RFE: Unified Delegation

Bug #1816115 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Both assignments and trusts serve a single purpose, to delegate roles on a resource (e.g., system, domain, project) to the actor (e.g., user or group).

This RFE proposes a new delegation model containing the following information:

 - trustee (user or group)
 - roles to be delegated
 - resource (domain or project)
 - usage restrictions
 - source of delegation: the actor who delegates the scope

A valid delegation must be auditable. To allow this, keystone must maintain chain consistency and do the right thing when a chain of delegation is broken. A valid delegation must be optionally restricted so that it can be used for a defined workflow and nothing more.

Tags: rfe
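
An illustrative sketch of the delegation record and chain check described in the report. It is added here and is not code from keystone or from the patches linked on this page. The names `Delegation`, `check_chain`, `max_uses`, `parent_id` and the in-memory `STORE` are hypothetical. The validity rules are also assumptions about what "chain consistency" could mean: a re-delegation may not exceed its parent's roles or change its resource, and a revoked or missing ancestor invalidates every descendant.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical record holding the five fields the RFE lists; not keystone's schema.
@dataclass(frozen=True)
class Delegation:
    id: str
    delegator: str                   # source of delegation
    trustee: str                     # user or group receiving the roles
    roles: frozenset
    resource: str                    # domain or project
    max_uses: Optional[int] = None   # usage restriction (None = unlimited)
    parent_id: Optional[str] = None  # delegation this one was derived from
    revoked: bool = False

def check_chain(store, delegation_id, uses=None):
    """Walk from a delegation up to its root; return (ok, audit trail or reason)."""
    uses = uses or {}
    trail, seen = [], set()
    current = store.get(delegation_id)
    if current is None:
        return False, f"{delegation_id}: not found"
    while True:
        if current.id in seen:
            return False, f"{current.id}: cycle in chain"
        seen.add(current.id)
        if current.revoked:
            return False, f"{current.id}: revoked"
        if current.max_uses is not None and uses.get(current.id, 0) >= current.max_uses:
            return False, f"{current.id}: usage limit reached"
        trail.append(f"{current.delegator} -> {current.trustee}")
        if current.parent_id is None:
            return True, list(reversed(trail))  # root first, for the audit record
        parent = store.get(current.parent_id)
        if parent is None:
            return False, f"{current.id}: parent {current.parent_id} missing"
        if current.delegator != parent.trustee:
            return False, f"{current.id}: delegator does not hold parent"
        if current.resource != parent.resource or not current.roles <= parent.roles:
            return False, f"{current.id}: exceeds parent scope"
        current = parent

# Constructed sample data: admin delegates to alice, alice re-delegates to a service.
STORE = {
    "d1": Delegation("d1", "admin", "alice", frozenset({"member", "reader"}), "project-a"),
    "d2": Delegation("d2", "alice", "heat-svc", frozenset({"reader"}), "project-a",
                     max_uses=1, parent_id="d1"),
}
```

Calling `check_chain(STORE, "d2")` returns the full delegator-to-trustee trail from the root, which is the information an audit of the delegation would need.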
Lance Bragstad (lbragstad) wrote :

The following patches work towards this initiative, or its dependencies:

Unified delegation model: https://review.openstack.org/208488
Unified delegation driver: https://review.openstack.org/209600
Unified delegation migration: https://review.openstack.org/237047
SQLAlchemy column type for materialized path: https://review.openstack.org/251445
Use path hybrid property in query filtering: https://review.openstack.org/251513
Materialized path convenience wrapper: https://review.openstack.org/251455
Unified delegation manager skeleton: https://review.openstack.org/253124
Trust manager using unified delegation: https://review.openstack.org/257378
Assignment manager using unified delegation: https://review.openstack.org/257527
Unified delegation SQL driver: https://review.openstack.org/260686
Unified delegation assignment driver: https://review.openstack.org/291318
WIP/DNM Unified delegation trust driver: https://review.openstack.org/291871
Delegation parent discovery function: https://review.openstack.org/330573
OAuth1 driver for unified delegation: https://review.openstack.org/370965
Cross API unified delegation test: https://review.openstack.org/384638

tags: added: rfe
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist