On Wed, 13 Mar 2019 at 18:33, Ben Nemec <openstack@nemebean.com> wrote:
Tagging Keystone as I think they are better suited to answering this.
Yep, makes sense :)
A bit more from my limited knowledge inline.
On 3/13/19 12:07 PM, Herve Beraud wrote:
Hello
## Overview
I want to bring up this topic (admin-ness not properly scoped)[1] to get a big picture of the state of this issue and that was needed on the oslo.policy side.
A few weeks ago some RHOSP customers requested an enhancement of oslo.policy since their admin domain can manage other domains. They use OSP13.
For those not rocking fedoras, OSP 13 corresponds to Queens. :-)
The goal of this ML thread is to help us track information about this topic, and I also planned to discuss this topic during the next oslo meeting (Monday, 18 March).
## Details
After some investigations I've found a lot of related issues on launchpad[1][2][3], and a lot of discussions inside the openstack community about this topic.
First I guess it's not an RFE but it's a known issue.
This bug has side-effects across several services, not just oslo or keystone, making the fix complex to orchestrate across services.
First, I want to know more about the latest events on this topic on the oslo side:
- the state of the related specs (https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-... ).
- if we need to add more changes to completely fix this issue and/or if everything is complete on the oslo side and know since which version. I guess this one[4] is related.
To my knowledge the Oslo side is done. I think we actually added the necessary fields to oslo.policy (and oslo.context?) at the end of last cycle. I'm not sure where the Keystone side stands, but I'm sure someone from that team can provide an update.
Yeah, I guess we can bring in oslo.context too since these changes look related to this topic too: https://github.com/openstack/oslo.context/commit/f65408df5cd5924f2879c3ee94d...
Unfortunately, even if Keystone is completely finished, to consume this I _think_ it's going to require policy changes in all of the consuming services, and I don't know that any of those have happened yet. I believe it's a PTG topic for Keystone.
Also, due to the complexity of this issue, I guess it is not totally fixed across all the openstack components on stein and it can't be fully (whole) backported to stable branches, but your point of view is really appreciated. In other words, I guess some parts are already fixed on some components but some services still need to be fixed and the issue partially occurs on stein, so fixing that on stable branches is not really possible, can you confirm?
Yeah, I don't expect most of this would be backportable, especially all the way to Queens.
Thanks.
Also I've found a few related specs that I guess can be useful to track the evolution:
- https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/ca...
- https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/de...
- https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/s...
- https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-...

If I missed something useful, do not hesitate to reply and share it with us.
[1] https://bugs.launchpad.net/keystone/+bug/968696
[2] https://bugs.launchpad.net/keystone/+bug/1783659
[3] https://bugs.launchpad.net/nova/+bug/1649532
[4] https://bugs.launchpad.net/oslo.policy/+bug/1577996
-- Hervé Beraud Senior Software Engineer Red Hat - Openstack Oslo irc: hberaud