Add a new admin-readonly role
At the Juno Operator mid-cycle meet-up there was a request for an admin user with read-only privileges. This will require introducing a new role and using it both in policies and in code where roles are examined directly by way of context['is_admin'] or variants of the same. Essentially, this user can see everything but can modify or delete nothing.
While Keystone is the entry point, policy.json files in other OpenStack projects will, at a minimum, need to be modified to take advantage of this new role.
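The following added example (not Keystone's or any OpenStack project's code) shows why both the policy rules and the hard-coded context['is_admin'] checks have to change together: a policy.json-style rule set denies writes to the read-only role, while a legacy is_admin check still lets them through. The role name `admin_readonly`, the `volume:*` actions, the simplified evaluator and the sample contexts are all assumptions made for illustration.

```python
# Added illustration: a simplified policy.json-style evaluator, not oslo.policy.
# The role name "admin_readonly" and the "volume:*" actions are assumptions.
POLICY = {
    "admin_required": "role:admin",
    "admin_or_readonly": "rule:admin_required or role:admin_readonly",
    "volume:get": "rule:admin_or_readonly",
    "volume:get_all": "rule:admin_or_readonly",
    "volume:update": "rule:admin_required",
    "volume:delete": "rule:admin_required",
}


def check(rule, roles, policy=POLICY, seen=()):
    """Evaluate an 'A or B' rule built from role:X and rule:Y terms."""
    for term in (t.strip() for t in rule.split(" or ")):
        kind, _, value = term.partition(":")
        if kind == "role" and value in roles:
            return True
        # 'seen' stops a rule that references itself from recursing forever.
        if kind == "rule" and value in policy and value not in seen:
            if check(policy[value], roles, policy, seen + (value,)):
                return True
    return False


def enforce(action, context, policy=POLICY):
    """Default deny: an action with no rule is refused."""
    rule = policy.get(action)
    return rule is not None and check(rule, set(context["roles"]), policy)


def legacy_can_delete(context):
    """Hard-coded check of the kind the blueprint wants removed."""
    return bool(context.get("is_admin"))


# Constructed contexts. The read-only one assumes a service that sets
# is_admin so the user can list every project's resources.
ADMIN = {"roles": ["admin"], "is_admin": True}
READONLY = {"roles": ["admin_readonly"], "is_admin": True}
MEMBER = {"roles": ["member"], "is_admin": False}

if __name__ == "__main__":
    for name, ctx in (("admin", ADMIN), ("readonly", READONLY), ("member", MEMBER)):
        print(name, {a: enforce(a, ctx) for a in POLICY if ":" in a},
              "legacy delete:", legacy_can_delete(ctx))
```

Any code path where the legacy check and `enforce` disagree for the read-only context is a place where the new role would silently gain write access.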
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Malini Bhandaru
- Direction: Needs approval
- Assignee: None
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Lance Bragstad
Whiteboard
(morganfainberg): This is part of the larger policy discussion that there will be *at least* one design session on at the Kilo summit.
(timg): @morganfainberg any notes from that discussion? Have found the etherpads but it all looks quite long-term. This seems like a good smaller step.
(malini-k-bhandaru) We think it's a good first step to clean up each project of its hard-coded is-admin-context type checks. Then introduce the admin-read-only role, and when the full long-term policy thing is in place the individual OpenStack projects are ready for it.
David Lyle kindly pulled up all policy related blueprints and specs
Below from a Brazilian team sponsored by HP
[1] https:/
https:/
https:/
https:/
[2] https:/
The v3 policy file and roles being pushed were advanced by IBM and keystone’s version is https:/
Wei Chen from Intel is looking at the clean-up tasks.
[Dave Chen] The clean-up task may have some impact on the oslo-incubator project.
[Dave Chen] Someone has an interest in this kind of readonly role as well.
link is here, https:/
(lbragstad) 19-02-13: The specification for defining a set of basic default roles supersedes this work and the implementation started in Rocky [0].
[0] https:/
