[openstack-dev] Organizational roles via "Built-in Groups" or Attributes
K.W.S.Siu
K.W.S.Siu at kent.ac.uk
Mon Dec 10 14:43:03 UTC 2012
Hi Henry,
I've added the proposed API changes for our role mapping service to the role mapping blueprint specification (https://blueprints.launchpad.net/keystone/+spec/role-mapping-service-keystone) which should hopefully clarify some things.
Kristy
On 10 Dec 2012, at 10:23, David Chadwick wrote:
> Hi Henry
>
> if the GUI uses the MVC pattern then surely the GUI issue is largely
> irrelevant isnt it, since the user view can be of either groups or mappings.
>
> > So in terms of customer experience, I think you are saying that if a
> > cloud provider wants to offer organizational roles to their
> > customers, then there is a manual set up required by the Keystone
> > admin to create these sets
>
> Yes in the first release. Though we have discussed an automated set up where the keystone admin creates a config file and the set up is done automatically from this by a tool that calls the APIs.
>
>
> ...these, I assume, are in addition to the
> > user/roles/metadata tables (or whichever backend solution is bring
> > used) that will exist already?
>
> Yes, these also have to be set up manually or via a set of tools
>
> > We'll need to come up with a way of
> > sharing the names/Ids of these"well known" sets - since keystone
> > will need to name them in the api calls to pick up the mappings.
>
> I dont think that knowing the names of the sets needs to be known by anyone except the keystone admin since he is the only one who will see them. He will need to know the names of the org attributes and the org admin will need to know the names of the roles. The sets are an internal grouping mechanism that dont need to be externally visible in the first release.
>
> Depending upon how the access controls are set up in the second release, the set names may need to be known by the org admins.
>
> > we need to
> > allow organizational roles to be assigned to a domain or a project
> > (and hence and user who has that organizational attribute then gets
> > the respective role on that object)
>
> The concept is the same. Domain will simply become another internal attribute that the external org attributes can map into
>
> regards
>
> David
>
> On 10/12/2012 09:49, Henry Nash wrote:
>> Hi
>>
>> So a few additional comments in-line below.
>>
>> Further, I'd like to (re-)suggest my original proposal that we submit
>> a reference implementation for groups as defined in the blueprint (in
>> fact the client side api for this is already up for review at:
>> https://review.openstack.org/#/c/17693/). The server side would be
>> available for review this week - this is relatively straight forward
>> given the existing rather nice design of the v3 support in general
>> (kudos to whoever did that, btw). The advantage of this approach is
>> that
>>
>> a) We are guaranteed a solution for Grizzly b) As components of the
>> attribute mapping service come into play, we integrate them in to the
>> exiting flow and remove redundant parts of the reference
>> implementation c) We can decide fairly late how pervasive the
>> attribute support for organizational roles is - e.g. - if it
>> front-ended by a more traditional simple groups api? Or an attribute
>> api, with a simpler "groups" ui, or the full thing, etc.
>>
>> This would give us a lot of flexibility - e.g. we could decide, for
>> instance, that in Grizzly, we'll use the attribute mapper to store
>> the group relationship, but actually present it as a traditional
>> group capability on the front end (i.e. give us more time to come up
>> with a suitable api/ui for generalized attribute mapping...maybe with
>> a preview in Grizzly)...and then expose the (already stored in AM)
>> underlying relationships directly in H. Or some other combination
>> of hybrid implementation that lets us strike that right balance for
>> the state of the s/w in a couple of months.
>>
>> Adam/Dolph - any views/comments?
>>
>> Henry On 7 Dec 2012, at 15:05, David Chadwick wrote:
>>
>>> Hi Henry
>>>
>>> On 07/12/2012 14:24, Henry Nash wrote:
>>>> Hi David/Kirtsy,
>>>>
>>>> So a few questions:
>>>>
>>>> - How do the attribute sets get created (e.g. roles, projects,
>>>> domains)?
>>>
>>> In the first version the Keystone admin will create them via a new
>>> user command. We dont think the backend storage will need altering
>>> as we are simply creating a new type of object to be stored there.
