yahoo-eng-team team mailing list archive

[Bug 1926345] [NEW] Horizon should use the authorization API in keystone to build authorization targets for users

 

Public bug reported:

During the Xena PTG we discussed how to continue integrating the secure
RBAC effort into Horizon [0].

One improvement we agreed upon was for Horizon to use the user's
unscoped token to fetch authorization scopes (GET /v3/auth/projects, GET
/v3/auth/domains, GET /v3/auth/system) [1].

Then Horizon can present a list of targets and rescope tokens similar to
what it does today. Additionally, this is a good way to start
integrating support for system-scoped tokens into Horizon, which Horizon
will need in the future when it's required by policy.

[0] https://etherpad.opendev.org/p/policy-popup-xena-ptg
[1] https://docs.openstack.org/api-ref/identity/v3/?expanded=get-available-project-scopes-detail#authentication-and-token-management

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1926345

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1926345/+subscriptions
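
The flow proposed in the bug report above, sketched as an added example (not part of the original report and not Horizon's code): the three scope listings are merged into one target list, a user's selection is accepted only if keystone listed it, and the rescope body for POST /v3/auth/tokens is built from that. Function names and sample bodies are hypothetical and constructed; the response shapes are assumed to follow the Identity v3 API reference [1].

```python
# Added example: hypothetical helper names, not Horizon's code.
# Constructed sample bodies, shaped like the Identity v3 API reference [1].
SAMPLE_PROJECTS = {"projects": [
    {"id": "p-111", "name": "web", "domain_id": "default", "enabled": True},
    {"id": "p-222", "name": "old", "domain_id": "default", "enabled": False}]}
SAMPLE_DOMAINS = {"domains": [{"id": "d-333", "name": "corp", "enabled": True}]}
SAMPLE_SYSTEM = {"system": [{"all": True}]}


def build_targets(projects_body, domains_body, system_body):
    """Merge GET /v3/auth/{projects,domains,system} bodies into one target list."""
    targets = []
    for kind, key, body in (("project", "projects", projects_body),
                            ("domain", "domains", domains_body)):
        for item in body.get(key, []):
            # Defensive: a token cannot be scoped to a disabled project or domain.
            if item.get("enabled", True):
                targets.append({"type": kind, "id": item["id"],
                                "label": item.get("name", item["id"])})
    # System access is reported as a list such as [{"all": true}].
    if any(entry.get("all") for entry in system_body.get("system", [])):
        targets.append({"type": "system", "id": None, "label": "system"})
    return targets


def select_target(targets, kind, target_id=None):
    """Accept a user's choice only if keystone listed it for this token."""
    for target in targets:
        if target["type"] == kind and target["id"] == target_id:
            return target
    raise PermissionError(f"{kind} {target_id!r} is not an available scope")


def rescope_request(unscoped_token, target):
    """Build the POST /v3/auth/tokens body that exchanges the token for a scoped one."""
    if target["type"] == "system":
        scope = {"system": {"all": True}}
    else:
        scope = {target["type"]: {"id": target["id"]}}
    return {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": unscoped_token}},
                     "scope": scope}}
```

The three GET requests carry the unscoped token in the X-Auth-Token header; the network calls are left out so the example runs offline.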