Add Fine-Grained Restrictions to Keystone Trusts
Currently, the only meaningful restrictions a Keystone Trust can express are (a) scoping access to a project and (b) scoping access to a set of roles within that project. This blueprint aims to add more fine-grained restrictions to trusts, namely a whitelist of capabilities (expressed as oslo.policy targets) the trust may be used for, a list of endpoints it is valid for, and (where applicable) a concrete object UUID the trust may be used for. Note that this information is only recorded in Keystone and passed to the service in the course of token validation; oslo.policy then uses that information for policy enforcement on the service's side.
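As an added illustration (not Keystone or oslo.policy code), the following Python model shows how a service-side check could combine today's role check with the three proposed restrictions as they would arrive in a validated token; the `TrustScope` fields, the policy table and the sample IDs are assumptions, and an absent restriction list is treated as "unrestricted" to match current behaviour.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TrustScope:
    """Trust data as a service might see it after token validation (constructed model)."""
    project_id: str
    roles: list
    capabilities: Optional[list] = None  # oslo.policy targets, e.g. "compute:start"
    endpoints: Optional[list] = None     # endpoint IDs the trust is valid for
    object_ids: Optional[list] = None    # concrete resource UUIDs the trust may act on


def _permits(allowed: Optional[list], value: Optional[str]) -> bool:
    # None means the restriction was not set on the trust: behave as today (unrestricted).
    return allowed is None or value in allowed


def check_trust(scope: TrustScope, target: str, endpoint_id: str,
                object_id: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the proposed restrictions; all three must pass. Returns (allowed, reason)."""
    if not _permits(scope.capabilities, target):
        return False, f"capability {target!r} not whitelisted for this trust"
    if not _permits(scope.endpoints, endpoint_id):
        return False, f"endpoint {endpoint_id!r} not valid for this trust"
    if not _permits(scope.object_ids, object_id):
        return False, f"object {object_id!r} outside the trust's object scope"
    return True, "allowed"


# Hypothetical policy table: target -> role required (stands in for a policy.json rule).
POLICY = {"compute:start": "member", "compute:stop": "member", "compute:delete": "admin"}


def enforce(scope: TrustScope, target: str, endpoint_id: str,
            object_id: Optional[str] = None) -> Tuple[bool, str]:
    """Today's role check first, then the trust restrictions from the blueprint."""
    required = POLICY.get(target)
    if required is None or required not in scope.roles:
        return False, f"role check failed for {target!r}"
    return check_trust(scope, target, endpoint_id, object_id)


# Constructed samples: a trust limited to start/stop of one VM via one endpoint,
# and a legacy trust that carries only project and role scope.
VM = "11111111-2222-3333-4444-555555555555"
RESTRICTED = TrustScope(project_id="proj-1", roles=["member"],
                        capabilities=["compute:start", "compute:stop"],
                        endpoints=["nova-endpoint-1"], object_ids=[VM])
LEGACY = TrustScope(project_id="proj-1", roles=["member"])
```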
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Johannes Grassler
- Direction: Needs approval
- Assignee: Johannes Grassler
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Morgan Fainberg
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Added first draft of trust scope extensions.