yahoo-eng-team team mailing list archive
Message #94482
[Bug 2045974] Re: RFE: Create a role for domain-scoped self-service identity management by end users
Reviewed: https://review.opendev.org/c/openstack/keystone/+/924132
Committed: https://opendev.org/openstack/keystone/commit/69d1897d0974aafc5f41b851ce61f62ab879c805
Submitter: "Zuul (22348)"
Branch: master
commit 69d1897d0974aafc5f41b851ce61f62ab879c805
Author: Markus Hentsch <markus.hentsch@xxxxxxxxxxxxxxxx>
Date: Mon Jul 15 11:09:55 2024 +0200
Implement the Domain Manager Persona for Keystone
Introduces domain-scoped policies for the 'manager' role to permit
domain-wide management capabilities in regards to users, groups,
projects and role assignments.
Defines a new base policy rule to restrict the roles assignable by
domain managers.
Closes-Bug: #2045974
Change-Id: I62742ed7d906c92d1132251080758bb54d0fc8e1
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2045974
Title:
RFE: Create a role for domain-scoped self-service identity management by end users
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When assigning individual domains to customers of an OpenStack cloud,
customer-side self-service identity management (i.e. managing users,
projects and groups) within a domain is a popular use case but hard to
implement with the current default role model.
With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option.
Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2].
The Consistent and Secure RBAC rework introduced a "manager" role for projects [3].
Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.
Request: introduce a new "domain-manager" role in Keystone and associated policy rules.
The new "domain-manager" role - once assigned to an end user in a domain scope - would enable them to manage projects, groups, users and associated role assignments within the limitations of the domain.
[1] https://bugs.launchpad.net/keystone/+bug/968696
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept
[3] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager
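To make the domain-manager idea concrete, here is an added illustration that is not Keystone's code and does not reproduce the policies introduced by the commit above. It evaluates rules written in a subset of oslo.policy's rule syntax against a domain-scoped token: a holder of the 'manager' role may act only on targets in the domain of their token, and a separate base rule limits which roles they may hand out. The rule names (such as domain_managed_target and domain_assignable_role), the policy strings, and the credentials and targets are all constructed for this example.

```python
"""Toy evaluator for domain-scoped policy rules (constructed example, not Keystone code).
Subset of oslo.policy syntax: role:X, rule:X, key:value, key:%(target.path)s, 'lit':%(target.path)s, and/or/not, ()."""
import re

# Constructed policy set: names follow Keystone's style but are assumptions.
POLICY = {
    "admin_required": "role:admin",
    # Domain manager: holds 'manager' and the target lives in the token's domain.
    "domain_managed_target": "role:manager and domain_id:%(target.domain_id)s",
    # Base rule limiting which roles a domain manager may hand out.
    "domain_assignable_role": "'member':%(target.role_name)s or 'reader':%(target.role_name)s",
    "identity:create_user": "rule:admin_required or rule:domain_managed_target",
    "identity:create_grant": "rule:admin_required or (rule:domain_managed_target and rule:domain_assignable_role)",
}

# Parentheses, boolean operators, or a kind:value check (value may be %(path)s).
TOKEN = re.compile(r"\s*(\(|\)|and\b|or\b|not\b|(?:'[^']*'|[\w.]+):(?:%\([\w.]+\)s|[\w.]+))")

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad policy syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def lookup(path, data):
    # Resolve a dotted path such as target.domain_id in nested dicts.
    for part in path.split("."):
        if not isinstance(data, dict) or part not in data:
            return None
        data = data[part]
    return data

def check(tok, creds, target, policy):
    # Evaluate one kind:value check against credentials and the target object.
    kind, match = tok.split(":", 1)
    if kind == "rule":
        return evaluate(policy[match], creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    if match.startswith("%(") and match.endswith(")s"):
        match = lookup(match[2:-2], {"target": target})
    if match is None:
        return False  # fail closed: a missing target attribute never matches
    if kind.startswith("'"):
        return kind.strip("'") == match  # literal versus target attribute
    return creds.get(kind) == match  # credential attribute versus value

def evaluate(expr, creds, target, policy=POLICY):
    # Recursive descent with precedence not > and > or.
    tokens, pos = tokenize(expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens): raise ValueError("unexpected end of rule")
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        result = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            result = result or rhs
        return result
    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            result = result and rhs
        return result
    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok != "(":
            return check(tok, creds, target, policy)
        inner = parse_or()
        if take() != ")":
            raise ValueError("unbalanced parentheses")
        return inner
    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return bool(result)

def enforce(action, creds, target, policy=POLICY):
    return evaluate(policy[action], creds, target, policy)

DOMAIN_MANAGER = {"roles": ["manager"], "domain_id": "customer-a"}  # constructed domain-scoped token
if __name__ == "__main__":
    for action, target in [("identity:create_user", {"domain_id": "customer-b"}),
                           ("identity:create_grant", {"domain_id": "customer-a", "role_name": "admin"})]:
        print(action, target, enforce(action, DOMAIN_MANAGER, target))
```

Two details matter for the security of such a rule set. First, the domain check compares the token's domain_id with the target's domain_id, so a manager in customer-a is refused on a user in customer-b; the scope of the token, not only the role name, decides. Second, a check against an absent target attribute must fail closed: without the `match is None` guard, a target that lacks role_name would compare None with None and let a domain manager grant any role, which is exactly what the base rule restricting assignable roles is meant to prevent.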
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2045974/+subscriptions