reply_to":"3a961159_98a401ba","updated":"2015-01-16 18:47:10.000000000","message":"The create_user don\u0027t verify the name, just if exists some name: https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L60\nand you can see the others check about create a user.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d95a3681","line":51,"updated":"2015-01-15 17:58:30.000000000","message":"Role are global and not domain specific.\n\nAre you referring to  domain roles (https://review.openstack.org/#/c/133855/) here?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"ba3908cbf3f6c77e706de1938a2311a32ce8d6df","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_7e4add83","line":51,"in_reply_to":"3a961159_18c5713c","updated":"2015-01-16 18:47:10.000000000","message":"Domain will contain a domain role, and a domain role can contains others domain roles, but I\u0027ll remove this part because this is not working today and this is not the scope of this spec.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_f2fa8375","line":51,"in_reply_to":"3a961159_4168ebb9","updated":"2015-01-16 17:17:35.000000000","message":"Matt, you understand correctly.\n\nA domain can contains sub-domains and projects. 
So ProductionIT, WidgetMaster could be a project with the flag domain-ness.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"d1d046289e88de07017c7f33c917fbb91edf805e","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_18c5713c","line":51,"in_reply_to":"3a961159_b2b63bda","updated":"2015-01-16 17:39:30.000000000","message":"Domain will not contain Role but just Role Group (aka domain roles), is that correct?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8512,"name":"Matt Farina","email":"matt@mattfarina.com","username":"mattfarina"},"change_message_id":"b13330aeec224f354d9b70b4d22517c7b90b8b89","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_4168ebb9","line":51,"in_reply_to":"3a961159_d95a3681","updated":"2015-01-16 16:13:55.000000000","message":"If I understand things correctly (and you likely know better than me), domains can be hierarchical like projects. Could a domain instead sell a sub-domain? I\u0027m trying to understand why the move to make domains linked to a corresponding project.\n\nFor example:\nProcutionIT (domain) -\u003e WidgetMaster (domain) -\u003e Projects A, B, C (all projects of WidgetMaster).","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":48,"context_line":"with the project, allowing to distribute users in the domains hierarchy,"},{"line_number":49,"context_line":"instead of only in a single root domain. 
With this implementation, we\u0027ll"},{"line_number":50,"context_line":"cover the Reseller Use case, where one will be able to resell both a project"},{"line_number":51,"context_line":"and a project that behaves like a domain, where one can create users, roles"},{"line_number":52,"context_line":"and groups."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* A domain is a project, and will function as the root project of the"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_b2b63bda","line":51,"in_reply_to":"3a961159_d95a3681","updated":"2015-01-16 17:17:35.000000000","message":"Yes, In a near future (in kilo yet) domain will be container of roles.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8512,"name":"Matt Farina","email":"matt@mattfarina.com","username":"mattfarina"},"change_message_id":"b13330aeec224f354d9b70b4d22517c7b90b8b89","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has a matching id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_81bad308","line":58,"updated":"2015-01-16 16:13:55.000000000","message":"How will resources from a domain project be accessible to sub-projects? 
For example, a domain sharing a glance image across all projects.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"700ea6cbdaa1c85629ab4710876233450316bfb8","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has a matching id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_677ea26f","line":58,"in_reply_to":"3a961159_13428bab","updated":"2015-01-19 19:28:12.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has a matching id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_13428bab","line":58,"in_reply_to":"3a961159_5290b74d","updated":"2015-01-19 14:18:03.000000000","message":"Shouldn\u0027t we say \"the same id\" instead of a \"matching 
id\"?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has a matching id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_5290b74d","line":58,"in_reply_to":"3a961159_81bad308","updated":"2015-01-16 17:17:35.000000000","message":"For the other services, that not exists the hierarchical concept, so for now, we can\u0027t sharing resources like that. 
So glance, only see one project.\n\nOne of the next steps for HMT is extend for the other services, like Nova, Glance, Horizon...","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":71,"context_line":"  property is immutable. In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d96dd604","line":68,"updated":"2015-01-15 17:58:30.000000000","message":"This is a bit confusing, might need to rephrase a bit. 
\n\nSo you mean you can only create new domain under domain-projects (matching domain_id)?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"ba3908cbf3f6c77e706de1938a2311a32ce8d6df","unresolved":false,"context_lines":[{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":71,"context_line":"  property is immutable. In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_7ebc9d6c","line":68,"in_reply_to":"3a961159_38722d4a","updated":"2015-01-16 18:47:10.000000000","message":"Ok, I\u0027ll rephrase this.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"d1d046289e88de07017c7f33c917fbb91edf805e","unresolved":false,"context_lines":[{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, 
this"},{"line_number":71,"context_line":"  property is immutable. In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_38722d4a","line":68,"in_reply_to":"3a961159_d2d66726","updated":"2015-01-16 17:39:30.000000000","message":"Okay, sounds right. Might need to rephrase it for readability.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":71,"context_line":"  property is immutable. 
In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d2d66726","line":68,"in_reply_to":"3a961159_d96dd604","updated":"2015-01-16 17:17:35.000000000","message":"Yes.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":71,"context_line":"  property is immutable. In other words, if a project has became a domain,"},{"line_number":72,"context_line":"  it will not be possible to rollback this change."},{"line_number":73,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d93b16e8","line":70,"updated":"2015-01-15 17:58:30.000000000","message":"\"updates a project to become a domain\" do you mean promote a project to become a domain?  When would this happen?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain, never under a project;"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":71,"context_line":"  property is immutable. 
In other words, if a project has became a domain,"},{"line_number":72,"context_line":"  it will not be possible to rollback this change."},{"line_number":73,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_721693f3","line":70,"in_reply_to":"3a961159_d93b16e8","updated":"2015-01-16 17:17:35.000000000","message":"When I already have a project in Keystone and update this project (set the flag domain-ness to True) to behave like a domain.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":72,"context_line":"  it will not be possible to rollback this change."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":75,"context_line":"  inherited role assignments to manage the grants beetween user/groups and the"},{"line_number":76,"context_line":"  project hierarchy."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_79178254","line":75,"updated":"2015-01-15 17:58:30.000000000","message":"beetween -\u003e between","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":72,"context_line":"  it will not be possible to rollback this change."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":75,"context_line":"  inherited role assignments to manage the grants 
beetween user/groups and the"},{"line_number":76,"context_line":"  project hierarchy."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_32f96bc8","line":75,"in_reply_to":"3a961159_79178254","updated":"2015-01-16 17:17:35.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"3fbb3b6b67b3c02b184ab0d916ce0ec56a198cf2","unresolved":false,"context_lines":[{"line_number":94,"context_line":"---------------------"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Python-keystoneclient must support creating and updating projects that behave"},{"line_number":97,"context_line":"as a domain."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Performance Impact"},{"line_number":100,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_f90a9225","line":97,"updated":"2015-01-15 17:58:30.000000000","message":"update python-openstackclient too?","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"04786edcd48309c4b950b4a198802ee664c436e2","unresolved":false,"context_lines":[{"line_number":94,"context_line":"---------------------"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Python-keystoneclient must support creating and updating projects that behave"},{"line_number":97,"context_line":"as a domain."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Performance 
Impact"},{"line_number":100,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_120f0fe1","line":97,"in_reply_to":"3a961159_f90a9225","updated":"2015-01-16 17:17:35.000000000","message":"Yes, but this is out of scope of this spec.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":138,"context_line":"   fail)"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":141,"context_line":"   compatability;"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"3. When transforming a project into a domain, there are some necessary checks:"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d31e43bc","line":141,"updated":"2015-01-19 14:18:03.000000000","message":"compatibility","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"700ea6cbdaa1c85629ab4710876233450316bfb8","unresolved":false,"context_lines":[{"line_number":138,"context_line":"   fail)"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":141,"context_line":"   compatability;"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"3. 
When transforming a project into a domain, there are some necessary checks:"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_e791b29c","line":141,"in_reply_to":"3a961159_d31e43bc","updated":"2015-01-19 19:28:12.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":140,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":141,"context_line":"   compatability;"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"3. When transforming a project into a domain, there are some necessary checks:"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* Do not allow if there is already a domain with the same name"},{"line_number":146,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_f3725f11","line":143,"updated":"2015-01-19 14:18:03.000000000","message":"Rephrase to: When transforming a project into a domain, Keystone won\u0027t allow it, if there is already a domain with the same name.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"700ea6cbdaa1c85629ab4710876233450316bfb8","unresolved":false,"context_lines":[{"line_number":140,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":141,"context_line":"   compatability;"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"3. 
When transforming a project into a domain, there are some necessary checks:"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"* Do not allow if there is already a domain with the same name"},{"line_number":146,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_078f9e77","line":143,"in_reply_to":"3a961159_f3725f11","updated":"2015-01-19 19:28:12.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":148,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":149,"context_line":"   project which holds that domain). Additionally, the project and domain have"},{"line_number":150,"context_line":"   the same ID, which means that role assignments will be applied for a single"},{"line_number":151,"context_line":"   entity, that will act like domain and project simultaneously."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"Response:"},{"line_number":154,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_339147f8","line":151,"updated":"2015-01-19 14:18:03.000000000","message":"There are two topics here. The token and the role assignment. 
