Comment 3 for bug 1435827

Revision history for this message
Stanislaw Bogatkin (sbogatkin) wrote :

Seems that it is a little problematic to fix this bug in current release due to the fact that:

1. We need to create read-only oswl role in keystone and add workload user to it.
2. Need to change all according policies for all services that oswl use
3. I start digging from keystone. For keystone we need:
4. Move from v2 API to v3 due to the fact that keystone v2 API doesn't use policy file for RBAC and use admin user only [1]. It seems to be true everywhere (for RH, for example: [2])
5. If we move to API v3 then we cannot use cli part of python-keystoneclient (see [3]). It is bad for user expirience. I suppose, that it is done due to:
6. All cli parts from python-*client utilities slowly move to OpenStackClient (OSC) [4]. But OSC doesn't support part of functionality from old clients (for example, see neutron part from [5]). We cannot use python-neutronclient and OSC simultaneously, cause python-neutronclient doesn't support auth by keystone v3 API. I found some articles that said than if we will expose keystone api in format http://ip:port/ instead of http://ip:port/v2.0 or http://ip:port/v3 then newer clients will choose keystone API version that they support. Alas, our current clients cannot do this (and try to test every newest client for every service to create one read-only user will get too much time).

So, I move this bug to next release due to this huge amount of work that should be done to fix it now properly.

[1] https://bugs.launchpad.net/keystone/+bug/1350879
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1125333
[3] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/shell.py#L402-L412
[4] http://docs.openstack.org/developer/python-openstackclient/
[5] https://wiki.openstack.org/wiki/OpenStackClient/Commands