yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #93194
[Bug 2045974] [NEW] RFE: Create a role for domain-scoped self-service identity management by end users
Public bug reported:
When assigning individual domains to customers of an OpenStack cloud,
customer-side self-service identity management (i.e. managing users,
projects and groups) within a domain is a popular use case but hard to
implement with the current default role model.
With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option.
Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2].
The Consistent and Secure RBAC rework introduced a "manager" role for projects [3].
Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.
Request: introduce a new "domain-manager" role in Keystone and associated policy rules.
The new "domain-manager" role - once assigned to an end user in a domain scope - would enable them to manage projects, groups, users and associated role assignments within the limitations of the domain.
[1] https://bugs.launchpad.net/keystone/+bug/968696
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-
secure-rbac.html#the-issues-we-are-facing-with-scope-concept
[3] https://governance.openstack.org/tc/goals/selected/consistent-and-
secure-rbac.html#project-manager
** Affects: keystone
Importance: Undecided
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2045974
Title:
RFE: Create a role for domain-scoped self-service identity management
by end users
Status in OpenStack Identity (keystone):
In Progress
Bug description:
When assigning individual domains to customers of an OpenStack cloud,
customer-side self-service identity management (i.e. managing users,
projects and groups) within a domain is a popular use case but hard to
implement with the current default role model.
With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option.
Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2].
The Consistent and Secure RBAC rework introduced a "manager" role for projects [3].
Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.
Request: introduce a new "domain-manager" role in Keystone and associated policy rules.
The new "domain-manager" role - once assigned to an end user in a domain scope - would enable them to manage projects, groups, users and associated role assignments within the limitations of the domain.
[1] https://bugs.launchpad.net/keystone/+bug/968696
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-
secure-rbac.html#the-issues-we-are-facing-with-scope-concept
[3] https://governance.openstack.org/tc/goals/selected/consistent-and-
secure-rbac.html#project-manager
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2045974/+subscriptions
Follow ups