I think we should break this in two topics.","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":228,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":229,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":230,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":231,"context_line":"  a project/domain and inherited this assignment for the subtree."},{"line_number":232,"context_line":"  Exists a spec related to domain roles, that can improve this role management"},{"line_number":233,"context_line":"  in Hierarchical Multitenancy: \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_33c30708","line":231,"updated":"2015-01-19 14:18:03.000000000","message":"along the subtree","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"700ea6cbdaa1c85629ab4710876233450316bfb8","unresolved":false,"context_lines":[{"line_number":228,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":229,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":230,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":231,"context_line":"  a project/domain and inherited this assignment for the subtree."},{"line_number":232,"context_line":"  Exists a spec related to domain roles, 
that can improve this role management"},{"line_number":233,"context_line":"  in Hierarchical Multitenancy: \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_278c9a80","line":231,"in_reply_to":"3a961159_33c30708","updated":"2015-01-19 19:28:12.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"c1d3d4faf9da237f5a001cf0270aaeed5c054cdd","unresolved":false,"context_lines":[{"line_number":229,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":230,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":231,"context_line":"  a project/domain and inherited this assignment for the subtree."},{"line_number":232,"context_line":"  Exists a spec related to domain roles, that can improve this role management"},{"line_number":233,"context_line":"  in Hierarchical Multitenancy: \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_d34c83cc","line":232,"updated":"2015-01-19 14:18:03.000000000","message":"There is a spec","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"700ea6cbdaa1c85629ab4710876233450316bfb8","unresolved":false,"context_lines":[{"line_number":229,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":230,"context_line":"  roles assignments implementation, so you can grant a role to a user/group 
in"},{"line_number":231,"context_line":"  a project/domain and inherited this assignment for the subtree."},{"line_number":232,"context_line":"  Exists a spec related to domain roles, that can improve this role management"},{"line_number":233,"context_line":"  in Hierarchical Multitenancy: \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":13,"id":"3a961159_4789a66e","line":232,"in_reply_to":"3a961159_d34c83cc","updated":"2015-01-19 19:28:12.000000000","message":"Done","commit_id":"93711766faba2887306afb85bf664e8bfdbd8d98"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":36,"context_line":"Joe at WidgetMaster, and Sam at SuperDevShop. Joe and Sam have multiple QA and"},{"line_number":37,"context_line":"Development teams with many users. They need the ability to create users,"},{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. 
She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_54d4e7e8","line":39,"updated":"2015-01-20 03:29:43.000000000","message":"Maybe \u0027across they enterprises\u0027, because \u0027across WidgetMaster\u0027 is not correct since we are talking about they (Joe and Sam, from different organizations)","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":36,"context_line":"Joe at WidgetMaster, and Sam at SuperDevShop. Joe and Sam have multiple QA and"},{"line_number":37,"context_line":"Development teams with many users. They need the ability to create users,"},{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_414df9c4","line":39,"in_reply_to":"3a961159_54d4e7e8","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":36,"context_line":"Joe at WidgetMaster, and Sam at SuperDevShop. 
Joe and Sam have multiple QA and"},{"line_number":37,"context_line":"Development teams with many users. They need the ability to create users,"},{"line_number":38,"context_line":"projects, and quotas as well as the ability to list and delete resources across"},{"line_number":39,"context_line":"WidgetMaster. Martha needs to be able to set the quotas for both WidgetMaster"},{"line_number":40,"context_line":"and SuperDevShop. She also needs to ensure that Joe and Sam cannot see or"},{"line_number":41,"context_line":"manipulate anything owned by each other."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_fc9a0a61","line":39,"in_reply_to":"3a961159_54d4e7e8","updated":"2015-01-20 14:34:42.000000000","message":"That\u0027s right. Just put \"across their enterprises\".","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are projects where its id matches its domain_id."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_14f17f96","line":60,"updated":"2015-01-20 03:29:43.000000000","message":"nit: remove double space between \u0027existing  domains\u0027\n\ns/A/a","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are projects where its id matches its domain_id."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_614af5ae","line":60,"in_reply_to":"3a961159_14f17f96","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are projects where its id matches its domain_id."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_7c51ba2f","line":63,"updated":"2015-01-20 14:34:42.000000000","message":"Maybe rephrase to: \"Domains are conceptually projects with the same id of its 
domain_id.\"","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":60,"context_line":"** For all existing  domains, A sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are projects where its id matches its domain_id."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_2262ac3d","line":63,"in_reply_to":"3a961159_7c51ba2f","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":69,"context_line":"  behavior like a domain, never under a project with the domain-ness flag"},{"line_number":70,"context_line":"  disable;"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_9c14a651","line":69,"updated":"2015-01-20 14:34:42.000000000","message":"s/behavior/behaves","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":66,"context_line":"   that do not have parent_project_id set to match their domain_id."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":69,"context_line":"  behavior like a domain, never under a project with the domain-ness flag"},{"line_number":70,"context_line":"  disable;"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_e270a40a","line":69,"in_reply_to":"3a961159_9c14a651","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":69,"context_line":"  behavior like a domain, never under a project with the domain-ness flag"},{"line_number":70,"context_line":"  disable;"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":73,"context_line":"  property is immutable. In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_b4318b5b","line":70,"updated":"2015-01-20 03:29:43.000000000","message":"s/disable/disabled","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":69,"context_line":"  behavior like a domain, never under a project with the domain-ness flag"},{"line_number":70,"context_line":"  disable;"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"* Once the user creates a domain or updates a project to become a domain, this"},{"line_number":73,"context_line":"  property is immutable. 
In other words, if a project has became a domain,"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_01d3f1d5","line":70,"in_reply_to":"3a961159_b4318b5b","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":77,"context_line":"  inherited role assignments to manage the grants between user/groups and the"},{"line_number":78,"context_line":"  project hierarchy."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Alternatives"},{"line_number":81,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_14d41fba","line":78,"updated":"2015-01-20 03:29:43.000000000","message":"Most of the points described in this list are repeated on the work items. 
I think you should consider writing this in a paragraph form, to explain better what is being proposed.","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":111,"context_line":"Developer Impact"},{"line_number":112,"context_line":"----------------"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"},{"line_number":115,"context_line":"  for domain and project."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_f43a3334","line":114,"updated":"2015-01-20 03:29:43.000000000","message":"s/we/keystone","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":111,"context_line":"Developer Impact"},{"line_number":112,"context_line":"----------------"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"* When a user requests a domain scoped token, we will send a dual scoped token"},{"line_number":115,"context_line":"  for domain and project."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_c1ef2985","line":114,"in_reply_to":"3a961159_f43a3334","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros 
Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":137,"context_line":"1. \"Domain is a project\";"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"* Possible issue: project with the same name of a domain (the migration would"},{"line_number":140,"context_line":"   fail)"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":143,"context_line":"   compatibility;"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_54706708","line":140,"updated":"2015-01-20 03:29:43.000000000","message":"Could you explain better why the migration should fail in this case?\n\nI think it is because the migration will try to create, for each domain, a project with the same. If a project with the same name of an existing domain exists, the migration will then fail trying to create a duplicate entry on the project table.","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":139,"context_line":"* Possible issue: project with the same name of a domain (the migration would"},{"line_number":140,"context_line":"   fail)"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":143,"context_line":"   compatibility;"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"3. 
When transforming a project into a domain, Keystone won\u0027t allow it, if there"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_b408ab81","line":142,"updated":"2015-01-20 03:29:43.000000000","message":"s/projects/domain-ness projects","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":139,"context_line":"* Possible issue: project with the same name of a domain (the migration would"},{"line_number":140,"context_line":"   fail)"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"2. The list domains v3 API call must show only top level (root) projects for"},{"line_number":143,"context_line":"   compatibility;"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"3. When transforming a project into a domain, Keystone won\u0027t allow it, if there"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_e10ee53c","line":142,"in_reply_to":"3a961159_b408ab81","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":143,"context_line":"   compatibility;"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"3. When transforming a project into a domain, Keystone won\u0027t allow it, if there"},{"line_number":146,"context_line":"   is already a domain with the same name."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"4. 
When a domain scoped token is requested for a project with the domain-ness"},{"line_number":149,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_144dffc5","line":146,"updated":"2015-01-20 03:29:43.000000000","message":"Maybe rephrasing this:\n\nWhen transforming a project into a domain, the absence of a domain with the same name is a prerequisite.","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":143,"context_line":"   compatibility;"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"3. When transforming a project into a domain, Keystone won\u0027t allow it, if there"},{"line_number":146,"context_line":"   is already a domain with the same name."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"4. When a domain scoped token is requested for a project with the domain-ness"},{"line_number":149,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_a28e9c30","line":146,"in_reply_to":"3a961159_144dffc5","updated":"2015-01-20 14:34:42.000000000","message":"Disagree. 
