[RFE] system scope and scoped RBAC: support enforce_scope on Queens+ deployments
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Keystone Charm | Triaged | Wishlist | Unassigned |
Bug Description
Upstream Keystone is progressing with better scoping of tokens and policies to address the following bugs:
https:/
https:/
As of keystone there is now a "system" scope in addition to domain and project-level scopes.
Over time charms need to be converted to support setups with system-scope admins where the enforce_scope option is set to True:
https:/
https:/
https:/
It will also require modifications of default policy files or their modification/
1) policy.json/yaml customization via policy_dirs https:/
(discontinued)
2) verb + URL API-based checks for scoped RBAC https:/
Currently we hard-code admin_domain_id and service_tenant_id for policy rules while we could simply use system-scoped admin roles in the future.
https:/
`keystone-manage bootstrap` as of Queens
https:/
https:/
"Keystone now supports the ability to assign roles to users and groups on the system. As a result, users and groups with system role assignment will be able to request system-scoped tokens. Additional logic has been added to keystone-manage bootstrap to ensure the administrator has a role on the project and system."
An example of how to create a system-scoped token via the keystone API (openstack client support seems to be missing at the time of writing) with a notably different scope section in the request:
openstack user list --domain admin_domain
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 24c00642cc954b108a612a60c190e80a | test  |
| c35ddbaea658492baa16c7e15a14320f | admin |
+----------------------------------+-------+

openstack user list --domain a
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0009487964b148c5aa8f1f004109fc93 | usera |
| 300be329708e40d6a2266d738233e96e | adma  |
+----------------------------------+-------+

openstack role list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 2c998c11b22d40cd98e617060447579e | Admin   |
| ceaeb81722d74385ab82c9a38ff54e2a | Member  |
| cecb51748dec4348b3028616dfbf711c | service |
+----------------------------------+---------+

openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role                             | User                             | Group | Project                          | Domain                           | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+-----------+
| 2c998c11b22d40cd98e617060447579e | 0009487964b148c5aa8f1f004109fc93 |       | 55d11414559d400796c0a96b2b6f9862 |                                  | False     |
| 2c998c11b22d40cd98e617060447579e | 0009487964b148c5aa8f1f004109fc93 |       | 92bb8ef45f3c490c9b0588b1bf6b0c1b |                                  | False     |
| 2c998c11b22d40cd98e617060447579e | 0009487964b148c5aa8f1f004109fc93 |       |                                  | 2c0d6ccea9c94017a613cdb195877176 | False     |
| ceaeb81722d74385ab82c9a38ff54e2a | 0009487964b148c5aa8f1f004109fc93 |       |                                  | 40635a04cf954b5f9d7f717e8da23b26 | False     |
| 2c998c11b22d40cd98e617060447579e | 0009487964b148c5aa8f1f004109fc93 |       |                                  | 6c2a44b399f14ec5899696526d3c2cc9 | False     |
| 2c998c11b22d40cd98e617060447579e | 1279d1c3e7444dd799915948ab166cc6 |       | 8ed89949272545a68a36e5fd30f062ab |                                  | False     |
| 2c998c11b22d40cd98e617060447579e | 2091908c458d4c29b80da77cbbb34318 |       | c15d9ac702b84f12a622536a9aeaa399 |                                  | False     |
| 2c998c11b22d40cd98e617060447579e | 300be329708e40d6a2266d738233e96e |       |                                  | 40635a04cf954b5f9d7f717e8da23b26 | False     |
| 2c998c11b22d40cd98e617060447579e | 36b8d20cb3ca4805a0e68f3f17d7ea39 |       | c15d9ac702b84f12a622536a9aeaa399 |                                  | False     |
| 2c998c11b22d40cd98e617060447579e | 411eb24f18274a4ead12d40b32dd95e...
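The bug description refers to a system-scoped token request whose scope section differs from a project-scoped one, but the request itself did not survive on the page. The following is an added example, not part of the bug report and not the charm's or keystone's own code: it builds the Keystone v3 POST /v3/auth/tokens body for unscoped, system-, domain- and project-scoped requests (system scope uses the documented `{"system": {"all": true}}` form) and classifies a token response by the scope it carries. The `request_token` helper makes a real HTTP call and is only there for use against a live keystone; the `auth_url` value and the `SAMPLE_SYSTEM_TOKEN` response are constructed for illustration.

```python
"""Keystone v3 token requests with system/domain/project scope.

Added example for the scope section of /v3/auth/tokens; the sample
response below is constructed, not captured from a deployment.
"""
import json
import urllib.request
from typing import Optional


def build_auth_request(username: str, password: str, user_domain: str,
                       scope: Optional[dict] = None) -> dict:
    """Return the JSON body for POST /v3/auth/tokens.

    scope is one of:
      None                         -> unscoped token
      system_scope()               -> system-scoped token (Queens+)
      {"domain": {"name": "..."}}  -> domain-scoped token
      project_scope(...)           -> project-scoped token
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            }
        }
    }
    if scope is not None:
        body["auth"]["scope"] = scope
    return body


def system_scope() -> dict:
    # "all" is the only system target the v3 API accepts.
    return {"system": {"all": True}}


def project_scope(project: str, project_domain: str) -> dict:
    # Project scope is what the charms hard-code today (admin_domain_id,
    # service_tenant_id); compare the shape with system_scope().
    return {"project": {"name": project, "domain": {"name": project_domain}}}


def token_scope(token_response: dict) -> str:
    """Classify a /v3/auth/tokens response as system/project/domain/unscoped.

    A system-scoped token carries "system": {"all": true} at the token
    level and no "project" or "domain" key; with enforce_scope=True,
    oslo.policy's scope_types checks key on exactly this distinction.
    """
    token = token_response["token"]
    if token.get("system", {}).get("all") is True:
        return "system"
    if "project" in token:
        return "project"
    if "domain" in token:
        return "domain"
    return "unscoped"


def request_token(auth_url: str, body: dict) -> tuple:
    """POST body to <auth_url>/v3/auth/tokens; returns (token_id, response).

    Live network call, not exercised offline. auth_url is assumed to be the
    public identity endpoint, e.g. "https://keystone.example:5000".
    """
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/v3/auth/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


# Constructed response shaped like keystone's reply to a system-scoped
# request (fields trimmed to the ones relevant to scope classification).
SAMPLE_SYSTEM_TOKEN = {
    "token": {
        "methods": ["password"],
        "system": {"all": True},
        "roles": [{"id": "0123456789abcdef0123456789abcdef", "name": "Admin"}],
        "user": {"name": "admin", "domain": {"name": "admin_domain"}},
        "catalog": [],
    }
}


if __name__ == "__main__":
    sys_body = build_auth_request("admin", "secret", "admin_domain", system_scope())
    prj_body = build_auth_request("admin", "secret", "admin_domain",
                                  project_scope("admin", "admin_domain"))
    print(json.dumps(sys_body["auth"]["scope"]))   # system scope section
    print(json.dumps(prj_body["auth"]["scope"]))   # project scope section
    print(token_scope(SAMPLE_SYSTEM_TOKEN))
```

Only the scope section changes between the two requests; the identity block is identical. A user who holds the system role assignment that `keystone-manage bootstrap` creates as of Queens can obtain the system-scoped form, and a service running with enforce_scope=True will reject a project-scoped admin token on rules whose scope_types are limited to system.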