<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 13 Mar 2019 at 18:33, Ben Nemec <<a href="mailto:openstack@nemebean.com">openstack@nemebean.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Tagging Keystone as I think they are better suited to answering this.<br></blockquote><div><br></div><div>Yep, makes sense :) <br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
A bit more from my limited knowledge inline.<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
On 3/13/19 12:07 PM, Herve Beraud wrote:<br>
> Hello<br>
> <br>
> ## Overview<br>
> I want to bring up this topic (admin-ness not properly scoped)[1] to get <br>
> a big picture of the state of this issue and that was needed on the <br>
> oslo.policy side.<br>
> <br>
> A few weeks ago some RHOSP customers requested an enhancement of <br>
> oslo.policy since their admin domain can manage other domains. They use <br>
> OSP13.<br>
<br>
For those not rocking fedoras, OSP 13 corresponds to Queens. :-)<br>
<br>
> <br>
> The goal of this ML thread is to help us to track information about <br>
> this topic and I also planned to discuss this topic during the <br>
> next oslo meeting (Monday 18 of March).<br>
> <br>
> ## Details<br>
> <br>
> After some investigations I've found a lot of related issues on <br>
> launchpad[1][2][3], and a lot of discussions inside the openstack <br>
> community about this topic.<br>
> <br>
> First I guess it's not an RFE but it's a known issue.<br>
> <br>
> This bug has side-effects across several services, not just oslo or <br>
> keystone, making the fix complex to orchestrate across services.<br>
> <br>
> First, I want to know more about the latest events on this <br>
> topic on the oslo side:<br>
> - the state of the related specs <br>
> (<a href="https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html" rel="noreferrer" target="_blank">https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html</a>).<br>
> - if we need to add more changes to completely fix this issue and/or if <br>
> everything is complete on the oslo side and, if so, since which version. I <br>
> guess this one[4] is related too.<br>
<br>
To my knowledge the Oslo side is done. I think we actually added the <br>
necessary fields to oslo.policy (and oslo.context?) at the end of last <br>
cycle. I'm not sure where the Keystone side stands, but I'm sure someone <br>
from that team can provide an update.<br></blockquote><div><br></div><div>Yeah, I guess we can bring in oslo.context too, since these changes look related to this topic too:</div><div> <a href="https://github.com/openstack/oslo.context/commit/f65408df5cd5924f2879c3ee94d07fd27cb2cf73">https://github.com/openstack/oslo.context/commit/f65408df5cd5924f2879c3ee94d07fd27cb2cf73</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Unfortunately, even if Keystone is completely finished, to consume this <br>
I _think_ it's going to require policy changes in all of the consuming <br>
services, and I don't know that any of those have happened yet. I <br>
believe it's a PTG topic for Keystone.<br>
<br>
> <br>
> Also, due to the complexity of this issue, I guess it is not totally fixed on <br>
> the whole openstack components on stein and it can't be fully (whole) <br>
> backported to stable branches, but your point of view is really <br>
> appreciated. In other words I guess some parts are already fixed on some <br>
> components but some services still need to be fixed and the issue <br>
> partially occurs on stein, so fixing that on stable branches is not really <br>
> possible, can you confirm?<br>
<br>
Yeah, I don't expect most of this would be backportable, especially all <br>
the way to Queens.<br></blockquote><div><br></div><div>Thanks. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> <br>
> Also I've found a few related specs that I guess can be useful to track <br>
> the evolution:<br>
> - <br>
> <a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html" rel="noreferrer" target="_blank">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html</a><br>
> - <br>
> <a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html" rel="noreferrer" target="_blank">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html</a><br>
> - <br>
> <a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html" rel="noreferrer" target="_blank">https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html</a><br>
> - <br>
> <a href="https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html" rel="noreferrer" target="_blank">https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html</a><br>
> <br>
> If I missed something useful do not hesitate to reply and to share it <br>
> with us.<br>
> <br>
> [1] <a href="https://bugs.launchpad.net/keystone/+bug/968696" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/968696</a><br>
> [2] <a href="https://bugs.launchpad.net/keystone/+bug/1783659" rel="noreferrer" target="_blank">https://bugs.launchpad.net/keystone/+bug/1783659</a><br>
> [3] <a href="https://bugs.launchpad.net/nova/+bug/1649532" rel="noreferrer" target="_blank">https://bugs.launchpad.net/nova/+bug/1649532</a><br>
> [4] <a href="https://bugs.launchpad.net/oslo.policy/+bug/1577996" rel="noreferrer" target="_blank">https://bugs.launchpad.net/oslo.policy/+bug/1577996</a><br>
> <br>
> -- <br>
> Hervé Beraud<br>
> Senior Software Engineer<br>
> Red Hat - Openstack Oslo<br>
> irc: hberaud<br>
> <br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Hervé Beraud</div><div>Senior Software Engineer<br></div><div>Red Hat - Openstack Oslo</div><div>irc: hberaud</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>