[openstack-dev] [keystone] New blueprint and implementation to standardize getting role assignments at authentication time

Henry Nash henryn at linux.vnet.ibm.com
Sun Jul 7 09:04:46 UTC 2013


In thinking about how to implement the OS-INHERIT extension as well as planning for simplification in iceHouse of all our backend grants tables, I realized we needed to rationalise the various different methodologies for getting the list of roles in the token/auth controllers (v2 local is different to v2 remote/token, which again is different to v3).  This make all this code hard to maintain - and in at least one case wrong (e.g. if your only role on a project is via group membership, authenticating using v2 will fail).

The small bp (https://blueprints.launchpad.net/keystone/+spec/authenticate-role-rationalization) and a full implementation of this is now ready for review at: https://review.openstack.org/#/c/35897/.  A nice feature is that this has a negative impact on keystone code size - i.e. it removes a net of 240 odd lines of code :-)

As an aside, it was doing this work that I found the rather nasty bug of: https://bugs.launchpad.net/keystone/+bug/1197874.  A fix is also posted for review at https://review.openstack.org/#/c/35739/.

I think both of these should got in H2.

As a further aside, a WIP version for the OS-INHERIT extension is also posted, for anyone who wants to comment on the approach I am taking.


More information about the OpenStack-dev mailing list