[oslo][keystone] admin-ness not properly scoped and oslo.policy current status about this issue

Ben Nemec openstack at nemebean.com
Wed Mar 13 17:30:53 UTC 2019

Tagging Keystone as I think they are better suited to answering this.

A bit more from my limited knowledge inline.

On 3/13/19 12:07 PM, Herve Beraud wrote:
> Hello
> ## Overview
> I want to bring up this topic (admin-ness not properly scoped)[1] to get 
> a big picture of the state of this issue and that was needed on the 
> oslo.policy side.
> Few weeks ago some RHOSP customers request for an enhancement of 
> oslo.policy since their admin domain can manage other domains. They use 
> OSP13.

For those not rocking fedoras, OSP 13 corresponds to Queens. :-)

> The goal of this ML thread is to help us to track informations about 
> this topic and I also planned to discuss about this topic during the 
> next oslo meeting (Monday 18 of March).
> ## Details
> After some investigations I've found a lot of related issues on 
> launchpad[1][2][3], and a lot of disucssions inside the openstack 
> community about this topic.
> First I guess it's not an RFE but it's a known issue.
> This bug has side-effects across several services, not just oslo or 
> keystone, making the fix complex to orchestrate across services.
> In a first time, I want to know more about the latest events on this 
> topic on the oslo side:
> - the states of the related specs 
> (https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html).
> - if we need to add more changes to completely fix this issue and/or if 
> everything is complete on the oslo side and know since which version. I 
> guess this one[4] is related to.

To my knowledge the Oslo side is done. I think we actually added the 
necessary fields to oslo.policy (and oslo.context?) at the end of last 
cycle. I'm not sure where the Keystone side stands, but I'm sure someone 
from that team can provide an update.

Unfortunately, even if Keystone is completely finished, to consume this 
I _think_ it's going to require policy changes in all of the consuming 
services, and I don't know that any of those have happened yet. I 
believe it's a PTG topic for Keystone.

> Also due to the complexity of this issue I guess is not totally fixed on 
> the whole openstack components on stein and it can't be fully (whole) 
> backported to stable branches, but your point of view is really 
> appreciate. In other words I guess some parts are already fixed on some 
> components but some services still need to be fixed and the issue 
> partially occur on stein, so fix that on stable branches is not really 
> possible, can you confirm?

Yeah, I don't expect most of this would be backportable, especially all 
the way to Queens.

> Also I've found few related specs that I guess can be useful to track 
> the evolution:
> - 
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/capabilities-app-creds.html
> - 
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
> - 
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
> - 
> https://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html
> If I missed something useful do not hesitate to reply on and to share it 
> with us.
> [1] https://bugs.launchpad.net/keystone/+bug/968696
> [2] https://bugs.launchpad.net/keystone/+bug/1783659
> [3] https://bugs.launchpad.net/nova/+bug/1649532
> [4] https://bugs.launchpad.net/oslo.policy/+bug/1577996
> -- 
> Hervé Beraud
> Senior Software Engineer
> Red Hat - Openstack Oslo
> irc: hberaud
> Kf31yCutl5bAlS7tOKpPQ9XN4oC0ZSThyNNFVrg8ail0SczHXsC4rOrsPblgGRN+
> RQLoCm2eO1AkB0ubCYLaq0XqSaO+Uk81QxAPkyPCEGT6SRxXr2lhADK0T86kBnMP
> F8RvGolu3EFjlqCVgeOZaR51PqwUlEhZXZuuNKrWZXg/oRiY4811GmnvzmUhgK5G
> 5+f8mUg74hfjDbR2VhjTeaLKp0PhskjOIKY3vqHXofLuaqFDD+WrAy/NgDGvN22g
> glGfj472T3xyHnUzM8ILgAGSghfzZF5Skj2qEeci9cB6K3Hm3osj+PbvfsXE/7Kw
> m/xtm+FjnaywZEv54uCmVIzQsRIm1qJscu20Qw6Q0UiPpDFqD7O6tWSRKdX11UTZ
> hwVQTMh9AKQDBEh2W9nnFi9kzSSNu4OQ1dRMcYHWfd9BEkccezxHwUM4Xyov5Fe0
> qnbfzTB1tYkjU78loMWFaLa00ftSxP/DtQ//iYVyfVNfcCwfDszXLOqlkvGmY1/Y
> B8qUJhBqJ8RS2F+vTs3DTaXqcktgJ4UkhYC2c1gImcPRyGrK9VY0sCT+1iA+wp/O
> v6rDpkeNksZ9fFSyoY2o
> =ECSj

More information about the openstack-discuss mailing list