Customized and Pluggable Access Control Module in Keystone to Enable Multi-Tenancy

Multi-tenancy is an important aspect for Keystone, a potential solution is to re-design the underlying access control model together with its enforcement mechanism. This blueprint proposes to provide a pluggable and customizable access control mechanism by which each tenant can be dynamically adopted with an access control policy. This policy may be based on an existing access control model like RBAC, MLS, DTE, etc, it can also be based on a user-defined specific access control policy.

In order to support different business models, such an access control mechanism should also take into account collaboration between tenants. For the “reseller” use case discussed in the community, one actor can create a tenant which will be shared by another tenant. Thus, the underlying access control module of Keystone should support cross-tenant access control.

So the next steps are:
- define a generic access control model which can be used to instantiate different access control policies
- implement the customized access control enforcement mechanism for each tenant
- implement a cross-tenant collaboration mechanism based on the tenant relations
- integrate the whole implementation with current Keystone

This will be a generic solution to close:
- https://blueprints.launchpad.net/keystone/+spec/add-openstackclient-federation-crud
- https://blueprints.launchpad.net/keystone/+spec/attribute-access-privilege-based-on-role
- https://blueprints.launchpad.net/keystone/+spec/attribute-based-access-control
- https://blueprints.launchpad.net/keystone/+spec/fine-grain
- https://blueprints.launchpad.net/keystone/+spec/hierarchical-administrative-boundary
- https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy
- https://blueprints.launchpad.net/keystone/+spec/domain-trusts