Role chaining policy

Registered by Alexander Makarov

Until unified delegation is introduced, there is an option to restrict delegation by developing role chaining policies.
A corner case of such a policy is already applied implicitly: "admin role can grant assignment of any role".
The unified delegation concept is: "anybody may delegate a subset of his scopes to anyone".
The proposed concept is: "One being delegated a role on a project may delegate the role considered next in the workflow role chain".

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Alexander Makarov
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Lance Bragstad

Whiteboard

(stevemar) 16-02-02: is this superseded by implied roles?

(vishakha) 19-02-13 Can be marked as invalid as system scope things are going to land soon which prevents too much admin-ness.
[1] https://bugs.launchpad.net/keystone/+bugs?field.tag=system-scope

(lbragstad) 19-02-13: I think we'll need a proper specification for this that clarifies or updates the details in the unified delegation specification [0] in addition to stevemar's comment about how this works with implied roles.

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/unified-delegation.html
