Update the default roles spec to include Rocky details

Since we're not going to get everything detailed in this specification
done in Rocky, we should update the spec to clarify what we did get
done and what we plan to pick in subsequent releases.

Change-Id: Ife2089167354b9e1c918dd9219aff5e5ff66e856
Lance Bragstad 2018-07-13 19:42:46 +00:00
parent 657bb13d3b
commit b05d80a97a
1 changed files with 17 additions and 0 deletions

@ -49,6 +49,21 @@ operators in ways that are consistent with changing configuration options.
This specification proposes that Keystone enhance the basic RBAC experience
by incorporating the following default roles into its default policies.
The work detailed here can be separated into two initiatives. The first is
ensuring the defaults proposed are available to operators after installation.
The second is incorporating those available roles into default policies across
services. Note that the first initiative was targeted and completed in the
Rocky release. While this specification does go into detail describing the
second initiative, it will be implemented in a subsequent release (likely Stein
or later). The second initiative specifically within keystone will require
landing a large refactor cleaning up technical debt and moving keystone to
using `flask <https://bugs.launchpad.net/keystone/+bug/1776504>`_ instead of a
home-grown WSGI implementation. It is imperative to land this refactor prior to
starting the second initiative because it will make treating RBAC across
different scopes like formal business logic across the Manager layers within
keystone subsystems, as opposed to obfuscating more complexity into the
``@controller.protected`` decorator that is currently used by most APIs.
Our goal is that this work will serve as a template which other services may
use to adopt the proposed default roles in a future `community goal
<https://governance.openstack.org/tc/goals/>`_.
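
Review bot: The sentence beginning "It is imperative to land this refactor" never completes its "it will make treating RBAC across different scopes like formal business logic" clause, so the reason for the ordering is left unstated. Say what the refactor enables, for example "because it will let us treat RBAC across different scopes as formal business logic in the Manager layers". In the same paragraph the link labelled `flask` points at Launchpad bug 1776504 rather than at Flask itself; a label such as "flask (bug 1776504)" would tell readers what they are opening.
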
@ -255,6 +270,8 @@ This work is dependent on the following:
<https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`_
all policies in code
* `Use flask <https://bugs.launchpad.net/keystone/+bug/1776504>`_
The work detailed in this specification will be supplemented with policy work
being done in oslo and keystone:
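
Review bot: The `Use flask` entry in the dependency list does not say which part of the work depends on it. The overview text in this same change states that the first initiative was completed in Rocky and that the flask refactor is required for the second initiative within keystone, so the entry should say it blocks the second initiative; as written, the list reads as if the already completed work still depended on it.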