<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi all,<br>
<br>
We created a POC that enables domain-related role
checking for components that do not support domains (such as Nova and
Cinder). The code can be found here:
<a class="moz-txt-link-freetext" href="https://github.com/rodrigods/keystone/tree/domain-check">https://github.com/rodrigods/keystone/tree/domain-check</a><br>
<br>
The idea is to use the HttpCheck feature:
<a class="moz-txt-link-freetext" href="https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L849">https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L849</a>
to check if a user has a given role in a domain. The changes were
made exclusively in Keystone. A service that wants to use the
feature just has to add the rule to its policy file.<br>
<br>
Here is a list of the changes added to make it work:<br>
<br>
1 - Create a new endpoint to handle the HttpCheck calls, for
example:<br>
/v3/projects/&lt;project_id&gt;/roles/&lt;role_name&gt;
<br>
<br>
2 - Add a method to handle this endpoint at Keystone:<br>
<a class="moz-txt-link-freetext" href="https://github.com/rodrigods/keystone/blob/domain-check/keystone/assignment/controllers.py#L559">https://github.com/rodrigods/keystone/blob/domain-check/keystone/assignment/controllers.py#L559</a><br>
<ul>
<li>Get domain_id from the target project (from the given project_id)</li>
<li>Filter all role_assignments of the logged user in the target domain
(from user_id in the given credentials)</li>
<li>Check if the role_assignments contain the target role</li>
</ul>
<br>
To test it, we added the following rule into Nova's policy file:
<ul>
<li>"compute:create":"rule:domain_admin"</li>
<li>"domain_admin":<a class="moz-txt-link-rfc2396E" href="http://localhost:5000/v3/projects/%(project_id)s/roles/admin">"http://localhost:5000/v3/projects/%(project_id)s/roles/admin"</a></li>
</ul>
Once the request arrives at Keystone, it checks if the logged
user has the <i>admin</i> role in <i>project_id</i>'s domain.
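<p>To make the flow concrete, here is an added, self-contained illustration of the two
halves described above: the policy side resolving <tt>rule:domain_admin</tt> to an
HttpCheck-style URL rule, and the Keystone side answering it by resolving the
project's domain and looking for the role among the caller's domain-scoped
assignments. It is example code written for this message, not code from the
linked branch or from oslo-incubator; the Keystone endpoint is replaced by an
in-process stub (<tt>FakeKeystone</tt>) so it runs offline, and every project,
domain, user and assignment in it is constructed sample data.</p>

```python
"""Domain-scoped role check through an HttpCheck-style policy rule.

Added illustration of the PoC flow; not code from the linked Keystone
branch or from oslo-incubator.  The Keystone service is replaced by an
in-process stub so everything runs offline.  All ids below are made up.
"""
import json
import re
from urllib.parse import urlparse


class FakeKeystone:
    """Stand-in (constructed) for the new Keystone endpoint
    /v3/projects/<project_id>/roles/<role_name>."""

    ENDPOINT = re.compile(
        r"^/v3/projects/(?P<project_id>[^/]+)/roles/(?P<role_name>[^/]+)$")

    def __init__(self, projects, assignments):
        self.projects = projects          # project_id -> domain_id
        self.assignments = assignments    # [(user_id, domain_id, role_name)]

    def check_domain_role(self, project_id, role_name, user_id):
        """Step 2 of the message: domain from the project, then the
        caller's role assignments in that domain, then look for the role."""
        domain_id = self.projects.get(project_id)
        if domain_id is None:
            return False                  # unknown project: deny
        user_roles = {role for uid, did, role in self.assignments
                      if uid == user_id and did == domain_id}
        return role_name in user_roles

    def handle(self, url, form):
        """Emulate the HTTP endpoint: parse the path, take the user from the
        POSTed credentials (not from the target, so the caller cannot pick
        whose roles are checked), answer 'True'/'False' as HttpCheck expects."""
        match = self.ENDPOINT.match(urlparse(url).path)
        if not match:
            return "False"
        creds = json.loads(form["credentials"])
        ok = self.check_domain_role(match["project_id"], match["role_name"],
                                    creds.get("user_id"))
        return "True" if ok else "False"


class HttpCheck:
    """Minimal HttpCheck: fill the URL template from the target, POST target
    and credentials as JSON form fields, pass only if the body is 'True'."""

    def __init__(self, url_template, transport):
        self.url_template = url_template
        self.transport = transport        # callable(url, form) -> str

    def __call__(self, target, creds):
        url = self.url_template % target  # e.g. %(project_id)s -> proj-a
        form = {"target": json.dumps(target), "credentials": json.dumps(creds)}
        return self.transport(url, form) == "True"


def parse_rule(rule_text, rules, transport):
    """Resolve 'rule:<name>' aliases and 'http(s):...' checks."""
    if rule_text.startswith("rule:"):
        return parse_rule(rules[rule_text[len("rule:"):]], rules, transport)
    if rule_text.startswith(("http:", "https:")):
        return HttpCheck(rule_text, transport)
    raise ValueError("unsupported rule: %s" % rule_text)


def enforce(action, target, creds, rules, transport):
    """Evaluate the policy rule registered for `action`."""
    return parse_rule(rules[action], rules, transport)(target, creds)


# The two rules from the message, as they would appear in Nova's policy file.
POLICY = {
    "compute:create": "rule:domain_admin",
    "domain_admin":
        "http://localhost:5000/v3/projects/%(project_id)s/roles/admin",
}

# Constructed sample data: two projects in two domains, one domain admin.
KEYSTONE = FakeKeystone(
    projects={"proj-a": "dom-1", "proj-b": "dom-2"},
    assignments=[("alice", "dom-1", "admin"), ("bob", "dom-2", "member")],
)


def can_create(user_id, project_id):
    """Would Nova's compute:create be allowed for this user and project?"""
    target = {"project_id": project_id}
    creds = {"user_id": user_id, "project_id": project_id}
    return enforce("compute:create", target, creds, POLICY, KEYSTONE.handle)


if __name__ == "__main__":
    print(can_create("alice", "proj-a"))   # domain admin of dom-1
    print(can_create("alice", "proj-b"))   # no role in dom-2
    print(can_create("bob", "proj-b"))     # member, not admin
```

<p>Two details worth keeping in a real implementation are visible here: the
domain is derived from the target project on the Keystone side, so the calling
service never has to know about domains, and the user being checked comes from
the credentials of the request, not from the target supplied in the URL.</p>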
<p>So, what do you think? We would like your feedback before putting in
extra effort such as creating the bp/spec.<br>
</p>
<p>--<br>
</p>
<font style="font-family: arial, sans-serif; font-size: 13px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: auto;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
255);" color="#666666">Rodrigo Duarte Sousa<br>
<span>MSc</span><span> </span><span>candidate</span><span> in
Computer Science<br>
Software Engineer at OpenStack Project HP/LSD-UFCG<br>
</span></font>
<div style="color: rgb(136, 136, 136); font-family: arial,
sans-serif; font-size: 13px; font-style: normal; font-variant:
normal; font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"><font color="#666666">Distributed
Systems Laboratory<br>
Federal University of Campina Grande<br>
Campina Grande, PB - Brazil</font><br>
<font color="#3333ff"><a
href="http://lsd.ufcg.edu.br/%7Erodrigods" target="_blank"
style="color: rgb(17, 85, 204);">http://lsd.ufcg.edu.br/~rodrigods</a></font></div>
</body>
</html>