[openstack-dev] [Keystone] Feature to enable domain-related role validation

Rodrigo Duarte Sousa rodrigods at lsd.ufcg.edu.br
Tue Jul 1 20:32:09 UTC 2014


Hi all,

We created a POC that enables domain-related role checking for components 
that do not support domains (such as Nova and Cinder). The code can be 
found here: https://github.com/rodrigods/keystone/tree/domain-check

The idea is to use the HttpCheck feature: 
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L849 
to check if a user has a given role in a domain. The changes were made 
exclusively in Keystone. A service wishing to use the feature just 
has to add the rule to its policy file.

Here is a list of the changes added to make it work:

1 - Create a new endpoint to handle the HttpCheck calls, for example:
/v3/projects/<project_id>/roles/<role_name>

2 - Add a method to handle this endpoint at Keystone:
https://github.com/rodrigods/keystone/blob/domain-check/keystone/assignment/controllers.py#L559

  * Get domain_id from the target project (from the given project_id)
  * Filter all role_assignments of the logged-in user in the target domain
    (from the user_id in the given credentials)
  * Check if the role_assignments contain the target role


To test it, we added the following rule into Nova's policy file:

  * "compute:create":"rule:domain_admin"
  * "domain_admin":"http://localhost:5000/v3/projects/%(project_id)s/roles/admin"

Once the request arrives at Keystone, it checks if the logged-in user 
has the /admin/ role in /project_id/'s domain.

So, what do you think? We would like your feedback before putting in extra 
effort such as creating the bp/spec.

--

Rodrigo Duarte Sousa
MSc candidate in Computer Science
Software Engineer at OpenStack Project HP/LSD-UFCG
Distributed Systems Laboratory
Federal University of Campina Grande
Campina Grande, PB - Brazil
http://lsd.ufcg.edu.br/~rodrigods
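As an added, self-contained illustration of the three steps above (not code from the linked branch or from oslo), the following Python sketch implements the domain-role check and mimics how an HttpCheck rule would fill `%(project_id)s` into the URL and treat a literal "True" body as success; the HTTP hop is replaced by a direct call, and the projects and role assignments are constructed sample data.

```python
import re

# Constructed sample data: projects belong to domains, and role assignments
# may be granted either directly on a domain or only on a project.
PROJECTS = {"proj-a": {"domain_id": "dom-1"}, "proj-b": {"domain_id": "dom-2"}}
ROLE_ASSIGNMENTS = [
    {"user_id": "alice", "domain_id": "dom-1", "role": "admin"},   # domain-level admin
    {"user_id": "bob", "project_id": "proj-a", "role": "admin"},   # project-level only
]


def has_domain_role(project_id, user_id, role_name):
    """Steps from the post: project -> domain_id, filter the user's assignments
    scoped to that domain, then look for the target role among them."""
    project = PROJECTS.get(project_id)
    if project is None:
        return False  # unknown project: deny rather than guess a domain
    domain_id = project["domain_id"]
    user_domain_roles = {
        a["role"] for a in ROLE_ASSIGNMENTS
        if a["user_id"] == user_id and a.get("domain_id") == domain_id
    }
    return role_name in user_domain_roles


def http_check(url_template, target, creds):
    """Hypothetical stand-in for oslo's HttpCheck: expand %(key)s placeholders
    from the policy target, 'call' the endpoint, and succeed only on a 'True'
    body. The endpoint call is simulated by routing the URL to has_domain_role."""
    url = url_template % target
    m = re.search(r"/v3/projects/([^/]+)/roles/([^/]+)$", url)
    if not m:
        return False  # URL does not match the endpoint shape the post proposes
    project_id, role_name = m.group(1), m.group(2)
    body = "True" if has_domain_role(project_id, creds["user_id"], role_name) else "False"
    return body == "True"


# The rule from the Nova policy file in the post.
DOMAIN_ADMIN_RULE = "http://localhost:5000/v3/projects/%(project_id)s/roles/admin"
```

Note that bob holds admin only on proj-a, so the check denies him: the rule deliberately asks about the project's domain, not the project itself.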