* `project-member:<project>` - | ||
Roles of this form represent the scopes accorded to members of the given project. | ||
This role is then be assumed by the appropriate groups. | ||
The scopes associated with a `project-member` role are: |
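Review bot: The second sentence of the `project-member:<project>` entry, "This role is then be assumed by the appropriate groups", is ungrammatical and leaves the security-relevant detail unstated. Suggest "This role is then assumed by the appropriate groups", and name which groups are meant or link to where that mapping is defined, so a reader can tell who actually ends up holding the scopes listed under this role.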
I would think that members of a project should get the scope `assume:project:<project>:*`.
I'm not entirely sure how the `project:<project>:...` role-pattern is supposed to be used?
When you say "controlled by the corresponding project" that seems weird...
I may be wrong... but let's say releng does a special nightly project which is a server that runs nightly builds.
I would think the role `project:releng:nightly-cron` is then given to the client-id that the cron server has, right?
Or do you think that the server would be allowed to programmatically create roles of the form `project:releng:nightly-cron:*`??
Most of this looks good... But I'm not sure I have brain cycles to consider the @djmitche, so I think we have to rethink the scope-delegation stuff... Particularly, what scopes protect There are some problems with respect to activate and login and preventing people from persisting scopes after they've been revoked. Note: it's also possible that this doesn't have to be solved perfectly at first... But I suspect it would be bad not to, since we've built a bit to get to this point.
A use-case for I chose I wouldn't mind switching to As for delegation, I need you to spell out the problems you're seeing explicitly. With the addition of projects, I think the current plan covers all of the use-cases I know of.
Oh, yeah that seems unrelated to this... My concern is a different use-case, nvm... I'll think a bit about the
@jonasfj: would
I'm going to land this since it's documenting what's in place now. It's easy to change later (easier if I do it programmatically rather than copy/pasting scopes in the tools UI!) and we can just adjust the docs at that time.
A few changes, but the `project-member:<project>` one is the one I'm particularly interested in getting feedback on.