OpenStack Identity (keystone)

Unified model for delegations

Registered by Alexander Makarov

Both assignments and trusts serve the single purpose: delegate roles on the resource to the actor.
Resource may be either project or domain, actor is a user or a group.

This blueprint proposes a new delegation model containing following information:
 - trustee (user or gtoup)
 - roles to be delegated
 - resource (domain or project)
 - usage restrictions
 - source of delegation - actor, who delegates the scope

Delegation must allow to track the responsibility chain so that any delegation is always granted by some actor to another. To allow this keystone must maintain chain consistency: it must handle the cases where the chain is broken or changed.
Delegation must have an option to restrict it's usage so that it can be used for defined workflow and nothing more.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Low
Drafter:
Alexander Makarov
Direction:
Approved
Assignee:
Alexander Makarov
Definition:
Superseded
Series goal:
None
Implementation:
Started
Milestone target:
None
Started by
Steve Martinelli
Completed by
Lance Bragstad

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/unified-delegation,n,z

Addressed by: https://review.openstack.org/189816
    Unified delegation spec

Addressed by: https://review.openstack.org/208488
    Unified delegation model

Addressed by: https://review.openstack.org/209600
    Unified delegation driver

Addressed by: https://review.openstack.org/237047
    Unified delegation migration

Addressed by: https://review.openstack.org/251445
    SQLAlchemy column type for materialized path

Addressed by: https://review.openstack.org/251513
    Use path hybrid property in query filtering

Addressed by: https://review.openstack.org/251455
    Materialized path convenience wrapper

Addressed by: https://review.openstack.org/253124
    Unified delegation manager skeleton

Addressed by: https://review.openstack.org/257378
    Trust manager using unified delegation

Addressed by: https://review.openstack.org/257527
    Assignment manager using unified delegation

Addressed by: https://review.openstack.org/260686
    Unified delegation SQL driver

Addressed by: https://review.openstack.org/291318
    Unified delegation assignment driver

Addressed by: https://review.openstack.org/291871
    WIP/DNM Unified delegation trust driver

Addressed by: https://review.openstack.org/330573
    Delegation parent discovery function

Addressed by: https://review.openstack.org/370965
    OAuth1 driver for unified delegation

Addressed by: https://review.openstack.org/384638
    Cross API unified delegation test

(lbragstad) 19-02-15: I'm marking this as superseded based on the plan socialized on the mailing list [0]. All relevant content from this blueprint has been ported to an RFE bug report [1].

[0] http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002672.html
[1] https://bugs.launchpad.net/keystone/+bug/1816115

(?)

Work Items

Work items:
Specification: DONE
Unified delegation model for SQL backend: INPROGRESS
Unified driver base: INPROGRESS
Substitute the driver for assignment: INPROGRESS
Substitute the driver for trust: INPROGRESS
Substitute manager and driver for oauth1: TODO
Unified API: TODO
Unified Manager: TODO
Migration script: TODO

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.