Maybe \"When transforming a project into a domain, Keystone will block it in case a domain with the project name already exists.\"","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":146,"context_line":"   is already a domain with the same name."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"4. When a domain scoped token is requested for a project with the domain-ness"},{"line_number":149,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":150,"context_line":"   project which holds that domain). Additionally, the project and domain have"},{"line_number":151,"context_line":"   the same ID, which means that role assignments will be applied for a single"},{"line_number":152,"context_line":"   entity, that will act like domain and project simultaneously."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_c2b56833","line":149,"updated":"2015-01-20 14:34:42.000000000","message":"\"...will be provided, referencing the project which holds that domain.\"","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":146,"context_line":"   is already a domain with the same name."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"4. When a domain scoped token is requested for a project with the domain-ness"},{"line_number":149,"context_line":"   flag active, a dual scoped token will be provided (it will reference the"},{"line_number":150,"context_line":"   project which holds that domain). 
Additionally, the project and domain have"},{"line_number":151,"context_line":"   the same ID, which means that role assignments will be applied for a single"},{"line_number":152,"context_line":"   entity, that will act like domain and project simultaneously."}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_623d94dd","line":149,"in_reply_to":"3a961159_c2b56833","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":150,"context_line":"   project which holds that domain). Additionally, the project and domain have"},{"line_number":151,"context_line":"   the same ID, which means that role assignments will be applied for a single"},{"line_number":152,"context_line":"   entity, that will act like domain and project simultaneously."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Response:"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"::"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_344afbad","line":153,"updated":"2015-01-20 03:29:43.000000000","message":"Maybe adding a Request: here, in addition to the Response below.","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":150,"context_line":"   project which holds that domain). 
Additionally, the project and domain have"},{"line_number":151,"context_line":"   the same ID, which means that role assignments will be applied for a single"},{"line_number":152,"context_line":"   entity, that will act like domain and project simultaneously."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Response:"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"::"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_bc2c0203","line":153,"in_reply_to":"3a961159_344afbad","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":229,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":230,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":231,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":232,"context_line":"  a project/domain and inherited this assignment along the subtree."},{"line_number":233,"context_line":"  There is a spec related to domain roles, that can improve this role"},{"line_number":234,"context_line":"  management in Hierarchical Multitenancy:"},{"line_number":235,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_74eac378","line":232,"updated":"2015-01-20 03:29:43.000000000","message":"s/inherited/inherit","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa 
Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":229,"context_line":"  in the hierarchy for users and groups, for a better usability to manage the"},{"line_number":230,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":231,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":232,"context_line":"  a project/domain and inherited this assignment along the subtree."},{"line_number":233,"context_line":"  There is a spec related to domain roles, that can improve this role"},{"line_number":234,"context_line":"  management in Hierarchical Multitenancy:"},{"line_number":235,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_9c758602","line":232,"in_reply_to":"3a961159_74eac378","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":9142,"name":"Samuel de Medeiros Queiroz","email":"samueldmq@lsd.ufcg.edu.br","username":"samuel-z","inactive":true},"change_message_id":"e5c43142cb4261daee6c44c0e7912cd2ebd514ab","unresolved":false,"context_lines":[{"line_number":230,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":231,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":232,"context_line":"  a project/domain and inherited this assignment along the subtree."},{"line_number":233,"context_line":"  There is a spec related to domain roles, that can improve this role"},{"line_number":234,"context_line":"  management in Hierarchical Multitenancy:"},{"line_number":235,"context_line":"  
\u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_54f5c74f","line":233,"updated":"2015-01-20 03:29:43.000000000","message":"You were talking about inherited roles. Now you start talking about domain roles, maybe you should add \u0027In addition, there is a spec...\u0027 at the start of this sentence.","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":10046,"name":"Henrique Truta","email":"henrique@lsd.ufcg.edu.br","username":"henriquetruta"},"change_message_id":"13b1bcd9be9edf603a0e05b564271a2140ba741b","unresolved":false,"context_lines":[{"line_number":230,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":231,"context_line":"  roles assignments implementation, so you can grant a role to a user/group in"},{"line_number":232,"context_line":"  a project/domain and inherited this assignment along the subtree."},{"line_number":233,"context_line":"  There is a spec related to domain roles, that can improve this role"},{"line_number":234,"context_line":"  management in Hierarchical Multitenancy:"},{"line_number":235,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_0285b009","line":233,"in_reply_to":"3a961159_54f5c74f","updated":"2015-01-20 14:34:42.000000000","message":"Agreed","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"0925f7b50362a32b1592a2a1825c9ade1b637c85","unresolved":false,"context_lines":[{"line_number":230,"context_line":"  access control for the users and groups, we recomend the use of inherited"},{"line_number":231,"context_line":"  roles assignments implementation, so you can grant a 
role to a user/group in"},{"line_number":232,"context_line":"  a project/domain and inherited this assignment along the subtree."},{"line_number":233,"context_line":"  There is a spec related to domain roles, that can improve this role"},{"line_number":234,"context_line":"  management in Hierarchical Multitenancy:"},{"line_number":235,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a961159_bc7a42ee","line":233,"in_reply_to":"3a961159_54f5c74f","updated":"2015-01-20 14:45:38.000000000","message":"Done","commit_id":"e8a4b2d6d9900e7bc42786cd90a2721ce467d1cc"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"072904e221b4d221308ab162fcf64a2dcb8f5f8e","unresolved":false,"context_lines":[{"line_number":24,"context_line":"* Resellers"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"**Actors**"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"* Martha - Owner of ProductionIT"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_8b3b7b38","line":27,"updated":"2015-01-20 15:51:39.000000000","message":"We should list the actual cloud from which Martha is reselling","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"9d7519d42193d9b2cf1044fa7cd7ad0b7fd43330","unresolved":false,"context_lines":[{"line_number":24,"context_line":"* Resellers"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"**Actors**"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"* Martha - Owner of 
ProductionIT"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"* Joe - Development Manager from WidgetMaster"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_36ad8a85","line":27,"in_reply_to":"3a961159_8b3b7b38","updated":"2015-01-20 16:18:21.000000000","message":"Ok, I\u0027ll add a new actor referencing to the cloud owner, that martha is reselling.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":1228,"name":"Joe Savak","email":"jsavak@gmail.com","username":"jsavak"},"change_message_id":"391d4338bf25c79598ea4b34e4cc6c86215c4683","unresolved":false,"context_lines":[{"line_number":39,"context_line":"they enterprises. Martha needs to be able to set the quotas for both"},{"line_number":40,"context_line":"WidgetMaster and SuperDevShop. She also needs to ensure that Joe and Sam cannot"},{"line_number":41,"context_line":"see or manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_f67ea26c","line":42,"updated":"2015-01-20 16:08:27.000000000","message":"Do we allow Martha to see or manipulate anything owned by Sam and/or Joe? Or do those end-users need to contact the cloud service provider for direct support? Or should it be flexible (based on policy) \u003c-- preferred.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"9d7519d42193d9b2cf1044fa7cd7ad0b7fd43330","unresolved":false,"context_lines":[{"line_number":39,"context_line":"they enterprises. 
Martha needs to be able to set the quotas for both"},{"line_number":40,"context_line":"WidgetMaster and SuperDevShop. She also needs to ensure that Joe and Sam cannot"},{"line_number":41,"context_line":"see or manipulate anything owned by each other."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed Change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_b64a5aab","line":42,"in_reply_to":"3a961159_f67ea26c","updated":"2015-01-20 16:18:21.000000000","message":"Joe, it depends on the role visibility. By default Martha can NOT see or manipulate the resources owned by Sam or Joe, but we intend to provide a new inherited role assignment for domains -\u003e projects with domain-ness (today inherited role assignments are just for domain -\u003e projects and project -\u003e subprojects). So, the role assigned to Martha can be inherited by WidgetMaster and SuperDevShop.\n\nIn the future, we can use domain roles to provide this visibility.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"fbcf59c94675133aa868971d42df46d29b3a87ec","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing domains, a sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_36ce6a2e","line":58,"updated":"2015-01-20 
16:18:10.000000000","message":"Discussion from mid cycle is that we should not have two shadow tables....we should merge everything into the projects table","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"72573a0612242261375c874e09ad3ba63eb290d9","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing domains, a sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_7621d2b4","line":58,"in_reply_to":"3a961159_36ce6a2e","updated":"2015-01-20 16:20:30.000000000","message":"Sure, we pretend to drop the domain table after the migration.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"6a2b1f8365c39416a9d241f2ac051bcb5e61b16e","unresolved":false,"context_lines":[{"line_number":55,"context_line":"  hierarchy:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing domains, a sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the 
domain_id."}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_f1d94c29","line":58,"in_reply_to":"3a961159_7621d2b4","updated":"2015-01-20 16:31:21.000000000","message":"s/pretend/intend","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"2acbd7a8385b84fc3e3e782f52b4a24ad6251a79","unresolved":false,"context_lines":[{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing domains, a sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are conceptually projects with the same id of its domain_id."}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_7691d252","line":60,"updated":"2015-01-20 16:10:40.000000000","message":"Need to worry about namespace clashing and Id clashing.  
