Customized and Pluggable Access Control Module in Keystone to Enable Multi-Tenancy
Multi-tenancy is an important aspect of Keystone. A potential solution is to redesign the underlying access control model together with its enforcement mechanism. This blueprint proposes a pluggable and customizable access control mechanism through which each tenant can dynamically adopt its own access control policy. This policy may be based on an existing access control model such as RBAC, MLS or DTE, or it may be a user-defined access control policy.
In order to support different business models, such an access control mechanism should also take into account collaboration between tenants. For the “reseller” use case discussed in the community, one actor can create a tenant which will be shared by another tenant. Thus, the underlying access control module of Keystone should support cross-tenant access control.
So the next steps are:
- define a generic access control model which can be used to instantiate different access control policies
- implement the customized access control enforcement mechanism for each tenant
- implement a cross-tenant collaboration mechanism based on the tenant relations
- integrate the whole implementation with the current Keystone
This will be a generic solution to close:
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
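A sketch of the design described above, added here as an illustration and not taken from the blueprint or from Keystone: each tenant carries its own policy object (RBAC or a read-only MLS check), and a tenant relation gates cross-tenant requests before the owning tenant's policy decides. All class, field and tenant names are assumptions, and the sample data is constructed.

```python
# Added illustration; every name here is hypothetical, none is a Keystone API.
from dataclasses import dataclass, field


class RBACPolicy:
    """Role-based model: a role grants a set of actions."""
    def __init__(self, role_actions, user_roles):
        self.role_actions, self.user_roles = role_actions, user_roles

    def allows(self, user, action, resource):
        return any(action in self.role_actions.get(r, ())
                   for r in self.user_roles.get(user, ()))


class MLSPolicy:
    """Multi-level model, read side only: no read up."""
    def __init__(self, clearance, labels):
        self.clearance, self.labels = clearance, labels

    def allows(self, user, action, resource):
        if action != "read" or resource not in self.labels:
            return False  # default deny outside what the model covers
        return self.clearance.get(user, -1) >= self.labels[resource]


@dataclass
class Enforcer:
    """One policy plugin per tenant, plus tenant relations for sharing."""
    policies: dict = field(default_factory=dict)  # tenant -> policy object
    home: dict = field(default_factory=dict)      # user -> home tenant
    shares: set = field(default_factory=set)      # (owner, guest, action)

    def check(self, user, action, tenant, resource):
        policy = self.policies.get(tenant)
        if policy is None:
            return False  # tenant without a policy: deny
        guest = self.home.get(user)
        if guest != tenant and (tenant, guest, action) not in self.shares:
            return False  # cross-tenant request without a relation: deny
        return policy.allows(user, action, resource)


def demo():
    """Constructed sample: tenant 'acme' shares read access with 'reseller'."""
    e = Enforcer(home={"alice": "acme", "rita": "reseller"})
    e.policies["acme"] = RBACPolicy({"admin": {"read", "write"}, "auditor": {"read"}},
                                    {"alice": ["admin"], "rita": ["auditor"]})
    before = e.check("rita", "read", "acme", "vm1")
    e.shares.add(("acme", "reseller", "read"))
    return before, e.check("rita", "read", "acme", "vm1"), e.check("rita", "write", "acme", "vm1")
```

In this sketch the relation only opens the door: the owning tenant's policy still has to grant the action, so a shared tenant never inherits more than its owner allows.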
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: WuKong
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Steve Martinelli
Whiteboard
(stevemar @ 02-14-16) I am administratively marking this as obsolete. Most of the goals here have been, or are being, addressed by competing blueprints.