[openstack-dev] [keystone] Inherited domain roles

David Chadwick d.w.chadwick at kent.ac.uk
Fri Jun 7 08:17:10 UTC 2013


Hi Arvind

On 06/06/2013 23:02, Tiwari, Arvind wrote:
> Hi Henry,
>
> I totally agree with David Chadwick that the roleDef itself should have
> enough info so that the underlying system (role assignment) can make a
> decision on whether the roleDef is inheritable or not. Below is my proposal,
> which is extensible and pretty much aligned with David's thoughts.
>

Before diving into the implementation details, perhaps we should agree 
which types of inheritance should be supported. Let's try to list all of 
the inheritance possibilities, and then decide which should be supported 
(or not).

1. A global role definition which can be inherited by all domains as and 
when they are created.
2. A domain defined role which can be inherited by all projects in the 
domain as and when they are created.
3. A project defined role which can be inherited by all users of the 
project (this is the traditional inheritance in the hierarchical RBAC 
model, but I don't think Keystone supports hierarchical RBAC, does it?).
4. A global role definition inherited by a domain that can be inherited 
by all projects in the domain
5. A global role definition inherited by a domain and by a project in 
the domain that can be inherited by users of the project
6. A domain defined role inherited by a project in the domain that can 
be inherited by users of the project

Next we have to decide if an inheritable role can be partially inherited 
or not. By partial inheritance, I mean that only a subset of the 
subordinates can inherit the role definition, as opposed to the complete 
set of all subordinates. For example, if a global role is specified to be 
inheritable, does this mean that all domains will automatically inherit 
it, or should there be a mechanism to specify which domains can inherit 
it? This can get messy, because now you need to decide whether partial 
inheritance is based on a white list or a black list, meaning either 
only those subordinates that are listed can inherit the definition, or 
all subordinates which are not listed can inherit the definition.

My preference would be to only support full inheritance in the first 
instance, unless someone has a good argument to make for partial inheritance.

regards

David


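The six inheritance cases and the full-versus-partial question above, modelled as a small resolver. This is an added example written for this page, not Keystone code and not part of David's or Arvind's proposal; the scope hierarchy (global, domain, project, user), the `depth` field standing in for "inheritable how far down", the `partial` white/black list over the definer's direct subordinates, and all names and sample data are assumptions made for illustration.

```python
"""Toy resolver for inheritable role definitions over a
global -> domain -> project -> user hierarchy.

Example code written for this page (not Keystone's implementation).
Assumed model:
  * depth=0    : role definition is not inheritable
  * depth=N    : inherited N levels below the defining scope (case 1/2/3 use N=1,
                 a global role reaching projects uses N=2, ...)
  * depth=None : inherited by every descendant (cases 4, 5, 6)
  * partial    : None for full inheritance, or ("whitelist"|"blacklist", names)
                 applied to the *direct* subordinates of the defining scope;
                 deeper scopes inherit only through a subordinate that was allowed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Scope:
    kind: str                       # 'global' | 'domain' | 'project' | 'user'
    name: str
    parent: Optional["Scope"] = None


@dataclass(frozen=True)
class RoleDef:
    name: str
    defined_at: Scope
    depth: Optional[int] = 0
    partial: Optional[Tuple[str, FrozenSet[str]]] = None


def lineage(scope: Scope) -> List[Scope]:
    """scope, its parent, its grandparent, ... up to the global scope."""
    out, s = [], scope
    while s is not None:
        out.append(s)
        s = s.parent
    return out


def can_see(role: RoleDef, scope: Scope) -> bool:
    """True if the role definition is visible (defined or inherited) at scope."""
    if scope == role.defined_at:
        return True
    chain = lineage(scope)
    if role.defined_at not in chain:
        return False                                # defined in an unrelated branch
    below = chain[:chain.index(role.defined_at)]    # scopes strictly under the definer
    if role.depth == 0 or (role.depth is not None and len(below) > role.depth):
        return False                                # not inheritable, or too far down
    direct_child = below[-1]                        # the subordinate handed the definition first
    if role.partial is None:
        return True                                 # full inheritance
    mode, names = role.partial
    if mode == "whitelist":
        return direct_child.name in names
    if mode == "blacklist":
        return direct_child.name not in names
    raise ValueError("unknown partial-inheritance mode: %r" % mode)


def roles_at(scope: Scope, defs: List[RoleDef]) -> Set[str]:
    return {r.name for r in defs if can_see(r, scope)}


# Constructed sample hierarchy (not real deployment data).
GLOBAL = Scope("global", "*")
DOM_A = Scope("domain", "domA", GLOBAL)
DOM_B = Scope("domain", "domB", GLOBAL)
PROJ_A1 = Scope("project", "projA1", DOM_A)
PROJ_B1 = Scope("project", "projB1", DOM_B)
USER_A1 = Scope("user", "alice", PROJ_A1)

DEFS = [
    RoleDef("local_only", GLOBAL),                              # not inheritable at all
    RoleDef("domain_admin", GLOBAL, depth=1),                   # case 1: global -> domains
    RoleDef("project_member", DOM_A, depth=1),                  # case 2: domain -> projects
    RoleDef("global_all", GLOBAL, depth=None),                  # cases 4/5: global -> everything
    RoleDef("domA_all", DOM_A, depth=None),                     # case 6: domain -> projects -> users
    RoleDef("auditor", GLOBAL, depth=None,
            partial=("whitelist", frozenset({"domA"}))),        # partial: only domA and below
    RoleDef("billing", GLOBAL, depth=None,
            partial=("blacklist", frozenset({"domB"}))),        # partial: everyone except domB
]

if __name__ == "__main__":
    for s in (GLOBAL, DOM_A, DOM_B, PROJ_A1, PROJ_B1, USER_A1):
        print("%-8s %-7s -> %s" % (s.kind, s.name, sorted(roles_at(s, DEFS))))
```

Note that `domain_admin` (case 1) stops at the domain and never reaches `projA1`, while `global_all` flows to every scope; and that under either partial mode the decision is taken once, at the definer's direct subordinate, so `projB1` and anything under it see neither `auditor` nor `billing`. The white-list versus black-list difference only shows when new domains are created: a new domain inherits `billing` automatically but must be added to the list before it inherits `auditor`, which is exactly the maintenance cost the message warns about.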