Need a rewrite to address","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"9d7519d42193d9b2cf1044fa7cd7ad0b7fd43330","unresolved":false,"context_lines":[{"line_number":57,"context_line":"** When creating a domain, keystone will also create a project"},{"line_number":58,"context_line":"   that has the same id."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"** For all existing domains, a sql migration will create a project with an id"},{"line_number":61,"context_line":"   that matches the domain_id."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"** Domains are conceptually projects with the same id of its domain_id."}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_b6e17a9d","line":60,"in_reply_to":"3a961159_7691d252","updated":"2015-01-20 16:18:21.000000000","message":"ok, I\u0027ll rephrase this part.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"fbcf59c94675133aa868971d42df46d29b3a87ec","unresolved":false,"context_lines":[{"line_number":76,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":77,"context_line":"  inherited role assignments to manage the grants between user/groups and the"},{"line_number":78,"context_line":"  project hierarchy."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Alternatives"},{"line_number":81,"context_line":"------------"},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_369caa0e","line":79,"updated":"2015-01-20 16:18:10.000000000","message":"we should explicit say what resource visibility will exist once this is merged (i.e. 
Joe can\u0027t see Martha\u0027s users, unless she gives him a role on her domain, and vice versa)","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"72573a0612242261375c874e09ad3ba63eb290d9","unresolved":false,"context_lines":[{"line_number":76,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":77,"context_line":"  inherited role assignments to manage the grants between user/groups and the"},{"line_number":78,"context_line":"  project hierarchy."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Alternatives"},{"line_number":81,"context_line":"------------"},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3a961159_311d9463","line":79,"in_reply_to":"3a961159_369caa0e","updated":"2015-01-20 16:20:30.000000000","message":"Ok, i\u0027ll do that.","commit_id":"b92a0bb2ae19c3678a3ad18272898fd1c7df090c"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Alex are owner of a cloud and Martha provides IT services to multiple"},{"line_number":37,"context_line":"enterprise clients using resources that she bought from Alex. She would like to"},{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. 
They need the"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_be4de174","line":36,"updated":"2015-01-21 17:58:33.000000000","message":"typo: \"Alex are owner\" should be \"Alex is an owner\"","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"* Sam - Development Manager from SuperDevShop"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Alex are owner of a cloud and Martha provides IT services to multiple"},{"line_number":37,"context_line":"enterprise clients using resources that she bought from Alex. She would like to"},{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. They need the"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_a9c12d30","line":36,"in_reply_to":"1a930d6b_be4de174","updated":"2015-01-21 18:06:05.000000000","message":"Done","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. They need the"},{"line_number":40,"context_line":"ability to create users, projects, and quotas as well as the ability to list"},{"line_number":41,"context_line":"and delete resources across they enterprises. 
Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_3e6811ba","line":41,"updated":"2015-01-21 17:58:33.000000000","message":"typo \"they\" should be \"their\"","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. They need the"},{"line_number":40,"context_line":"ability to create users, projects, and quotas as well as the ability to list"},{"line_number":41,"context_line":"and delete resources across they enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_c9dd9916","line":41,"in_reply_to":"1a930d6b_3e6811ba","updated":"2015-01-21 18:06:05.000000000","message":"Done","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":41,"context_line":"and delete resources across they enterprises. 
Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_9e8d857e","line":44,"updated":"2015-01-21 17:58:33.000000000","message":"Great problem description","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":41,"context_line":"and delete resources across they enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. 
She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_e9e255d4","line":44,"in_reply_to":"1a930d6b_9e8d857e","updated":"2015-01-21 18:06:05.000000000","message":"thanks :)","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"** Domains are conceptually projects with the same id of its domain_id."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_a9176dec","line":67,"updated":"2015-01-21 17:58:33.000000000","message":"A should be An","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"** Domains are conceptually projects with the same id of its 
domain_id."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_09e881b3","line":67,"in_reply_to":"1a930d6b_a9176dec","updated":"2015-01-21 18:06:05.000000000","message":"Done","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_6948252e","line":69,"updated":"2015-01-21 17:58:33.000000000","message":"Need more detail on how you handle the ramifications of dropping the domain table. A little detail on what domain APIs need to be updated would be helpful. Even more important is understanding how dropping the domain will have some nasty impacts on the domain config files. 
Please follow up with Henry on this","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_09ffa168","line":69,"in_reply_to":"1a930d6b_6948252e","updated":"2015-01-21 18:06:05.000000000","message":"Ok, I\u0027ll talk with Henry about this.","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"487110e90ab0707b5abfc7dd376ba7ad58561fee","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_a9692d8d","line":70,"updated":"2015-01-21 17:58:33.000000000","message":"Need to be more clear on how namespace clashing and Id clashing will be avoided. and how the repercussions of this will need to be addressed. Please talk with Henry.","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"2b5b0ff1d9a17d6320c1e2ea82ada967b8ff95b3","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_d16d3b06","line":70,"in_reply_to":"1a930d6b_24f9e4e9","updated":"2015-01-22 00:19:22.000000000","message":"Ok.\n\nI discussed this problem with my team and we have a workaround for this situation. \n\nRegarding the name clashing: We think that we don\u0027t have a problem by having a project and a domain with the same name, because we always have a way do distinguish them, since in the Project Table, a domain will be a project with the same project_id and domain_id, and a project will be a project with differents project_id and domain_id. 
\n\nRegarding the id clashing: Given the size and format of the generated IDs, we know that an id clash is nearly impossible, but if we need to be concerned about that, we can generate a new domain_id and update every foreign key, like in projects, groups and users. \n\nCan you think of another situation where this would cause problems that we need to consider?","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"1f2752a167927d2c1fe9444391c4b30594c4fdb5","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_e965f545","line":70,"in_reply_to":"1a930d6b_a9692d8d","updated":"2015-01-21 18:06:05.000000000","message":"I thought Adam Young would explain this point, but I\u0027ll talk with Henry about this.\n\nThanks.","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"50500c55f8582e6dbbb53f27ddf28d10e1dafdfa","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_3d51d7d8","line":70,"in_reply_to":"1a930d6b_aa23d103","updated":"2015-01-22 13:46:27.000000000","message":"ok, that\u0027s the mechanics....but we can\u0027t leave the two names clashing?  
So which one do we change?","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"c32d1ed72dac0e44eaa25d684cb54cb180885233","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_aa23d103","line":70,"in_reply_to":"1a930d6b_ca62ddd7","updated":"2015-01-22 02:21:57.000000000","message":"Rodrigo++","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"26432412d082eb0848139572826410cab3943bac","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_ca62ddd7","line":70,"in_reply_to":"1a930d6b_d16d3b06","updated":"2015-01-22 01:49:09.000000000","message":"About name clashing, we can remove the name constraint before triggering the migration and recreate it after the migration ends.","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"6b3a6c62a8fa4e4f0c5cc9124083a5d242ac90ed","unresolved":false,"context_lines":[{"line_number":67,"context_line":"** A sql migration will initialize parent_project_id for any other projects"},{"line_number":68,"context_line":"   that do not have parent_project_id set to match their domain_id, in this sql"},{"line_number":69,"context_line":"   migration we will drop the domain table."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"* The domains will only be created under another domain i.e. a project that"},{"line_number":72,"context_line":"  behaves like a domain, never under a project with the domain-ness flag"},{"line_number":73,"context_line":"  disabled;"}],"source_content_type":"text/x-rst","patch_set":17,"id":"1a930d6b_24f9e4e9","line":70,"in_reply_to":"1a930d6b_e965f545","updated":"2015-01-21 18:19:50.000000000","message":"So the proposal was to rename the domain if there was a clash with a project. The problem with that is that IF we are using domain-specific config files, then the name of the file contains the domain name. Ouch!  
