RFE: Unified Delegation

Bug #1816115 reported by Lance Bragstad on 2019-02-15
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Both assignments and trusts serve a single purpose, to delegate roles on a resource (e.g., system, domain, project) to the actor (e.g., user or group).

This RFE proposes a new delegation model containing the following information:

 - trustee (user or group)
 - roles to be delegated
 - resource (domain or project)
 - usage restrictions
 - source of delegation - actor, who delegates the scope

A valid delegation must be auditable. To allow this, keystone must maintain chain consistency and do the right thing when a chain of delegation is broken. A valid delegation must be optionally restricted so that it can be used for a defined workflow and nothing more.

Tags: rfe
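
Added example (not part of the bug report and not keystone code): a sketch of the delegation record listed in the description, with an audit that walks a chain back to its root and reports where it breaks. The parent_id link, the remaining_uses restriction, and the rule that a re-delegation may not exceed its parent's roles or resource are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    id: str
    trustee: str                      # user or group receiving the roles
    roles: frozenset                  # roles to be delegated
    resource: str                     # domain or project
    delegator: str                    # source of delegation (actor who delegates)
    parent_id: Optional[str] = None   # assumed link to the delegator's own delegation
    remaining_uses: Optional[int] = None  # assumed form of usage restriction
    revoked: bool = False


def audit_chain(store, delegation_id):
    """Walk a delegation back to its root. Returns (valid, reason, path)."""
    path, child, current = [], None, delegation_id
    while current is not None:
        if current in path:
            return False, "cycle at " + current, path
        d = store.get(current)
        if d is None:
            return False, "missing link " + current, path
        path.append(current)
        if d.revoked:
            return False, "revoked link " + current, path
        if d.remaining_uses is not None and d.remaining_uses <= 0:
            return False, "exhausted link " + current, path
        if child is not None:
            if child.delegator != d.trustee:
                return False, child.id + " not issued by trustee of " + d.id, path
            if child.resource != d.resource or not child.roles <= d.roles:
                return False, child.id + " exceeds scope of " + d.id, path
        child, current = d, d.parent_id
    return True, "ok", path


def sample_store():
    """Constructed sample data: admin -> alice -> bob -> carol on one project."""
    rows = [
        Delegation("d1", "alice", frozenset({"admin", "member"}), "project-x", "admin"),
        Delegation("d2", "bob", frozenset({"member"}), "project-x", "alice", "d1"),
        Delegation("d3", "carol", frozenset({"member"}), "project-x", "bob", "d2", 1),
        Delegation("d4", "dave", frozenset({"admin"}), "project-x", "bob", "d2"),
    ]
    return {d.id: d for d in rows}
```

The returned path is the audit trail: every delegation id visited before the chain was found valid or broken.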
Lance Bragstad (lbragstad) wrote :

The following patches work towards this initiative, or its dependencies:

Unified delegation model: https://review.openstack.org/208488
Unified delegation driver: https://review.openstack.org/209600
Unified delegation migration: https://review.openstack.org/237047
SQLAlchemy column type for materialized path: https://review.openstack.org/251445
Use path hybrid property in query filtering: https://review.openstack.org/251513
Materialized path convenience wrapper: https://review.openstack.org/251455
Unified delegation manager skeleton: https://review.openstack.org/253124
Trust manager using unified delegation: https://review.openstack.org/257378
Assignment manager using unified delegation: https://review.openstack.org/257527
Unified delegation SQL driver: https://review.openstack.org/260686
Unified delegation assignment driver: https://review.openstack.org/291318
WIP/DNM Unified delegation trust driver: https://review.openstack.org/291871
Delegation parent discovery function: https://review.openstack.org/330573
OAuth1 driver for unified delegation: https://review.openstack.org/370965
Cross API unified delegation test: https://review.openstack.org/384638

tags: added: rfe
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist