[openstack-dev] [all] default and implied roles changes

Lance Bragstad lbragstad at gmail.com
Tue Jun 19 18:11:34 UTC 2018


Hi all,

Keystone recently took a big step in implementing the default roles work
that's been a hot topic over the past year [0][1][2][3][4], and a big
piece in making RBAC more robust across OpenStack. We merged a patch [5]
that ensures the roles described in the specification [6] exist. This
was formerly a cross-project specification [7], but rescoped to target
keystone directly in hopes of making it a future community goal [8].

If you've noticed issues with various CI infrastructure, it could be due
to the fact a couple new roles are being populated by keystone's
bootstrap command. For example, if your testing infrastructure creates a
role named 'Member' or 'member', you could see HTTP 409s since keystone
is now creating that role by default. You can safely remove code that
ensures that role exists, since keystone will now handle that for you.
These types of changes have been working their way into infrastructure
and deployment projects [9] this week.

If you're seeing something that isn't an HTTP 409 and suspect it is
related to these changes, come find us in #openstack-keystone. We'll be
around to answer questions about the changes in keystone and can assist
in straightening things out.


[0] https://etherpad.openstack.org/p/policy-queens-ptg Queens PTG Policy Session
[1] https://etherpad.openstack.org/p/queens-PTG-keystone-policy-roadmap Queens PTG Roadmap Outline
[2] https://etherpad.openstack.org/p/rbac-and-policy-rocky-ptg Rocky PTG Policy Session
[3] https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg Rocky PTG Identity Integration Track
[4] https://etherpad.openstack.org/p/YVR-rocky-default-roles Rocky Forum Default Roles Forum Session
[5] https://review.openstack.org/#/c/572243/
[6] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[7] https://review.openstack.org/#/c/523973/
[8] http://lists.openstack.org/pipermail/openstack-dev/2018-May/130208.html
[9] https://review.openstack.org/#/q/(status:open+OR+status:merged)+branch:master+topic:fix-member
