RFE: Unified Delegation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | | Wishlist | Unassigned |
Bug Description
Both assignments and trusts serve a single purpose, to delegate roles on a resource (e.g., system, domain, project) to the actor (e.g., user or group).
This RFE proposes a new delegation model containing the following information:
- trustee (user or group)
- roles to be delegated
- resource (domain or project)
- usage restrictions
- source of delegation - actor, who delegates the scope
A valid delegation must be auditable. To allow this, keystone must maintain chain consistency and do the right thing when a chain of delegation is broken. A valid delegation must be optionally restricted so that it can be used for a defined workflow and nothing more.
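An added example, not part of the original report and not keystone code: an audit over delegation records carrying the fields listed above, which flags every delegation whose chain is broken. The materialized `path` field, the validity rules (the delegator must be the parent's trustee; resource and roles may not exceed the parent's) and all names are assumptions; usage restrictions are left out.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Delegation:
    id: str
    delegator: str         # source of delegation
    trustee: str           # user or group receiving the roles
    roles: frozenset       # roles to be delegated
    resource: str          # domain or project
    path: str              # assumed materialized path: ancestor ids + own id
    revoked: bool = False

def audit_chains(delegations):
    """Return {delegation id: reason} for every delegation that is not valid."""
    by_id = {d.id: d for d in delegations}
    broken = {}
    # Shallow paths first, so a parent is always judged before its children.
    for d in sorted(delegations, key=lambda d: d.path.count("/")):
        *ancestors, own = d.path.split("/")
        parent = by_id.get(ancestors[-1]) if ancestors else None
        if own != d.id:
            broken[d.id] = "path does not end in own id"
        elif d.revoked:
            broken[d.id] = "revoked"
        elif not ancestors:
            continue  # root delegation: assumed backed by a direct grant
        elif parent is None:
            broken[d.id] = "parent missing"
        elif parent.path != "/".join(ancestors):
            broken[d.id] = "path inconsistent with parent"
        elif parent.id in broken:
            broken[d.id] = "ancestor broken"
        elif d.delegator != parent.trustee:
            broken[d.id] = "delegator is not the parent's trustee"
        elif d.resource != parent.resource or not d.roles <= parent.roles:
            broken[d.id] = "exceeds parent's scope"
    return broken

def revoke(delegations, target_id):
    """Return a copy of the list with one delegation marked revoked."""
    return [replace(d, revoked=True) if d.id == target_id else d for d in delegations]

# Constructed sample: alice -> bob -> carol -> dave, plus bob trying to hand out "admin".
SAMPLE = [
    Delegation("d1", "alice", "bob", frozenset({"member", "reader"}), "project-x", "d1"),
    Delegation("d2", "bob", "carol", frozenset({"reader"}), "project-x", "d1/d2"),
    Delegation("d3", "carol", "dave", frozenset({"reader"}), "project-x", "d1/d2/d3"),
    Delegation("d4", "bob", "eve", frozenset({"admin"}), "project-x", "d1/d4"),
]
```

Calling `audit_chains(revoke(SAMPLE, "d2"))` shows the cascade: revoking the middle link also invalidates `d3`, which depended on it.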
Lance Bragstad (lbragstad) wrote : | #1 |
Lance Bragstad (lbragstad) wrote : | #2 |
The following patches work towards this initiative, or its dependencies:
Unified delegation model: https:/
Unified delegation driver: https:/
Unified delegation migration: https:/
SQLAlchemy column type for materialized path: https:/
Use path hybrid property in query filtering: https:/
Materialized path convenience wrapper: https:/
Unified delegation manager skeleton: https:/
Trust manager using unified delegation: https:/
Assignment manager using unified delegation: https:/
Unified delegation SQL driver: https:/
Unified delegation assignment driver: https:/
WIP/DNM Unified delegation trust driver: https:/
Delegation parent discovery function: https:/
OAuth1 driver for unified delegation: https:/
Cross API unified delegation test: https:/
tags: added: rfe
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Specification review: https://review.openstack.org/#/c/189816/
Specification doc: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html