<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello</div><div><br></div><div>## Overview<br></div><div>I want to bring up this topic (admin-ness not properly scoped)[1] to get a big picture of the state of this issue and that was needed on the oslo.policy side.</div><div><br></div><div>A few weeks ago some RHOSP customers requested an enhancement of oslo.policy since their <span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">admin domain can manage other domains. They use OSP13.</span></span></div><div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">The
goal of this ML thread is to help us to track information about this
topic and I also planned to discuss this topic during the next
oslo meeting (Monday 18 of March).</span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">## Details<br></span></span></div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">After some investigations I've found a lot of related issues on launchpad[1][2][3], and a lot of <span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">discussions </span></span>inside the openstack community about this topic.</span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">First I guess it's not an RFE but it's a known issue.<br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"></span></span><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">This bug has side-effects across several services, not just oslo or keystone, making the fix complex to orchestrate across services.</span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">First, I want to know more about the latest events on this topic on the oslo side:</span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- the states of the related specs (<a 
href="https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html">https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html</a>).<br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- if we need to add more changes to completely fix this issue and/or if everything is complete on the oslo side and know since which version. I guess this one[4] is related.<br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">Also, due to the complexity of this issue, I guess it is not totally fixed on all the openstack components on stein and it can't be fully (whole) backported to stable branches, but your point of view is really appreciated. In other words I guess some parts are already fixed on some components but some services still need to be fixed and the issue partially occurs on stein, so fixing that on stable branches is not really possible, can you confirm?<br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">Also I've found a few related specs that I guess can be useful to track the evolution:</span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- <a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html</a><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- <a 
href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html</a><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- <a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html</a><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">- <a href="https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html">https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html</a><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display"><br></span></span></div><div><span id="gmail-summary_container"><span id="gmail-short_desc_nonedit_display">If I missed something useful do not hesitate to reply on and to share it with us.<br></span></span></div><div><br></div><div>[1] <a href="https://bugs.launchpad.net/keystone/+bug/968696">https://bugs.launchpad.net/keystone/+bug/968696</a></div><div>[2] <a href="https://bugs.launchpad.net/keystone/+bug/1783659">https://bugs.launchpad.net/keystone/+bug/1783659</a></div><div>[3] <a href="https://bugs.launchpad.net/nova/+bug/1649532">https://bugs.launchpad.net/nova/+bug/1649532</a></div><div>[4] <a href="https://bugs.launchpad.net/oslo.policy/+bug/1577996">https://bugs.launchpad.net/oslo.policy/+bug/1577996</a><br></div><div><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Hervé Beraud</div><div>Senior Software Engineer<br></div><div>Red Hat - Openstack Oslo</div><div>irc: hberaud</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>