Catching up on this bug, if I understand well, the initial issue was that there wasn't a way to grant admin-ness on a project without granting total control over all OpenStack resources.
I think that this can now be achieved by defining appropriate roles and policy rules.
For instance we can create a `project_admin` role that only allows a project admin to grant the `Member` role on his own project to other users, with the following rule:
"identity:create_grant": "role:project_admin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s"
Although the last condition needs the following patch, which allows checking context variables against constants during the policy enforcement phase: https://review.openstack.org/#/c/68176/
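An added illustration, not part of the original comment and not Keystone or oslo.policy code: a simplified evaluator showing how the three conditions of the rule above scope a `project_admin` to granting only `Member` on their own project. The helper names (`check`, `enforce`, `grant_target`) and the sample project IDs are hypothetical, and only `and`-joined `kind:match` checks are supported.

```python
import ast

# The rule from the comment above, split over two string literals.
RULE = ("role:project_admin and project_id:%(target.project.id)s "
        "and 'Member':%(target.role.name)s")

def check(kind, match, target, creds):
    """Evaluate one 'kind:match' term against the target and the caller's credentials."""
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        expected = match % target        # fill %(target.x)s from the flattened target
    except KeyError:
        return False                     # attribute missing from target: deny
    try:
        left = ast.literal_eval(kind)    # quoted constant, e.g. 'Member'
    except (ValueError, SyntaxError):
        left = creds.get(kind)           # otherwise a credential attribute
    return left is not None and str(left) == expected

def enforce(rule, target, creds):
    """Allow only if every 'and'-joined term passes (no 'or'/'not' handling here)."""
    return all(check(*term.strip().split(":", 1), target, creds)
               for term in rule.split(" and "))

def grant_target(project_id, role_name):
    """Constructed, flattened target for an identity:create_grant request."""
    return {"target.project.id": project_id, "target.role.name": role_name}

# Constructed sample credentials: a project_admin scoped to project "proj-a".
ADMIN_A = {"roles": ["project_admin"], "project_id": "proj-a"}
PLAIN_A = {"roles": ["Member"], "project_id": "proj-a"}

if __name__ == "__main__":
    cases = [
        ("own project, Member role", ADMIN_A, grant_target("proj-a", "Member")),
        ("own project, admin role", ADMIN_A, grant_target("proj-a", "admin")),
        ("other project, Member role", ADMIN_A, grant_target("proj-b", "Member")),
        ("caller lacks project_admin", PLAIN_A, grant_target("proj-a", "Member")),
    ]
    for label, creds, target in cases:
        print(f"{label}: {'allow' if enforce(RULE, target, creds) else 'deny'}")
```
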