Although we are deprecating the use of file base domain-specific configs (in place of storing this in SQL, accessible by REST)...but we need to support them for a couple of releases.","commit_id":"dd0afcbc07c20906df331132d77589afab8af3c9"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d51630d2d2402375cc1e870a3e814895f96dd8e4","unresolved":false,"context_lines":[{"line_number":95,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"* To keep compatibility, the list domains v3 API call will return only top"},{"line_number":98,"context_line":"  level domains (root domains)."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Alternatives"},{"line_number":101,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":24,"id":"fa81d914_584b0d87","line":98,"updated":"2015-01-28 21:56:22.000000000","message":"Can we explain the rationale for this (i.e. for not including lower level domain).  Immediately after migration, we\u0027ll only have top level domains anyway - so that\u0027s not an issue. Part of my confusion is that we don\u0027t describe anywhere which API is used to set the domain-ness flag post migration.  Is it create_domain()?  In which case how do I give the parent_id (that\u0027s not part of the domain entity in the API today).  Is it in create_project()?  Either way, having created a domain...I think I\u0027d be surprised if it didn\u0027t show up when I listed domains.  How would I list sub-domains (i.e. 
child domains of a top level domain)?","commit_id":"d1f66494e20e2368b0e0d26d651993a139599109"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"0f81af5a78e8f5cff840c02de6b24c76b1456831","unresolved":false,"context_lines":[{"line_number":95,"context_line":"  \u003chttps://review.openstack.org/#/c/133855\u003e`_"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"* To keep compatibility, the list domains v3 API call will return only top"},{"line_number":98,"context_line":"  level domains (root domains)."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Alternatives"},{"line_number":101,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":24,"id":"fa81d914_c8ab871b","line":98,"in_reply_to":"fa81d914_584b0d87","updated":"2015-01-29 14:23:03.000000000","message":"++\n\nthis was cited sometimes in the past but I agree with you and don\u0027t see a reason why not listing subdomains is breaking the compatibility.\n\nlet\u0027s discuss this today on IRC, but our proposal is to have something like:\n\n- Domain creation: the same endpoint we have today - POST /domains\n- Creating a subdomain (update the domain-ness flag): a regular project update - PATCH /projects/\u003cproject_id\u003e passing the domain-ness flag as active","commit_id":"d1f66494e20e2368b0e0d26d651993a139599109"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d51630d2d2402375cc1e870a3e814895f96dd8e4","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   flag active, a dual scoped token will be provided, referencing the project"},{"line_number":167,"context_line":"   which holds that domain. 
Additionally, the project and domain have the same"},{"line_number":168,"context_line":"   ID, which means that role assignments will be applied for a single entity,"},{"line_number":169,"context_line":"   that will act like domain and project simultaneously;"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"* Note: for root domains this behavior won\u0027t be possible, only domain scoped"},{"line_number":172,"context_line":"  tokens will be provided - the root project is not owned by the domain it"}],"source_content_type":"text/x-rst","patch_set":24,"id":"fa81d914_9b581f34","line":169,"updated":"2015-01-28 21:56:22.000000000","message":"is the bit about acting like both the required functionality, or just what we think we can\u0027t avoid? Even though a project and domain may share the same ID, an assignment knows whether it is for a project or a domain (it has a flag to differentiate),","commit_id":"d1f66494e20e2368b0e0d26d651993a139599109"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"0f81af5a78e8f5cff840c02de6b24c76b1456831","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   flag active, a dual scoped token will be provided, referencing the project"},{"line_number":167,"context_line":"   which holds that domain. 
Additionally, the project and domain have the same"},{"line_number":168,"context_line":"   ID, which means that role assignments will be applied for a single entity,"},{"line_number":169,"context_line":"   that will act like domain and project simultaneously;"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"* Note: for root domains this behavior won\u0027t be possible, only domain scoped"},{"line_number":172,"context_line":"  tokens will be provided - the root project is not owned by the domain it"}],"source_content_type":"text/x-rst","patch_set":24,"id":"fa81d914_23bb64c5","line":169,"in_reply_to":"fa81d914_9b581f34","updated":"2015-01-29 14:23:03.000000000","message":"this is true, so what we thought here was to continue to respect the assignment type and have the possibility to ask for dual scoped tokens if the actor has both types of assignment in a project with the domain feature. The request to /auth/tokens would need to specify that is requesting a dual token somehow.\n\nanother related question, is if we have the following type of hierarchy:\n\n                                                                               \n               A                                                               \n                                                                               \n            /      \\                                                           \n                                                                               \n           /        \\                                                          \n                                                                               \n          C          B                                                         \n                                                                               \n        /              \\                                                       \n                                                                               \n       /   
             \\                                                      \n                                                                               \n      B                  A        \n\ntoday, we can specify a domain name in order to request a domain scoped token,\nhow can we get a token for both domains B (one that is child of A and the other who\nis child of C)?","commit_id":"d1f66494e20e2368b0e0d26d651993a139599109"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"e0559c154ddce8dd563a61b65392c49e15a3fc36","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds, besides giving to public cloud"},{"line_number":17,"context_line":"providers the option of reselling a piece of their cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_74415fa8","line":16,"updated":"2015-01-30 18:32:13.000000000","message":"what does \"more comfortable\" means? 
Do you have a little more context of the use case for private cloud?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"OpenStack needs to grow support for hierarchical ownership of objects."},{"line_number":15,"context_line":"This enables the management of subsets of users and projects in a way that is"},{"line_number":16,"context_line":"much more comfortable for private clouds, besides giving to public cloud"},{"line_number":17,"context_line":"providers the option of reselling a piece of their cloud."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":25,"id":"da86d52c_29e2cdd5","line":16,"in_reply_to":"fa81d914_74415fa8","updated":"2015-01-30 19:41:38.000000000","message":"For \"more comfortable\" I want to say more ease to control my users and groups, since I can distribute my users in sub domains.\n\nA good use case for private cloud I think in a divisional departmental in a company, I can distribute my users in each subdivision in a company.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"e0559c154ddce8dd563a61b65392c49e15a3fc36","unresolved":false,"context_lines":[{"line_number":37,"context_line":"enterprise clients using resources that she bought from Alex. She would like to"},{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. 
They need the"},{"line_number":40,"context_line":"ability to create users, projects, and quotas as well as the ability to list"},{"line_number":41,"context_line":"and delete resources across their enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_948893c6","line":40,"updated":"2015-01-30 18:32:13.000000000","message":"how about creating \"groups\" too?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":37,"context_line":"enterprise clients using resources that she bought from Alex. She would like to"},{"line_number":38,"context_line":"offer cloud services to Joe at WidgetMaster, and Sam at SuperDevShop. Joe and"},{"line_number":39,"context_line":"Sam have multiple QA and Development teams with many users. They need the"},{"line_number":40,"context_line":"ability to create users, projects, and quotas as well as the ability to list"},{"line_number":41,"context_line":"and delete resources across their enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. 
She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_3928bf85","line":40,"in_reply_to":"fa81d914_948893c6","updated":"2015-01-30 19:41:38.000000000","message":"Ok, I will add groups in the example.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"e0559c154ddce8dd563a61b65392c49e15a3fc36","unresolved":false,"context_lines":[{"line_number":41,"context_line":"and delete resources across their enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_3443676d","line":44,"updated":"2015-01-30 18:32:13.000000000","message":"Would Alex be able to see the resources under WidgetMaster and SuperDevShop?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":41,"context_line":"and delete resources across their enterprises. Martha needs to be able to set"},{"line_number":42,"context_line":"the quotas for both WidgetMaster and SuperDevShop. 
She also needs to ensure"},{"line_number":43,"context_line":"that Joe and Sam cannot see or manipulate anything owned by each other."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed Change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_19185b74","line":44,"in_reply_to":"fa81d914_3443676d","updated":"2015-01-30 19:41:38.000000000","message":"By default, no: Alex can neither see nor manipulate the resources owned by Sam and Joe, unless she explicitly has a role assignment in their domains.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"e0559c154ddce8dd563a61b65392c49e15a3fc36","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* A sql migration will create a USER_PROJECT and a GROUP_PROJECT role"},{"line_number":70,"context_line":"  assignment for each USER_DOMAIN/GROUP_DOMAIN existing one, after that, all"},{"line_number":71,"context_line":"  \\*_DOMAIN assignments will be removed."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"* We are going to add the ``parent_id`` query parameter for both GET v3/domains"},{"line_number":74,"context_line":"  and v3/projects APIs. 
If it is not specified, these requests should return"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_761ec460","line":71,"updated":"2015-01-30 18:32:13.000000000","message":"Since the assignment now are on project, does this mean the Domain Role Assignment  is being un-supported now?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* A sql migration will create a USER_PROJECT and a GROUP_PROJECT role"},{"line_number":70,"context_line":"  assignment for each USER_DOMAIN/GROUP_DOMAIN existing one, after that, all"},{"line_number":71,"context_line":"  \\*_DOMAIN assignments will be removed."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"* We are going to add the ``parent_id`` query parameter for both GET v3/domains"},{"line_number":74,"context_line":"  and v3/projects APIs. If it is not specified, these requests should return"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_59a2d3fd","line":71,"in_reply_to":"fa81d914_761ec460","updated":"2015-01-30 19:41:38.000000000","message":"No, internally we are just change the type of the assignment, but we are not change anything in the Role Assignment API.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"751e51733d37b5d98efba22f606cf91c7b8d5092","unresolved":false,"context_lines":[{"line_number":102,"context_line":"  related to domain roles, that can improve this role management in"},{"line_number":103,"context_line":"  Hierarchical Multitenancy. 
