openstack
/
keystone-specs
Code Issues Proposed changes

Add identity spec for domain-manager persona 

Partial-Bug: #2045974
Co-Authored-By: Josephine Seifert <josephine.seifert@cloudandheat.com>
Change-Id: I787972e560f70fc56a99c44198e509222fe5ad16
This commit is contained in:
Markus Hentsch 2023-12-08 14:16:56 +01:00 committed by Josephine Seifert
parent 330200b4d8
commit 557adfa072
1 changed files with 249 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

249
specs/keystone/2023.1/domain-manager-persona.rst Normal file
View File

@ -0,0 +1,249 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
====================================================================
Domain Manager Persona for domain-scoped self-service administration
====================================================================
`bug #2045974 <https://bugs.launchpad.net/keystone/+bug/2045974>`_
In scenarios where customers are assigned a whole domain, they might desire
self-service functionality for managing users, projects and groups within that
domain.
The `Consistent and Secure Default RBAC
<https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html>`_
introduced the ``manager`` role for projects as a customer-side management role
between ``admin`` and ``member`` but added no such role model for domains.
This specification introduces a new ``domain-manager`` persona to fill that gap
and enables domain-scoped identity self-service capabilities for customers.
Problem Description
===================
Today, you need the ``admin`` role in keystone in order to fully manage groups,
projects and users including their role assignments. Since this role is
intended for the highest level of authorization, it is usually reserved for
operators. This means that even if a customer is confined within a domain in
Keystone, they need to involve operators of the cloud to have users, projects
and groups as well as corresponding role assignments managed for them.
For customers receiving a whole domain in Keystone this is often unsatisfactory
since a self-service capability is desired. For instance, a customer might want
to align Keystone projects with their departments and on-/offboard
corresponding staff as Keystone users on their own.
For this purpose a role or persona and corresponding set of permissions are
required which implement this management functionality for customers.
Proposed Change
===============
Adjust existing policy defaults to incorporate the domain-scoped ``manager``
role accordingly like described below.
The ``domain-manager`` persona should be exclusive to Keystone for managing
identity objects such as users, projects and groups along with role assignments
within a domain to enable identity management self-service for end users.
All default policies that concern users, projects, groups and roles in the
Identity API have to be adjusted to incorporate the ``domain-manager`` persona
on a domain level.
Below is an example of the `identity:create_project` policy adjusted for the
``domain-manager`` persona. It adjusts the domain-scoped check to accept the
``manager`` role instead of ``admin``:
.. code-block:: python
# for the second part of the folllowing "or" conditional "role:admin" has
# been replaced by "role:manager"
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(role:admin and system_scope:all) or '
'(role:manager and domain_id:%(target.project.domain_id)s)'
)
# policy defintions using this definition stay the same, for example
# the "identity:create_project" rule:
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_project',
check_str=SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
scope_types=['system', 'domain'],
description='Create project.',
operations=[{'path': '/v3/projects',
'method': 'POST'}],
deprecated_rule=deprecated_create_project),
One crucial part of a domain manager's responsibility will be to assign roles
within a domain. For this purpose, the existing rule defaults in Keystone can
be repurposed:
.. code-block:: python
# below "role:admin" has been replaced by "role:manager"
GRANTS_DOMAIN_ADMIN = (
'(role:manager and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:manager and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:manager and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:manager and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
# the following stays the same
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(' + base.SYSTEM_ADMIN + ') or '
'(' + GRANTS_DOMAIN_ADMIN + ') and '
'(' + DOMAIN_MATCHES_ROLE + ')'
)
However, a domain manager should not be able to assign roles of higher
privileges than themselves, so the set of target roles they are able to
assign/revoke should be restricted using a new rule. Defining this as a rule
offers the advantage that operators or deployers may easily adjust this role
list (which roles are manageable) without the need to rewrite the whole set of
lenghty individual rules for all the API actions:
.. code-block:: python
# define a new rule called "domain_managed_target_role"
policy.RuleDefault(
name='domain_managed_target_role',
check_str="'member':%(target.role.name)s or "
"'reader':%(target.role.name)s"),
Finally, all the rules that concern role grants should be adjusted to
incorporate this target role restriction. Below is an example for
``identity:create_grant``:
.. code-block:: python
# here a "and rule:domain_managed_target_role" is added to the check
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_grant',
check_str=(SYSTEM_ADMIN_OR_DOMAIN_ADMIN +
' and rule:domain_managed_target_role'),
scope_types=['system', 'domain'],
The changes illustrated above need to be applied to all applicable policy
definitions that handle relationships between users, projects, groups and roles
within domains accordingly.
Alternatives
------------
A new role: ``domain-manager`` could also be used for this purpose.
The positive aspect would be a better differenciation between the ``manager``
on a project level and a ``manager`` on a domain level. For an end user it
might be more obvious which of the two use cases they have been assigned the
role for without looking up the assignment scope by themselves.
But a new ``domain-manager`` role would not fit into the new RBAC system, that
requires the roles to be hierarchically structured, when they can be assigned
to a user.
Another alternative would be to assign the ``admin`` role to end users within
domains in a scoped fashion like the current rule defaults imply. However, the
``admin`` role does not seem be properly scoped across all OpenStack services
(see `this Launchpad bug <https://bugs.launchpad.net/keystone/+bug/968696>`_).
Furthermore, `there has been operator
feedback <https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept>`_
that a scoped ``admin`` role is a confusing concept in general. It seems to be
more appropriate to introduce a dedicated role for this, akin to the
``manager`` role for projects.
Security Impact
---------------
The ``domain-manager`` persona will allow customers to have administrative
management capabilities for users, projects, groups and role assignments within
a domain. However, the persona must first be assigned to a customer
user by an operator. This is a deliberate action by the operator and customers
do not get the persona or its permission set by default.
Using the ``domain-manager`` persona will be better than granting customers the
``admin`` role in their domain.
Notifications Impact
--------------------
None
Other End User Impact
---------------------
This work doesn't require any client code.
End users receiving the new ``domain-manager`` persona within a domain can
start using its permission set right away.
Performance Impact
------------------
This is a trivial change to add another RBAC-persona and corresponding
policy definitions. Performance impact is negligible.
Other Deployer Impact
---------------------
None
Developer Impact
----------------
As this persona is intended for runtime usage, the only impact for developers
is to watch closely when adding new policies for the ``manager`` role, to avoid
accidently giving privileges to the domain-scoped ``manager``.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
None
Other contributors:
None
Work Items
----------
* Adjust the default policies for group, project, user and role management
actions in Keystone to incorporate the new domain-scoped ``manager`` in a way
that enables management rights in domain scope only
* Add the ``domain-manager`` persona to the Keystone documentation describing
its purpose and usage
Dependencies
============
None
Documentation Impact
====================
Any documentation that concerns identity management and Keystone usage should
include instructions for the ``domain-manager`` persona where appropriate.
This will be more or less restricted to Keystone since this persona is only of
use for the Identity API.
References
==========
* `Draft of the Domain Manager
standard <https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-v1-domain-manager-role.md>`_
implementing the concept in Sovereign Cloud Stack using separate Keystone
policy adjustments based on the current defaults
* `Etherpad notes from Caracal vPTG of Keystone discussing the topic and
initiating this spec <https://etherpad.opendev.org/p/caracal-ptg-keystone>`_
* `Consistent and Secure RBAC: project manager role <https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#implement-support-for-project-manager-personas>`_
* `Launchpad bug: "admin"-ness not properly scoped <https://bugs.launchpad.net/keystone/+bug/968696>`_