RFE: Create a role for domain-scoped self-service identity management by end users
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Wishlist | Unassigned | |
Bug Description
When assigning individual domains to customers of an OpenStack cloud, customer-side self-service identity management (i.e. managing users, projects and groups) within a domain is a popular use case but hard to implement with the current default role model.
With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option.
Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2].
The Consistent and Secure RBAC rework introduced a "manager" role for projects [3].
Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.
Request: introduce a new "domain-manager" role in Keystone and associated policy rules.
The new "domain-manager" role, once assigned to an end user in a domain scope, would enable them to manage projects, groups, users and the associated role assignments, limited to the boundaries of that domain.
[1] https:/
[3] https:/
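To illustrate the role model the RFE asks for, here is an oslo.policy fragment added as an example (it is not from the RFE, the linked spec, or keystone's own policy files). The rule names are keystone's existing policy targets; the role name "domain-manager" and the exact check strings are assumptions for illustration.

```yaml
# Added example: what domain-scoped policy rules for a dedicated identity
# management role could look like. Not keystone's actual policy.
#
# Today the only way to let someone manage identity resources inside a
# domain is a domain-scoped "admin" assignment, which the RFE describes as
# risky and as carrying meaning beyond identity management:
#
#   "identity:create_user": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.user.domain_id)s)"
#
# With a dedicated role, "admin" stays reserved for operators and the end
# user only gets the identity operations. The domain_id match against the
# *target* resource is what keeps the role domain-scoped: without it a
# domain-manager of domain A could create users in domain B.
"identity:create_user": "(role:admin and system_scope:all) or (role:domain-manager and domain_id:%(target.user.domain_id)s)"
"identity:update_user": "(role:admin and system_scope:all) or (role:domain-manager and domain_id:%(target.user.domain_id)s)"
"identity:delete_user": "(role:admin and system_scope:all) or (role:domain-manager and domain_id:%(target.user.domain_id)s)"
"identity:create_project": "(role:admin and system_scope:all) or (role:domain-manager and domain_id:%(target.project.domain_id)s)"
"identity:create_group": "(role:admin and system_scope:all) or (role:domain-manager and domain_id:%(target.group.domain_id)s)"

# Role assignments (identity:create_grant and friends) need the same kind of
# target-domain check, plus a restriction on *which* roles may be granted:
# a domain-manager that can hand out "admin" inside its domain would regain
# the very privileges the RFE wants to avoid. Those rules are not shown here
# because their exact shape is defined by the spec under review.
```

Deploying such a fragment as a policy override only changes the checks listed; every other identity rule keeps keystone's defaults, so the full set of user, group, project and grant operations has to be covered consistently.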
| Changed in keystone: | |
|---|---|
| importance: | Undecided → Wishlist |

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone-specs/+/903172