
yahoo-eng-team team mailing list archive

[Bug 2028409] Re: Add domain_id config option to remove the need of cloud admin user when generating dynamic credentials

 

** Also affects: keystone
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2028409

Title:
  Add domain_id config option to remove the need of cloud admin user
  when generating dynamic credentials

Status in OpenStack Identity (keystone):
  New
Status in tempest:
  In Progress

Bug description:
  Currently, generating dynamic credentials requires listing domains and
  filtering the result by domain name to get the current/admin domain
  object from the Keystone API (through the `/v3/domains` API). And as
  stated in the default keystone policy, listing domains requires the
  cloud_admin privilege, which means we cannot use a domain admin to
  create test accounts with tempest.

  ```
  "identity:list_domains": "rule:cloud_admin",
  ```

  A better behavior would be using the `/v3/domains/{domain_id}` API to
  get the domain object directly so that only a domain admin user is
  needed to generate test accounts. The benefit of reducing required user
  privileges is isolating the test environment. This requires adding an
  additional domain_id configuration option in the [auth] section.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2028409/+subscriptions
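
Added example (not part of the bug report, and not tempest or keystone code): a sketch of the lookup the report proposes, run against a constructed in-memory stand-in for the identity API. `FakeKeystone`, `resolve_domain`, the role labels, the sample domains and the rule applied to `/v3/domains/{domain_id}` are assumptions made for illustration; only the `identity:list_domains` rule comes from the report.

```python
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity API."""


class FakeKeystone:
    """Hypothetical stand-in for Keystone; roles are simplified labels."""

    # Constructed sample data, not real domain ids.
    DOMAINS = {"d-001": {"id": "d-001", "name": "Default"},
               "d-002": {"id": "d-002", "name": "tenant-a"}}

    def __init__(self, roles, token_domain_id):
        self.roles = set(roles)
        self.token_domain_id = token_domain_id

    def list_domains(self):
        # GET /v3/domains -> "identity:list_domains": "rule:cloud_admin"
        if "cloud_admin" not in self.roles:
            raise Forbidden("identity:list_domains")
        return list(self.DOMAINS.values())

    def show_domain(self, domain_id):
        # GET /v3/domains/{domain_id}. Assumed rule: cloud admin, or a domain
        # admin reading the domain its own token is scoped to.
        own = "domain_admin" in self.roles and domain_id == self.token_domain_id
        if "cloud_admin" not in self.roles and not own:
            raise Forbidden("identity:get_domain")
        return self.DOMAINS[domain_id]


def resolve_domain(client, domain_name, domain_id=None):
    """Return the domain object used when creating dynamic credentials."""
    if domain_id:
        # Proposed behaviour: [auth] domain_id is set, fetch that one domain.
        return client.show_domain(domain_id)
    # Current behaviour: list every domain, then filter by name.
    matches = [d for d in client.list_domains() if d["name"] == domain_name]
    if not matches:
        raise LookupError(domain_name)
    return matches[0]
```

With a domain admin client, the name-based path fails on the list call while the id-based path succeeds, and the same client is still refused when it asks for a domain other than its own.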