[openstack-dev] Questions about token scopes

Matt Riedemann mriedemos at gmail.com
Wed May 30 13:47:50 UTC 2018


I know the keystone team has been doing a lot of work on scoped tokens 
and Lance has been trying to roll that out to other projects (like nova).

In Rocky the nova team is adding granular policy rules to the placement 
API [1] which is a good opportunity to set scope on those rules as well.

For now, we've just said everything is system scope since resources in 
placement, for the most part, are managed by "the system". But we do 
have some resources in placement which have project/user information in 
them, so could theoretically also be scoped to a project, like GET 
/usages [2].

While going through this, I've been hammering Lance with questions but I 
had some more this morning and wanted to send them to the list to help 
spread the load and share the knowledge on working with scoped tokens in 
the other projects.

So here goes with the random questions:

* devstack has the admin project/user - does that by default get system 
scope tokens? I see the scope is part of the token create request [3] 
but it's optional, so is there a default value if not specified?

* Why don't the token create and show APIs return the scope?

* It looks like python-openstackclient doesn't allow specifying a scope 
when issuing a token, is that going to be added?

The reason I'm asking about OSC stuff is because we have the 
osc-placement plugin [4] which allows users with the admin role to work 
with resources in placement, which could be useful for things like 
fixing up incorrect or leaked allocations, i.e. fixing the fallout of a 
bug in nova. I'm wondering if we define all of the placement API rules 
as system scope and we're enforcing scope, will admins, as we know them 
today, continue to be able to use those APIs? Or will deployments just 
need to grow a system-scope admin project/user and per-project admin 
users, and then use the former for working with placement via the OSC 
plugin?

[1] 
https://review.openstack.org/#/q/topic:bp/granular-placement-policy+(status:open+OR+status:merged)
[2] https://developer.openstack.org/api-ref/placement/#list-usages
[3] 
https://developer.openstack.org/api-ref/identity/v3/index.html#password-authentication-with-scoped-authorization
[4] https://docs.openstack.org/osc-placement/latest/index.html

-- 

Thanks,

Matt

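Added illustration, not part of Matt's mail or of the nova, placement or keystone code: the three forms the optional "scope" member of a POST /v3/auth/tokens request can take (project, domain, system), how a client can tell a token's scope from the response body, and a simplified stand-in for oslo.policy's scope_types/enforce_scope check run against a hypothetical system-scoped placement rule with admin tokens of different scopes. The token bodies and the rule below are constructed for the example and abbreviated.

```python
"""Keystone v3 token scopes: request bodies, scope detection and a
simplified scope check.

Added illustration, not code from the original mail, nova, placement or
keystone. The token bodies are constructed to mirror the shape of Keystone
v3 responses; check_access() is a simplified stand-in for oslo.policy's
scope_types / enforce_scope behaviour, not oslo.policy itself.
"""


def build_auth_request(user, password, user_domain="Default", scope=None):
    """Build a POST /v3/auth/tokens body for password authentication.

    "scope" is optional in the API: leave it out for an unscoped token, or
    pass {"project": {"id": ...}}, {"domain": {"id": ...}} or
    {"system": {"all": True}}.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            }
        }
    }
    if scope is not None:
        body["auth"]["scope"] = scope
    return body


def token_scope(token):
    """Infer the scope of a Keystone v3 token body.

    The response carries no literal "scope" field; the scope shows up as a
    "system", "domain" or "project" key on the token, and an unscoped token
    has none of them.
    """
    for key in ("system", "domain", "project"):
        if key in token:
            return key
    return "unscoped"


# Constructed sample tokens (abbreviated: no catalog, audit_ids or expiry).
PROJECT_ADMIN_TOKEN = {
    "methods": ["password"],
    "user": {"id": "u-admin", "name": "admin"},
    "roles": [{"id": "r-admin", "name": "admin"}],
    "project": {"id": "p-admin", "name": "admin"},
}
SYSTEM_ADMIN_TOKEN = {
    "methods": ["password"],
    "user": {"id": "u-admin", "name": "admin"},
    "roles": [{"id": "r-admin", "name": "admin"}],
    "system": {"all": True},
}
PROJECT_MEMBER_TOKEN = {
    "methods": ["password"],
    "user": {"id": "u-demo", "name": "demo"},
    "roles": [{"id": "r-member", "name": "member"}],
    "project": {"id": "p-demo", "name": "demo"},
}

# Hypothetical placement rule: admin role, system scope only.
PLACEMENT_LIST_USAGES = {"roles": ["admin"], "scope_types": ["system"]}


def check_access(rule, token, enforce_scope=True):
    """Simplified policy check: scope first, then role.

    Returns "allowed", "denied-scope", "denied-role" or
    "allowed-scope-warning". With enforce_scope off, a scope mismatch is
    only reported (oslo.policy logs a warning there); with it on, the call
    is rejected (oslo.policy raises InvalidScope).
    """
    scope_ok = token_scope(token) in rule["scope_types"]
    if not scope_ok and enforce_scope:
        return "denied-scope"
    token_roles = {r["name"] for r in token.get("roles", [])}
    if not token_roles & set(rule["roles"]):
        return "denied-role"
    return "allowed" if scope_ok else "allowed-scope-warning"


if __name__ == "__main__":
    for name, tok in [("project admin", PROJECT_ADMIN_TOKEN),
                      ("system admin", SYSTEM_ADMIN_TOKEN),
                      ("project member", PROJECT_MEMBER_TOKEN)]:
        for enforce in (False, True):
            print(f"{name:14} scope={token_scope(tok):9} "
                  f"enforce_scope={enforce!s:5} -> "
                  f"{check_access(PLACEMENT_LIST_USAGES, tok, enforce)}")
```

Running the block prints the outcome matrix: the system-scoped admin passes the hypothetical system-scoped rule in both modes, the project-scoped admin passes only while enforce_scope is off, and a project-scoped member is rejected either way.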

