Shadow users: work item to relax mapping requirements

This addresses an unaddressed comment from the original spec review. See Steve's item "6" on line 38: https://review.openstack.org/#/c/296123/1/specs/newton/shadow-users.rst Change-Id: Id5290c6982565803d82495a6707cb2991dc9ac46
2016-03-30 12:22:25 -05:00 · 2016-03-30 12:22:25 -05:00 · a71e5b2518
parent 9253062353
commit a71e5b2518
1 changed files with 5 additions and 0 deletions
--- a/specs/keystone/newton/shadow-users-newton.rst
+++ b/specs/keystone/newton/shadow-users-newton.rst
@ -55,6 +55,11 @@ for the originally-proposed changes and additional detail.
   no longer ephemeral, we can ignore the "ephemeral" vs "local" user type and
   treat all users equally.

+#. **Relax the requirement for mappings to result in group memberships.** Now
+   that we're able to grant authorization to federated users using concrete
+   role assignments, we can drop the requirement for the mapping engine to
+   result in any authorization (via group membership) at all.
+
 Alternatives
 ------------