[openstack-dev] Replacing Keystone Admin Accounts

Adam Young ayoung at redhat.com
Wed Mar 14 17:05:59 UTC 2018


As we attempt to close the gap on Bug 968696, we have to make sure we are
headed forward in a path that won't get us stuck.

It seems that many people use Admin-every accounts for many things that
they are not really meant for.  Such as performing Operations that should
be scoped to a project, like creating networks in Neutron or Block devices
in Cinder.

With the service scoping of role assignments, we have both the opportunity
and responsibility to rework how these operations are authorized.

Back in the time when we were discussing and engineering Hierarchical
Multi-tenancy (HMT) the operators told us that they did not want to have to
rescope tokens in order to provide help for their users.  I remember
getting this both verbally and in writing, although I cannot find the
message now.

If we created basic policy rules that allowed a Nova service account to
list all servers (for example) but not to change those servers without
getting a token scoped to that specific project, would it break a lot of
tooling?

The other use case we've found is the need to clean up project-scoped
resources.  Once a project has been deleted in Keystone, it is impossible
to get a project scoped token to delete the resources in cinder, glance,
and so on.  It seems like these operations need to be on a per-system
(service? endpoint) basis for the foreseeable future.  Is this acceptable?
Are there any alternatives that people would rather see implemented?
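To make the two cases in the mail concrete, here is a small added model of the proposed scoping rules. It is not OpenStack or oslo.policy code, and the policy names, token shape, and sample resources are made up for the illustration: a system-scoped reader may list servers across projects, changing a server requires a token scoped to that server's project, and cleaning up resources whose project no longer exists in Keystone is only reachable through a system-scoped admin rule, since no project-scoped token can be issued for a deleted project.

```python
# Added illustration of the scoping rules discussed in the mail above; this is
# not OpenStack or oslo.policy code, and the rule names only resemble
# Nova/Cinder policy targets.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Token:
    """A Keystone-like token: roles plus either a project scope or a system scope."""
    roles: List[str]
    project_id: Optional[str] = None   # set only on project-scoped tokens
    system: Optional[str] = None       # "all" on system-scoped tokens

    @property
    def is_system_scoped(self) -> bool:
        return self.system == "all" and self.project_id is None


# Each rule receives the token and the target resource (a dict) and returns a bool.
def rule_reader(token: Token, target: Dict) -> bool:
    return bool({"reader", "member", "admin"} & set(token.roles))


def rule_system_reader(token: Token, target: Dict) -> bool:
    # Read-only, cross-project access: system scope is enough, no rescoping needed.
    return token.is_system_scoped and rule_reader(token, target)


def rule_project_member(token: Token, target: Dict) -> bool:
    # Mutation: the token must be scoped to the project that owns the resource.
    return (
        token.project_id is not None
        and token.project_id == target.get("project_id")
        and bool({"member", "admin"} & set(token.roles))
    )


def rule_system_admin(token: Token, target: Dict) -> bool:
    return token.is_system_scoped and "admin" in token.roles


# Hypothetical policy table (names are made up, not real Nova/Cinder policies).
POLICY: Dict[str, Callable[[Token, Dict], bool]] = {
    "compute:servers:list_all_projects": rule_system_reader,
    "compute:servers:update": rule_project_member,
    "volume:delete_orphaned": rule_system_admin,
}


def enforce(action: str, token: Token, target: Dict) -> bool:
    """Default-deny policy check."""
    rule = POLICY.get(action)
    return rule(token, target) if rule else False


def cleanup_orphans(token: Token, volumes: List[Dict], live_projects: set) -> List[str]:
    """Return ids of volumes whose owning project no longer exists in Keystone
    and that the caller is allowed to delete. No project-scoped token can be
    issued for a deleted project, so only the system-scoped rule can succeed."""
    deleted = []
    for vol in volumes:
        if vol["project_id"] in live_projects:
            continue  # still owned; a project-scoped token should handle it
        if enforce("volume:delete_orphaned", token, vol):
            deleted.append(vol["id"])
    return deleted


# Constructed sample tokens and resources (not real data).
SYSTEM_READER = Token(roles=["reader"], system="all")
SYSTEM_ADMIN = Token(roles=["admin"], system="all")
PROJECT_A_MEMBER = Token(roles=["member"], project_id="proj-a")
SERVER_IN_A = {"id": "srv-1", "project_id": "proj-a"}
VOLUMES = [
    {"id": "vol-1", "project_id": "proj-a"},
    {"id": "vol-2", "project_id": "proj-gone"},  # project deleted in Keystone
]
LIVE_PROJECTS = {"proj-a"}


if __name__ == "__main__":
    print(enforce("compute:servers:list_all_projects", SYSTEM_READER, {}))   # True
    print(enforce("compute:servers:update", SYSTEM_READER, SERVER_IN_A))     # False
    print(enforce("compute:servers:update", PROJECT_A_MEMBER, SERVER_IN_A))  # True
    print(cleanup_orphans(SYSTEM_ADMIN, VOLUMES, LIVE_PROJECTS))             # ['vol-2']
    print(cleanup_orphans(PROJECT_A_MEMBER, VOLUMES, LIVE_PROJECTS))         # []
```

The point of splitting the table this way is that a system-scoped reader role covers the "help my users without rescoping" case for read operations, while anything that writes still forces the caller to obtain a token for the owning project; the orphan cleanup rule is the one place where a system-scoped write has to be allowed, and it is gated on the project genuinely being gone.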