It is important to observe that the current"},{"line_number":104,"context_line":"  implementation of inherited role assignments consider **only** projects, role"},{"line_number":105,"context_line":"  assignments won\u0027t be inherited in a domain hierarchy."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* To create a non-root domain from an already existing project (i.e. update the"},{"line_number":108,"context_line":"  ``is_domain`` flag from a project) will be possible via both domains and"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_1434a391","line":105,"updated":"2015-01-30 18:07:54.000000000","message":"The initial discussion was that a break-point would be optional on a domain for inheritance [at the summit]. This would mean that some domains prevent inheritance and visibility, some do not.\n\nWe can add this feature to this spec as a minor enhancement after it is merged (should be a separate patch on top of this spec review).","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":102,"context_line":"  related to domain roles, that can improve this role management in"},{"line_number":103,"context_line":"  Hierarchical Multitenancy. It is important to observe that the current"},{"line_number":104,"context_line":"  implementation of inherited role assignments consider **only** projects, role"},{"line_number":105,"context_line":"  assignments won\u0027t be inherited in a domain hierarchy."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* To create a non-root domain from an already existing project (i.e. 
update the"},{"line_number":108,"context_line":"  ``is_domain`` flag from a project) will be possible via both domains and"}],"source_content_type":"text/x-rst","patch_set":25,"id":"da86d52c_49b461f2","line":105,"in_reply_to":"fa81d914_1434a391","updated":"2015-01-30 19:41:38.000000000","message":"Sure, We will implement this feature.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"751e51733d37b5d98efba22f606cf91c7b8d5092","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  ``is_domain`` flag from a project) will be possible via both domains and"},{"line_number":109,"context_line":"  projects APIs: POST v3/domains (create domain passing an ID from an existing"},{"line_number":110,"context_line":"  project) and PATCH v3/projects/\u003cproject_id\u003e (enabling the project"},{"line_number":111,"context_line":"  ``is_domain`` flag)."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_f4d54f1c","line":111,"updated":"2015-01-30 18:07:54.000000000","message":"Pick a single API to change a current project to domain. I believe we talked about the V3 DOMAIN API becoming more of compatibility with V3 pre-HMT than the way to do it. 
Creation of a domain via V3 API should remain the same as it is today (but creating the project, again for compatibility).","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  ``is_domain`` flag from a project) will be possible via both domains and"},{"line_number":109,"context_line":"  projects APIs: POST v3/domains (create domain passing an ID from an existing"},{"line_number":110,"context_line":"  project) and PATCH v3/projects/\u003cproject_id\u003e (enabling the project"},{"line_number":111,"context_line":"  ``is_domain`` flag)."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"}],"source_content_type":"text/x-rst","patch_set":25,"id":"da86d52c_095ee9e9","line":111,"in_reply_to":"fa81d914_b9974f8f","updated":"2015-01-30 19:41:38.000000000","message":"Since we will not implement this update anymore, we will just create new domains.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"94e4453e9f258ef102ec77d9432cd12ecd56c0fb","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  ``is_domain`` flag from a project) will be possible via both domains and"},{"line_number":109,"context_line":"  projects APIs: POST v3/domains (create domain passing an ID from an existing"},{"line_number":110,"context_line":"  project) and PATCH v3/projects/\u003cproject_id\u003e (enabling the project"},{"line_number":111,"context_line":"  ``is_domain`` 
flag)."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_b9974f8f","line":111,"in_reply_to":"fa81d914_f4d54f1c","updated":"2015-01-30 19:04:27.000000000","message":"I agree - I don\u0027t think we want the POST v3/domains as a way of change a project into a domain...","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"6f52ed3e512e3d648a246b8c8098c5342848a0cf","unresolved":false,"context_lines":[{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"},{"line_number":115,"context_line":"  domain passing a parent_id from an existing domain) and POST v3/projects with"},{"line_number":116,"context_line":"  the ``is_domain`` flag enabled and passing a parent_id from an existing"},{"line_number":117,"context_line":"  domain."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_c2f7b457","line":116,"updated":"2015-01-30 14:30:13.000000000","message":"So what happens to projects below this (new) domain.  Imagine root level project A, with a project hierarchy underneath it. One of those 1st level projects (project X) is then updated with is_domain\u003dTrue.  What happens to the sub projects of X.  Are they now \"owned\"  by Domain X or A? I think conceptually, the answer is X.  But don\u0027t then all have domain_id\u003dA in each of their project records?  
Would you recursively go through them and change them to X? I guess we\u0027d have to.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"751e51733d37b5d98efba22f606cf91c7b8d5092","unresolved":false,"context_lines":[{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"},{"line_number":115,"context_line":"  domain passing a parent_id from an existing domain) and POST v3/projects with"},{"line_number":116,"context_line":"  the ``is_domain`` flag enabled and passing a parent_id from an existing"},{"line_number":117,"context_line":"  domain."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_b4c67766","line":116,"in_reply_to":"fa81d914_620e083d","updated":"2015-01-30 18:07:54.000000000","message":"Perhaps we should (initially) not allow conversion of project -\u003e domain to avoid this headache.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"},{"line_number":115,"context_line":"  domain passing a parent_id from an existing domain) and POST v3/projects with"},{"line_number":116,"context_line":"  the ``is_domain`` flag enabled and passing a parent_id from an existing"},{"line_number":117,"context_line":"  
domain."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"da86d52c_c9e69144","line":116,"in_reply_to":"fa81d914_999c4b5f","updated":"2015-01-30 19:41:38.000000000","message":"Ok, i will remove this feature and we can discuss more about this later.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"94e4453e9f258ef102ec77d9432cd12ecd56c0fb","unresolved":false,"context_lines":[{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"},{"line_number":115,"context_line":"  domain passing a parent_id from an existing domain) and POST v3/projects with"},{"line_number":116,"context_line":"  the ``is_domain`` flag enabled and passing a parent_id from an existing"},{"line_number":117,"context_line":"  domain."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_999c4b5f","line":116,"in_reply_to":"fa81d914_b4c67766","updated":"2015-01-30 19:04:27.000000000","message":"Maybe that is a good idea. Here\u0027s another scenario.  Imagine in the scenario I gave above, Domain A had a set of inherited roles assigned to it....which would inherit down to all the projects.  When we turn Project X into a domain, I think what would happen is that all the sub projects under X would suddenly \"lose\" all those inherited roles...since they are no longer owned by Domain A. I think that\u0027s the correct thing....it just may not be what the cloud provider is expecting.  
This obvious relates to Morgan\u0027s comment above on break-points in the hierarchy.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"371fe7bf7cb058517131411362a46bca03b49919","unresolved":false,"context_lines":[{"line_number":113,"context_line":"* To create a new non-root domain (without a previous existing project), will"},{"line_number":114,"context_line":"  be possible via both domains and projects APIs: POST v3/domains (create"},{"line_number":115,"context_line":"  domain passing a parent_id from an existing domain) and POST v3/projects with"},{"line_number":116,"context_line":"  the ``is_domain`` flag enabled and passing a parent_id from an existing"},{"line_number":117,"context_line":"  domain."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_620e083d","line":116,"in_reply_to":"fa81d914_c2f7b457","updated":"2015-01-30 14:43:11.000000000","message":"@Henry,\n\nYes, they will be owned by the domain X, We need to update the domain_id for every project below the hierarchy.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"751e51733d37b5d98efba22f606cf91c7b8d5092","unresolved":false,"context_lines":[{"line_number":212,"context_line":"            }"},{"line_number":213,"context_line":"        }"},{"line_number":214,"context_line":"      }"},{"line_number":215,"context_line":"    }"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Response:"},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_14a90391","line":215,"updated":"2015-01-30 18:07:54.000000000","message":"This needs to be proposed against the API 
docs not here in the spec.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"4337abe1860ac9a3da125e13f14bb93e8cb3d3aa","unresolved":false,"context_lines":[{"line_number":212,"context_line":"            }"},{"line_number":213,"context_line":"        }"},{"line_number":214,"context_line":"      }"},{"line_number":215,"context_line":"    }"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Response:"},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_d4712b45","line":215,"in_reply_to":"fa81d914_14a90391","updated":"2015-01-30 18:08:55.000000000","message":"Make sure to check with Steve Martinelli and mark these apis clearly as experimental in the docs.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":212,"context_line":"            }"},{"line_number":213,"context_line":"        }"},{"line_number":214,"context_line":"      }"},{"line_number":215,"context_line":"    }"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Response:"},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_79fcf772","line":215,"in_reply_to":"fa81d914_d4712b45","updated":"2015-01-30 19:41:38.000000000","message":"I just put this API changes here, to explain better what we intend to do here, but I\u0027ll send a API spec about this changes and I will explain that this API calls are experimental.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":5707,"name":"Henry 
Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"04038819493292488fa6fca49f0fdb858ab61a0e","unresolved":false,"context_lines":[{"line_number":308,"context_line":"        },"},{"line_number":309,"context_line":"        \"scope\": {"},{"line_number":310,"context_line":"            \"domain\": {"},{"line_number":311,"context_line":"                \"name\": \"A.C.B\""},{"line_number":312,"context_line":"            }"},{"line_number":313,"context_line":"        }"},{"line_number":314,"context_line":"      }"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_a2a80021","line":311,"updated":"2015-01-30 14:34:39.000000000","message":"is \u0027.\u0027 a reserved character that cannot already exist in domain or project names?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"94e4453e9f258ef102ec77d9432cd12ecd56c0fb","unresolved":false,"context_lines":[{"line_number":308,"context_line":"        },"},{"line_number":309,"context_line":"        \"scope\": {"},{"line_number":310,"context_line":"            \"domain\": {"},{"line_number":311,"context_line":"                \"name\": \"A.C.B\""},{"line_number":312,"context_line":"            }"},{"line_number":313,"context_line":"        }"},{"line_number":314,"context_line":"      }"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_995b6bf5","line":311,"in_reply_to":"fa81d914_3d5b552f","updated":"2015-01-30 19:04:27.000000000","message":"my point is that it ideally would be reserved already...since what would you do with project/domain name that already contained \u0027.\u0027. I guess we\u0027d have support (internally) an escape character that we would insert before the \u0027.\u0027 on migration, and then strip off before we returned those names via the API. 
