[openstack-dev] [Keystone] Attribute mapping and groups

Henry Nash henryn at linux.vnet.ibm.com
Wed Dec 19 00:18:11 UTC 2012 

So I personally don't think this is the right approach.  My rationale is:

1) We already have the standard "RBAC based" groups proposal & implementation that has been reviewed several times  - so there is no argument really here for minimising code development or wasted effort.  GIven the review comments so far, this will all be ready to be merged this week.
2) I still think we do not have consensus of what parts of attribute mapping/control api would be exposed to administrators to achieve the equivalent of groups.  In my view,  most installations in the short to medium term want an RBAC solution (that's what they know and it is sufficient).  Complicating the administration with a general purpose AM/ABAC semantics would be a negative.  Longer term, for complex installations (and particular when we want federation), then the AM/ABAC model comes into its own and will be a real differentiator for OpenStack.  
3) We should therefore complete the RBAC groups approach and make that our reference implementation.
4) Once we have 3), we can then look at how we might start using AM/ABAC - e.g. using it to set/get role assignments.  We can decide as we close in on the Grizzly dates whether this support is experimental or production.

Henry



> Henry, Adam, Joe et al
> 
> this is how I propose that attribute mapping is integrated into Keystone order to minimise code development and wasted effort
> 
> 1. Henry produces code that stores groups and group memberships in Keystone
> 
> 2. Henry produces code that retrieves user groups from keystone
> 
> 3. Henry does not produce code that links groups to roles and that iterates through roles to find out who the group members are that have the roles. Instead
> 
> 4. Kristy finishes off the super API, that given a set of input groups, returns the set of roles and tenants that the user is a member of. (This is already partly written, but is not part of the code that has already been submitted to git. But it will use the code that has been submitted)
> 
> 5. Henry uses Kristy's code
> 
> regards
> 
> David
> 
> 
> 
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

More information about the OpenStack-dev mailing list