Adding Multi-level User Management to Keystone via Project Nesting
Admin-Project-User is the current user organization hierarchy in OpenStack (more specifically, in Keystone), and it is sufficient for many cases. However, many deployment scenarios require multi-level user management, e.g. governments, large companies or universities. A more flexible user management model that supports multi-level organization is therefore needed to enable more flexible access control. This blueprint is proposed to achieve that goal.
In the initial design, this blueprint can be regarded as an EXTENSION to the current implementation of Keystone via project nesting. That means the original logic of Keystone would not be changed. An additional table recording the relations between projects will be maintained to achieve multi-level organization.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Kylin CG
- Direction: Needs approval
- Assignee: Kylin CG
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Dolph Mathews
Whiteboard
Identity management doesn't have much to do with project nesting, so the description here is a bit confusing? Project nesting has been discussed on occasion by the community and generally rejected (I was one of the advocates!). Multi-container user management is better solved by either federation (Icehouse) (or perhaps using domains as containers for users would be considered sufficient).