>>> (An organisation admin could also create new mappings but it would
>>> be uncontrolled access). In the second version organisational
>>> admins will create the mappings and access controls will ensure
>>> they can only set their own attributes to authorised roles. So we
>>> can have multiple administrators updating different mappings in a
>>> controlled manner in the second version.
>>>
>> So in terms of customer experience, I think you are saying that if a
>> cloud provider wants to offer organizational roles to their
>> customers, then there is a manual set up required by the Keystone
>> admin to create these sets...these, I assume, are in addition to the
>> user/roles/metadata tables (or whichever backend solution is bring
>> used) that will exist already? We'll need to come up with a way of
>> sharing the names/Ids of these"well known" sets - since keystone
>> will need to name them in the api calls to pick up the mappings.
>>>
>>> Are you assuming that as these are created in keystone
>>>> they are replicated into the attribute service?
>>>
>>> No, they are stored in Keystone's backend storage and the AM reads
>>> then from there. So they are only stored once.
>>>
>>> Or that these are
>>>> created independently somehow? Or maybe crated on-the-fly as
>>>> relationship requests come in?
>>>
>>> Yes to both. Independently created by admin during initial
>>> configuration of Keystone. Then they will also be created on the
>>> fly in the federated Keystone when new users appear. The way this
>>> will work is as follows i) the mapping that the admin puts in says
>>> this attribute type (but no value specified) maps into a
>>> tenant/project with no value specified. ie. it is a rule for
>>> creating new tenants for each new identified user who has a
>>> specific set of attributes. (the same can apply for roles, although
>>> that sort of defeats the whole purpose of RBAC if each user has his
>>> own role. However it could be done at the organisation level e.g.
>>> set up a mapping for org attribute to role, then every new
>>> organisation would create a new role for itself and every user from
>>> the organisation would get the new role)
>>>
>>> ii) When a federated user first uses Keystone, the federated module
>>> will find that no specific mapping exists for him so it will create
>>> a new tenant and or role and add a new mapping for this user to
>>> this tenant/role using the AM.
>>>
>>>
>>> - What api (that other projects can
>>>> use) actually populates the mapping service with the
>>>> group-project-role and group-domain-role relationships
>>>
>>> Kristy has already specified the API internally. She should publish
>>> it over the weekend or on Monday.
>>>
>>> (remember
>>>> there are no "tenants" in v3)?
>>>
>>> Tenants are projects arent they? So doesnt v3 have projects? If so
>>> we can simply substitute tenant for project.
>>>
>> Yes there are projects, but projects are not the only thing that can
>> have roles assigned to - so can Domains. Large enterprise customers
>> will probably treat the domain as the "account holder" or tenant,
>> not the projects that come and go. So in this scenario we need to
>> allow organizational roles to be assigned to a domain or a project
>> (and hence and user who has that organizational attribute then gets
>> the respective role on that object)
>>> Is this front-end api the one I
>>>> defined in the user-groups blueprint,
>>>
>>> Not sure we will need to check this out
>>>
>>> but that the backend
>>>> relationships for groups are then stored in the attribute
>>>> service?
>>>
>>> the AM does not store anything itself. It relies on Keystone's
>>> existing storage mechanism to store the objects. What the AM does
>>> is define some new objects and populate the Keystone storage with
>>> them. So we have defined add, read and delete operations on these
>>> objects.
>>>
>>>
>>> Or
>>>> are you thinking that the other projects will call the mapping
>>>> service to define those relationships?
>>>
>>> In principle any administrator can use the AM API to create
>>> mappings, but in order to activate and control this, we will need a
>>> proper access control mechanism with delegation of authority from
>>> the Keystone administrator to the AM administrators. This
>>> delegation might be by the keystone admin creating access rules
>>> himself for these other AM administrators e.g. by creating some new
>>> admin roles and then assigning these roles to the other AM
>>> administrators. Precise details are still to be worked out for
>>> this.
>>>
>>>
>>>
>>> If the later, have we defined
>>>> this api (in terms of what actual http calls we support and the
>>>> client side python to make it easy for these to called)?