Of course the escape character would need to be already reserved...so maybe this is a circular argument!","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"371fe7bf7cb058517131411362a46bca03b49919","unresolved":false,"context_lines":[{"line_number":308,"context_line":"        },"},{"line_number":309,"context_line":"        \"scope\": {"},{"line_number":310,"context_line":"            \"domain\": {"},{"line_number":311,"context_line":"                \"name\": \"A.C.B\""},{"line_number":312,"context_line":"            }"},{"line_number":313,"context_line":"        }"},{"line_number":314,"context_line":"      }"}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_3d5b552f","line":311,"in_reply_to":"fa81d914_a2a80021","updated":"2015-01-30 14:43:11.000000000","message":"Probably we will need a reserved character; we can use \u0027.\u0027 or another character like \u0027/\u0027 or \u0027|\u0027.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"e0559c154ddce8dd563a61b65392c49e15a3fc36","unresolved":false,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"5. Create a constraint to ensure that the parent of a domain will always be"},{"line_number":319,"context_line":"   another domain (in other words: ensure that we won\u0027t a create a domain under"},{"line_number":320,"context_line":"   a project);"},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"6. 
Make the ``is_domain`` property immutable once it is enabled."},{"line_number":323,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"fa81d914_d6493032","line":320,"updated":"2015-01-30 18:32:13.000000000","message":"Would there be a uniqueness check of domain name? Are domain name still globally unique?  \n\nHow about sub domain name will it be unique within the scope of its top-level domain?","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"90f44ec928ef769d3c4bd85d04ee1665cc43c8ad","unresolved":false,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"5. Create a constraint to ensure that the parent of a domain will always be"},{"line_number":319,"context_line":"   another domain (in other words: ensure that we won\u0027t a create a domain under"},{"line_number":320,"context_line":"   a project);"},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"6. 
Make the ``is_domain`` property immutable once it is enabled."},{"line_number":323,"context_line":""}],"source_content_type":"text/x-rst","patch_set":25,"id":"da86d52c_c9f13197","line":320,"in_reply_to":"fa81d914_d6493032","updated":"2015-01-30 19:41:38.000000000","message":"A domain name will be unique in the same hierarchy.","commit_id":"fe5b099a24d1825248af73b6b49a4278b1b7f90f"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"3c52b0adf75d6451db45e8a0dfc133cd4e2e14ca","unresolved":false,"context_lines":[{"line_number":206,"context_line":"            }"},{"line_number":207,"context_line":"        }"},{"line_number":208,"context_line":"      }"},{"line_number":209,"context_line":"    }"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Response:"},{"line_number":212,"context_line":""}],"source_content_type":"text/x-rst","patch_set":27,"id":"da86d52c_14c18780","line":209,"updated":"2015-02-01 21:41:49.000000000","message":"All these API changes really need to be removed. They need to be proposed against the API spec.  
Its confusing to have them here and sets a bad precedent that we don\u0027t want others to see and copy :-)  If need be add a paragraph to describe your intentions but please remove from here as soon as you can.","commit_id":"d813b89db1e8d74efbb12cef0487e8135a14bf3c"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"6c95c507aa57fdc361050bc9d86806be178cb820","unresolved":false,"context_lines":[{"line_number":206,"context_line":"            }"},{"line_number":207,"context_line":"        }"},{"line_number":208,"context_line":"      }"},{"line_number":209,"context_line":"    }"},{"line_number":210,"context_line":""},{"line_number":211,"context_line":"Response:"},{"line_number":212,"context_line":""}],"source_content_type":"text/x-rst","patch_set":27,"id":"da86d52c_2e6aaa1a","line":209,"in_reply_to":"da86d52c_14c18780","updated":"2015-02-02 09:57:08.000000000","message":"Hi Brad, we added those API changes as base to explain the intent behind dual scoped tokens. We are aware about the need to add an API spec change itself and are not considering having its documented here, we were first seeking for feedback for the approach in order to validate other change like in the API.\n\nWe will submit the API spec changes today, thanks!","commit_id":"d813b89db1e8d74efbb12cef0487e8135a14bf3c"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"3ea414c11ccb9c8ceba3e4a68e17a642fa07e1f2","unresolved":false,"context_lines":[{"line_number":81,"context_line":"It is also important to note the following rules/restrictions:"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":84,"context_line":"  behaves like a domain, never under a project that has not the domain feature."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":87,"context_line":"  inherited role assignments to manage the grants between user/groups and the"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_20bffcfc","line":84,"updated":"2015-02-02 20:15:11.000000000","message":"Lets make it explicit, like\n\nA project with the \"is_domain\" flag set to \"true\" can only be either a root project or a child project to a project who also have the \"is_domain\" flag set to \"true\". Moreover, the \"is_domain\" flag is immutable.","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"31d9aad4d62b6e5a9a852061d5e409fc9d1107f4","unresolved":false,"context_lines":[{"line_number":81,"context_line":"It is also important to note the following rules/restrictions:"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":84,"context_line":"  behaves like a domain, never under a project that has not the domain feature."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":87,"context_line":"  inherited role assignments to manage the grants between user/groups and the"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_ba2158a1","line":84,"in_reply_to":"da86d52c_20bffcfc","updated":"2015-02-02 20:20:25.000000000","message":"++","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"6083a0ed0fb8293cb2728d0c199abdcead15ec71","unresolved":false,"context_lines":[{"line_number":81,"context_line":"It is also important to note the following rules/restrictions:"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":84,"context_line":"  behaves like a domain, never under a project that has not the domain feature."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":87,"context_line":"  inherited role assignments to manage the grants between user/groups and the"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_4185b6ce","line":84,"in_reply_to":"da86d52c_540ae421","updated":"2015-02-03 12:16:08.000000000","message":"Great, I\u0027ll fix that and I\u0027ll ping you in #openstack-keystone","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":6460,"name":"Brad Topol","email":"btopol@us.ibm.com","username":"btopol"},"change_message_id":"4bbbb4683c68c71e55939bd35514295506c7f40e","unresolved":false,"context_lines":[{"line_number":81,"context_line":"It is also important to note the following rules/restrictions:"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"* The domains will only be created under another domain i.e. 
a project that"},{"line_number":84,"context_line":"  behaves like a domain, never under a project that has not the domain feature."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* Regarding role assignments management, it will be possible to use the"},{"line_number":87,"context_line":"  inherited role assignments to manage the grants between user/groups and the"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_540ae421","line":84,"in_reply_to":"da86d52c_ba2158a1","updated":"2015-02-03 05:23:15.000000000","message":"Once you take care of Guang-yee\u0027s comment I am a +2","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"3ea414c11ccb9c8ceba3e4a68e17a642fa07e1f2","unresolved":false,"context_lines":[{"line_number":90,"context_line":"  the resources owned by Sam and Joe, unless she either explicitly has a role"},{"line_number":91,"context_line":"  assignment in their domains or has an inherited role assignment in"},{"line_number":92,"context_line":"  ProductionIT. In the same way Joe and Sam can not see anything owned by"},{"line_number":93,"context_line":"  Martha unless she gives them a role on her domain."},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Note that today we can use the current role assignments mechanism to grant"},{"line_number":96,"context_line":"  roles in the hierarchy for users and groups, for a better usability to manage"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_8664404a","line":93,"updated":"2015-02-02 20:15:11.000000000","message":"So the \"inhered to projects\" role assignment will propagate all the way down the tree? 
