
yahoo-eng-team team mailing list archive

[Bug 2045974] [NEW] RFE: Create a role for domain-scoped self-service identity management by end users

Public bug reported:

When assigning individual domains to customers of an OpenStack cloud,
customer-side self-service identity management (i.e. managing users,
projects and groups) within a domain is a popular use case but hard to
implement with the current default role model.

With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option.
Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2].

The Consistent and Secure RBAC rework introduced a "manager" role for projects [3].
Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.

Request: introduce a new "domain-manager" role in Keystone and associated policy rules.
The new "domain-manager" role - once assigned to an end user in a domain scope - would enable them to manage projects, groups, users and associated role assignments within the limitations of the domain.

[1] https://bugs.launchpad.net/keystone/+bug/968696

[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

[3] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager

** Affects: keystone
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2045974
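The request above asks for a role plus "associated policy rules", so here is an added example of what such rules might look like and of the check that makes them safe. This is illustrative code written for this page, not Keystone's implementation and not oslo.policy itself. The rule strings use oslo.policy's syntax (role:, key:%(target.attr)s, 'literal':%(target.attr)s, rule:name, and/or/not with parentheses), but the enforcer below is a small stand-in that understands only that subset so the checks run offline. The "domain-manager" role name, the target attribute paths (target.user.domain_id and friends), the constructed tokens and targets, and the restriction that a manager may not grant "admin" are all assumptions of the example. What it demonstrates is the caveat from [1]: the role is only as safe as the rules that compare the token's domain_id with the target object's domain on every call, and the bound on which roles a manager is allowed to hand out.

```python
# Added example, not Keystone's or oslo.policy's code: rules in oslo.policy syntax for a
# domain-scoped "domain-manager" role, checked by a minimal stand-in for oslo.policy's Enforcer.

def _tokenize(rule):
    # As in oslo.policy: split on whitespace; leading "(" / trailing ")" become their own tokens.
    for tok in rule.split():
        while tok.startswith("("):
            yield "("
            tok = tok[1:]
        closing = len(tok) - len(tok.rstrip(")"))  # parentheses inside %(...)s never end a token
        if tok[:len(tok) - closing]:
            yield tok[:len(tok) - closing]
        yield from [")"] * closing

class _Parser:
    # Recursive descent with oslo.policy precedence: not > and > or.
    def __init__(self, rule):
        self.toks, self.pos = list(_tokenize(rule)) + [None], 0  # None marks the end
    def parse(self):
        node = self._binary("or")
        if self.toks[self.pos] is not None: raise ValueError("trailing tokens in rule")
        return node
    def _binary(self, op):
        operand = (lambda: self._binary("and")) if op == "or" else self._unary
        node = operand()
        while self.toks[self.pos] == op:
            self.pos += 1
            node = (op, node, operand())
        return node
    def _unary(self):
        tok, self.pos = self.toks[self.pos], self.pos + 1
        if tok == "not":
            return ("not", self._unary())
        if tok == "(":
            node = self._binary("or")
            if self.toks[self.pos] != ")": raise ValueError("unbalanced parentheses")
            self.pos += 1
            return node
        if tok in (None, ")", "and", "or"): raise ValueError("malformed rule")
        return ("check",) + tuple(tok.partition(":")[::2])

def _flatten(d, prefix=""):
    # {"target": {"user": {"domain_id": "x"}}} -> {"target.user.domain_id": "x"}
    out = {}
    for k, v in d.items():
        out.update(_flatten(v, f"{prefix}{k}.") if isinstance(v, dict) else {prefix + k: v})
    return out

class Enforcer:
    def __init__(self, policy):
        self.rules = {name: _Parser(text).parse() for name, text in policy.items()}
    def enforce(self, action, target, creds):
        # Unknown actions are denied rather than falling through to "allow".
        return action in self.rules and self._eval(self.rules[action], _flatten(target), creds)
    def _eval(self, node, target, creds):
        op = node[0]
        if op in ("and", "or", "not"):
            vals = [self._eval(n, target, creds) for n in node[1:]]
            return {"and": all, "or": any, "not": lambda v: not v[0]}[op](vals)
        _, kind, match = node
        if kind == "rule":
            return match in self.rules and self._eval(self.rules[match], target, creds)
        if kind == "role":
            return match in creds.get("roles", ())
        try:
            value = match % target  # expand %(target.x.y)s from the flattened target
        except KeyError:
            return False            # target lacks the attribute: deny, never allow
        if kind[:1] in ("'", '"'):   # 'literal':%(target.attr)s compares a constant
            return kind[1:-1] == str(value)
        return kind in creds and str(creds[kind]) == value

# Assumed rules: each ties the token's domain_id to the target object's domain_id, so a token
# scoped to another domain or to a project (no domain_id in creds) fails; grants exclude admin.
_DM = "rule:admin_required or (role:domain-manager and domain_id:%(target.{obj}.domain_id)s"
POLICY = {
    "admin_required": "role:admin",
    "identity:create_user": _DM.format(obj="user") + ")",
    "identity:create_project": _DM.format(obj="project") + ")",
    "identity:create_grant": _DM.format(obj="user") + " and domain_id:%(target.project.domain_id)s"
                             " and not 'admin':%(target.role.name)s)",
}

MANAGER_A = {"roles": ["domain-manager"], "domain_id": "dom-a"}         # constructed creds
PROJECT_TOKEN = {"roles": ["domain-manager"], "project_id": "proj-a1"}  # constructed creds

def target(**objs):
    # Constructed targets: target(user="dom-a") or target(user=..., project=..., role="admin").
    return {"target": {k: {"name" if k == "role" else "domain_id": v} for k, v in objs.items()}}

def run_scenarios():
    e = Enforcer(POLICY)
    return {
        "user_in_own_domain": e.enforce("identity:create_user", target(user="dom-a"), MANAGER_A),
        "user_in_other_domain": e.enforce("identity:create_user", target(user="dom-b"), MANAGER_A),
        "project_scoped_token": e.enforce("identity:create_user", target(user="dom-a"), PROJECT_TOKEN),
        "grant_member": e.enforce("identity:create_grant", target(user="dom-a", project="dom-a", role="member"), MANAGER_A),
        "grant_admin": e.enforce("identity:create_grant", target(user="dom-a", project="dom-a", role="admin"), MANAGER_A),
        "grant_foreign_project": e.enforce("identity:create_grant", target(user="dom-a", project="dom-b", role="member"), MANAGER_A),
        "unknown_action": e.enforce("identity:delete_domain", {}, MANAGER_A),
    }
```

run_scenarios() returns a dict of allow/deny results: only the two in-domain cases (creating a user in dom-a, granting "member" on a dom-a project) are allowed; the foreign-domain target, the project-scoped token, the "admin" grant and the unknown action are all denied. In a real deployment the rule strings would go into Keystone's policy file and be enforced by oslo.policy, where the target dict keys and the grantable-role restriction are whatever Keystone defines, not this example's.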
