OpenStack Identity (keystone)

RFE: Domain Specific Mappings

Bug #1816160 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Triaged
Wishlist
Unassigned

Bug Description

(Original blueprint and specification were written by Henry Nash)

Today mapping rules for federated users have to be created by system administrators. As public clouds evolve and host more and more enterprises, system administrators will want to be able to delegate this responsibility to the domain administrator for a particular domain so that they can create their own mapping rules for access to their own domain.

This falls in line with OpenStack's technical vision of self-serviceability.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Specification review: https://review.openstack.org/#/c/324552/

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Context from the blueprint, while it was still active:

(lbragstad) 19-02-13: This could be resolved with proper scope checking and the use of default roles, which were introduced in Rocky. The approach would safely protect the mapping API and allow domain users access to it. Additional validation should be done to make sure domain administrators are only accessing domains or identity providers they have authorization on. Also, the alternative solution proposed in review [0] might not be a silver bullet for this problem. I can imagine certain deployments might want to delegate mapping operations directly to domain administrators, which makes the API more self-service since domain users don't need to request system administrators to make mapping changes on their behalf. Colleen and I talked about this in IRC and agreed this might make sense to keep in discussion [1].

[0] https://review.openstack.org/#/c/324055/
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-02-13.log.html#t2019-02-13T14:31:14

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Lance Bragstad (lbragstad) wrote :

This bug actually has some overlap with another bug report [0]. In addition to fixing [0], we could extend support and scope checking of the mapping API to open this functionality up to domain users.

[0] https://bugs.launchpad.net/keystone/+bug/1804521

tags: added: federation system-scope
Lance Bragstad (lbragstad)
tags: added: rfe
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.