Including the ones with \"is_domain\" set to \"true\"?","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"31d9aad4d62b6e5a9a852061d5e409fc9d1107f4","unresolved":false,"context_lines":[{"line_number":90,"context_line":"  the resources owned by Sam and Joe, unless she either explicitly has a role"},{"line_number":91,"context_line":"  assignment in their domains or has an inherited role assignment in"},{"line_number":92,"context_line":"  ProductionIT. In the same way Joe and Sam can not see anything owned by"},{"line_number":93,"context_line":"  Martha unless she gives them a role on her domain."},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Note that today we can use the current role assignments mechanism to grant"},{"line_number":96,"context_line":"  roles in the hierarchy for users and groups, for a better usability to manage"}],"source_content_type":"text/x-rst","patch_set":28,"id":"da86d52c_3a1e4864","line":93,"in_reply_to":"da86d52c_8664404a","updated":"2015-02-02 20:20:25.000000000","message":"they won\u0027t, see the point below","commit_id":"c5410496f9a3ca642e97699a71e5c531e7ec0000"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"a1a5b10986c61800af33442bcc2b68502e2ebf29","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain 
assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_65018f04","line":71,"updated":"2015-02-05 04:50:26.000000000","message":"does this mean domain and project role assignments are now the same?\n\nIf those assignment will still be treated separately, would there be an indicator needed in the role assignment table?","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"5b321f956f637d05b3e6c6d3db21e691257c01b4","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_c47a2287","line":71,"in_reply_to":"da86d52c_095d3379","updated":"2015-02-05 17:54:35.000000000","message":"Hi @Lin, I just think that we can clarify this in the API spec ( https://review.openstack.org/#/c/153007/) , since that is the official documentation, and we can explain better this using the API calls as reference. 
Sounds good for you?","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"9ff28be3ac071686085fb1db6c29f7382e074a21","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_095d3379","line":71,"in_reply_to":"da86d52c_2ace762e","updated":"2015-02-05 17:47:44.000000000","message":"@Henry: Regarding your point 2), if all queries would yield the same result. That means the two roles assignment would still be there, but they don\u0027t work the same way (not really backward compatible).  The separation of roles between domain and project role assignment is not there.   \n\nIf we are going with that approach, I believe this deserves to be mentioned in the specs. It would benefit someone unfamiliar to understand the big picture of the changes, so they don\u0027t have to read all the comments in this patch :)\n\n@Rodrigo: If the user have to create separate roles for domain and project roles, the data migration script would not handle that since it will just join all roles.  
I think this also needs to be described in the spec.","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"4b1d925cf3b7e9ffec185c01994aceffb1c24a70","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_fb98b71d","line":71,"in_reply_to":"da86d52c_65018f04","updated":"2015-02-05 12:12:02.000000000","message":"So this is the area I am still a little uneasy about, but can\u0027t actually come up with an issue with what is proposed.  Since domains are now projects...there is no effective difference between a role (inherited or otherwise) placed on a project (where is_domain\u003dTrue) and a domain assignment in the current model. Both only affect the sub-projects of the entity they are placed on.\n\nA few clarifications we need to make:\n\n1) Is explicitly assigning a role to a domain (using the role assignment API) still supported.  
The answer must be YES for backward compatibility.\n\n2) Assuming 1), as well as the migration case, all the following should give me the same answer (for a project that has is_domain\u003dTrue)\n\n* GET /role_assignments?user_id\u003d{user_id}\u0026domain_id\u003d{project_id}\n* GET /domains/{project_id}/users/{user_id}/roles\n* GET /role_assignments?user_id\u003d{user_id}\u0026project_id\u003d{project_id}\n* GET /projects/{project_id}/users/{user_id}/roles\n\n3) I *think* that because in the current model the type of assignment (i.e. USER_PROJECT or USER_DOMAIN) is simply dictated by which API was called to assign it, then we are safe with merging these two (and the GROUP equivalents)...although I still twitch slightly at the idea...but can\u0027t think of a good reason why this is a bad thing, so no sure we should hold up this spec.","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"675a0e47df106df1863610db97693f21685b0bee","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_2ace762e","line":71,"in_reply_to":"da86d52c_aacfc654","updated":"2015-02-05 12:54:42.000000000","message":"Besides that, if an operator wants to split responsibilities (project -\u003e handle resources, domain -\u003e handle identity) it is possible by creating two different roles (domain_admin and project_admin) and properly using them in the policy 
file","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"a919eb1e931316865f79132d4534ec112d47ccab","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_aacfc654","line":71,"in_reply_to":"da86d52c_b6a9f625","updated":"2015-02-05 12:48:36.000000000","message":"Actually, doesn\u0027t make sense to deny a project operation to a project entity... And regarding giving \"domain\" powers via a project call, it is expected isn\u0027t? 
Since our current plan is to merge both entities and their APIs.","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"afa087c8279acbbca4fca52b668b2dcff75062c1","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_b6a9f625","line":71,"in_reply_to":"da86d52c_b6e496ac","updated":"2015-02-05 12:31:04.000000000","message":"Yes, that is what I\u0027d expect... Otherwise you wouldn\u0027t know if you are giving domain or project powers to a user.","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":1941,"name":"Lin Hua Cheng","email":"os.lcheng@gmail.com","username":"lin-hua-cheng"},"change_message_id":"93da8896bb1f256b20958f03a653587bb41aa9f3","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_c4c06252","line":71,"in_reply_to":"da86d52c_c47a2287","updated":"2015-02-05 18:01:42.000000000","message":"I am fine with that, as long as it is 
documented somewhere. :)","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"312af6e419cbae32133508e6c2e24605bdaf5f26","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_b6e496ac","line":71,"in_reply_to":"da86d52c_f6d60e27","updated":"2015-02-05 12:29:00.000000000","message":"So I agree with your first point, but for the second, that\u0027s not what I expected! Why wouldn\u0027t the assignments appear in /role_assignments?scope.project.id\u003d{project_id})?  
And are you saying I couldn\u0027t use:\n\nPOST /projects/{project_id}/users/{user_id}/roles/{role_id} to a project that has the is_domain flag set?","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"3dc07ef4d1e6b97a270ab9fbc29b62ae5fc75914","unresolved":false,"context_lines":[{"line_number":68,"context_line":"    parent_id set to match their domain_id"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":" ** Ceate a USER-PROJECT and a GROUP-PROJECT role assignment for each"},{"line_number":71,"context_line":"    USER-DOMAIN/GROUP-DOMAIN existing"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":" ** Delete all domain assignments."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_f6d60e27","line":71,"in_reply_to":"da86d52c_fb98b71d","updated":"2015-02-05 12:21:44.000000000","message":"Regarding 1), we need to make it possible to assign a domain role only once a project has the \"is_domain\" flag enabled; this means that once a project has become a domain, all its assignments will work as domain assignments (these assignments won\u0027t appear in GET /role_assignments?scope.project.id\u003d{project_id}).\n\n@Lin, this sounds ok for you? Do you have any use case where this behavior isn\u0027t desirable?","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"4b1d925cf3b7e9ffec185c01994aceffb1c24a70","unresolved":false,"context_lines":[{"line_number":102,"context_line":"  related to domain roles, that can improve this role management in"},{"line_number":103,"context_line":"  Hierarchical Multitenancy. 
It is important to observe that the current"},{"line_number":104,"context_line":"  implementation of inherited role assignments consider **only** projects, role"},{"line_number":105,"context_line":"  assignments won\u0027t be inherited in a domain hierarchy."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* Creating a new non-root domain will be possible via both domains and"},{"line_number":108,"context_line":"  projects APIs: POST v3/domains (create domain passing a parent_id from an"}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_5be0e3f9","line":105,"updated":"2015-02-05 12:12:02.000000000","message":"I think what you mean is that \"inherited role assignments are only inherited to projects that are not acting as a domain (i.e. those with is_domain \u003d False).  This implies that inherited assignments will have no effect if placed on a domain which has only domains as children.  This clarification shouldn\u0027t hold up the approval of this spec.","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"3dc07ef4d1e6b97a270ab9fbc29b62ae5fc75914","unresolved":false,"context_lines":[{"line_number":102,"context_line":"  related to domain roles, that can improve this role management in"},{"line_number":103,"context_line":"  Hierarchical Multitenancy. 
It is important to observe that the current"},{"line_number":104,"context_line":"  implementation of inherited role assignments consider **only** projects, role"},{"line_number":105,"context_line":"  assignments won\u0027t be inherited in a domain hierarchy."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* Creating a new non-root domain will be possible via both domains and"},{"line_number":108,"context_line":"  projects APIs: POST v3/domains (create domain passing a parent_id from an"}],"source_content_type":"text/x-rst","patch_set":29,"id":"da86d52c_16dac24b","line":105,"in_reply_to":"da86d52c_5be0e3f9","updated":"2015-02-05 12:21:44.000000000","message":"Exactly! :)","commit_id":"18d6094ec9e70215021f84d4176675c52353f814"}]}