>>>
>>> that's good. So Kristy should compare your APIs with her APIs and
>>> see what the similarities and differences are. Can I leave it to
>>> the two of you to agree what these APIs should be. Essentially we
>>> need get, post and delete
>>>
>> Sure. More than this, however, have we thought about what an example
>> UI would be for this - we will need that in Horizon. We want people
>> to have organziational roles out of the box. This might be
>> challenging - we need to come up with a generalized UI concept for
>> attribute mapping (I assume there must be examples of this already,
>> however), that is simple enough not to confuse the users who just
>> want "groups" when there are in, what is for now, the usual case of a
>> non-federated world, but is extensible enough not to require
>> re-design if they ever go federated.
>>> regards
>>>
>>> David
>>>
>>>>
>>>> Henry On 6 Dec 2012, at 13:46, David Chadwick wrote:
>>>>
>>>>> Hi Henry
>>>>>
>>>>> I discussed this very topic with Dolph in London yesterday.
>>>>> This is what we agreed would be the most sensible
>>>>> implementation route (Dolph please correct me if I am wrong)
>>>>>
>>>>> 1. Henry writes code that can add group memberships to the
>>>>> user identity store (maybe backend LDAP or whatever). Each user
>>>>> will probably have a group member attribute added to his entry,
>>>>> but details are for Henry to decide, since he will be
>>>>> responsible for both storing and picking up the groups. This
>>>>> will probably involve changes to Keystone client, but may not
>>>>> require any changes to the backend storage, depending upon how
>>>>> flexible it is (e.g. Kristy has managed to add IDPs to the
>>>>> service catalog without making any changes to the service
>>>>> catalog or backend storage)
>>>>>
>>>>> 2. Henry writes a new Keystone middleware module for the
>>>>> pipeline that, after the user has been identified and
>>>>> authenticated, calls the identity store to pick up the user's
>>>>> groups (added in 1 above). It then calls Kristy's Attribute
>>>>> Mapping Service, passing it the groups and getting back the
>>>>> tenants and roles. It then hands back control to the Keystone
>>>>> pipeline.
>>>>>
>>>>> regards
>>>>>
>>>>> David
>>>>>
>>>>>
>>>>> On 06/12/2012 11:43, Henry Nash wrote:
>>>>>> David/Kristy,
>>>>>>
>>>>>> So let's try and move this discussion on so that we at least
>>>>>> have a clearer description of what we would implement on both
>>>>>> paths - and make progress towards getting code into Grizzly.
>>>>>>
>>>>>> The traditional implementation (as defined by the bp:
>>>>>> https://blueprints.launchpad.net/keystone/+spec/user-groups
>>>>>> ) would involve: - Api implementation to support semantics
>>>>>> described (e.g. in keystone client) - A GroupControllerV3 in
>>>>>> keystone to pick up and dispatch these calls to the backends
>>>>>> (e.g sql, kvs), as well as a few changes to other controllers
>>>>>> affected (e.g. RoleController) - Backend implementations to
>>>>>> support the semantics - e.g. in sql the addition of a group,
>>>>>> GroupProjectMetadata and GroupDomainMetadata tables,
>>>>>> mirroring the way we do user-project/domain-role assignment -
>>>>>> Tests at the various levels against all these
>>>>>>
>>>>>> Now I *think* what you are suggesting is that, if we were
>>>>>> instead to use attributes to achieve group membership, that
>>>>>> the code in the Controllers would instead make calls to the
>>>>>> attribute mapping service for group membership aspects. It
>>>>>> isn't really a new backend (since you aren't supporting
>>>>>> everything as attributes), but conceptually something
>>>>>> similar. Do I have that right? Or do you see the changes as
>>>>>> more pervasive?
>>>>>>
>>>>>> Given that I am implementing this starting from the front
>>>>>> end (e.g. create the api support fist and all the tests
>>>>>> should all fail with not implemented), then the controllers,
>>>>>> and then backends...this might interlock with a little more
>>>>>> time to make a decision on where the backend is implemented.
>>>>>> Given the rather nice clean way that the new
>>>>>> controllers/backends are implemented - even doing a reference
>>>>>> implementation in the traditional fashion, then swapping out
>>>>>> (or modifying) the controllers to talk to the attribute
>>>>>> mappings service might be a good way of progressing this.
>>>>>>
>>>>>> Henry
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20121210/0afd92dd/attachment.html>
More information about the OpenStack-dev
mailing list