implement rbac support for identity
Summary:
Implement RBAC on the actions in the Identity dashboard that call the Identity service.
Motivation:
Dashboards should reflect the permissions granted by the policies: if a user has permission to list users, that option should appear in the Identity dashboard.
Use Case #1
As a cloud admin I want to define new roles to be used in my cloud: cloud_admin, the role to manage the cloud; domain admin, for the domain; project admin, the role to manage the project of which the user is the admin; and member, the usual user with no admin privilege.
As seen in the code, some operations, such as listing users, require that the user has the admin role ( https:/
Use Case #2
I want to give users with the member role in a domain permission to list users and projects.
With the current implementation this is not possible, for the same reason as above: since these users are not admins, the Horizon Keystone client will not permit them to list users and projects.
Description:
To implement this feature, the parameter in the Horizon Keystone client that requires the user to be an admin must be removed, so that authorization relies only on the policies ( https:/
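The following is an added illustration, not code from Horizon or from this blueprint, of the policy-only decision the Description proposes: a small evaluator for rule strings in the style of Keystone/Horizon policy files ("role:<name>", "rule:<alias>", "and", "or"), used to decide which Identity actions a user's roles permit. The policy rules, the role names beyond those in the use cases, and the users are constructed for the example; Horizon's real policy files and its policy.check API are not reproduced here, and endpoint selection is out of scope.

```python
# Added example (not Horizon's code): decide Identity dashboard actions from
# policy rules alone, with no admin flag or is_superuser shortcut.

# Constructed policy, loosely modelled on the layout of a Keystone policy file.
# Keys are action names; values are rule expressions built from
# "role:<name>", "rule:<alias>", "and", "or", "@" (always) and "!" (never).
POLICY = {
    "admin_required": "role:admin or role:cloud_admin",
    "domain_admin_required": "role:domain_admin or rule:admin_required",
    "project_admin_required": "role:project_admin or rule:domain_admin_required",
    # Use Case #2: members may list users and projects.
    "identity:list_users": "role:member or rule:domain_admin_required",
    "identity:create_user": "rule:domain_admin_required",
    "identity:list_projects": "role:member or rule:project_admin_required",
    "identity:delete_project": "rule:admin_required",
}


def _eval(expr, roles, policy, depth=0):
    """Evaluate one rule expression against a set of role names.

    "or" binds more loosely than "and", so the expression is split on
    " or " first; parentheses are not supported in this toy grammar.
    """
    if depth > 32:  # guard against a rule that (indirectly) references itself
        raise ValueError("policy rule recursion too deep")
    expr = expr.strip()
    if " or " in expr:
        return any(_eval(p, roles, policy, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, roles, policy, depth + 1) for p in expr.split(" and "))
    if expr == "@":
        return True
    if expr == "!":
        return False
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return _eval(policy[value], roles, policy, depth + 1)
    raise ValueError(f"unsupported check: {expr!r}")


def check(action, roles, policy=POLICY):
    """Return True if the policy allows `action` for a user holding `roles`.

    Actions absent from the policy are denied, so a missing rule fails closed.
    """
    if action not in policy:
        return False
    return _eval(policy[action], frozenset(roles), policy)


def allowed_actions(roles, policy=POLICY):
    """The Identity actions the dashboard should expose for these roles,
    derived purely from the policy rules."""
    return sorted(
        a for a in policy if a.startswith("identity:") and check(a, roles, policy)
    )


if __name__ == "__main__":
    # Constructed users with the roles named in Use Case #1.
    users = {
        "cloud admin": {"cloud_admin"},
        "domain admin": {"domain_admin"},
        "member": {"member"},
        "no role": set(),
    }
    for name, roles in users.items():
        print(f"{name:12s} -> {allowed_actions(roles)}")
```

With these rules a member sees the list-users and list-projects actions but not create-user or delete-project, a domain admin additionally gets create-user, and only cloud_admin (or admin) gets delete-project; changing who may list users is then a policy edit rather than a code change.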
UX:
The UX will not be modified, except that it will show dashboards and panels for non-admin users as well.
Outside Dependencies:
N/A
Requirements Update Required:
N/A
Doc Impact:
N/A
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Andre Aranha
- Direction: Needs approval
- Assignee: Andre Aranha
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: David Lyle
Whiteboard
[Lin Oct-6-2014] Andre, the Identity panels seem to already have RBAC in place. What calls to the Identity service are you looking to add RBAC to?
As discussed in the chat, I tested it and it's not working 100%, because for a non-admin user the panel is not even showing.
Gerrit topic: https:/
Addressed by: https:/
Implementing RBAC in Identity
[Lin Oct-7-2014] hey Andre, can you format the bp this way: https:/
[tsufiev Oct-9-2014] Passing `admin=True` in a `keystoneclient()` call is entirely unrelated to the roles that are required to perform an action. Actually it chooses between the admin and the public/internal endpoint of Keystone. There are no differences between them for Keystone V3, but for Keystone V2 the API provided on the public endpoint has fewer capabilities than the admin one; namely, it isn't able to operate on /users. Thus, removing `admin=True` will certainly break users-related functionality for a Horizon instance running on a Keystone V2 service. Please take notice of openstack_
Gerrit topic: https:/
[2014-11-24 | david-lyle] I believe the general direction for keystone is to move away from utilizing the 3 separate interfaces for the keystone API. If they make this change, we should support removing forcing the "admin=" value to the client. Beyond that, the is_superuser call has recently been changed in django_
[1] https:/