Skip to content

Commit ff8049f

Browse files
authored
Make Documentation Clearer (#7)
And actually up to date, and remove the ranting :D
1 parent a05bdb5 commit ff8049f

File tree

1 file changed

+26
-15
lines changed

1 file changed

+26
-15
lines changed

README.md

Lines changed: 26 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -7,45 +7,58 @@
77

88
Oslo policy generation and testing framework.
99

10+
### Compute Service
11+
12+
We need the following to be allowed (non-root):
13+
14+
* Management of quotas
15+
1016
### Network Service
1117

1218
We need the following to be allowed (non-root):
1319

20+
* Management of quotas
1421
* Provisioning of provider networks in managed projects
1522

16-
Problem with Neutron is, it has zero view of identity hierarchies.
17-
When you create a network, for example, it infers the network from the token, and that's it.
18-
There is no way to infer the domain also and allow access at that level.
19-
This may, in fact, although not proven, go all the way back to Keystone not encoding this hierarchical information in the token.
20-
Which then, basically, says that Keystone's encoding of scope in a token is totally stupid in the first place, and should be way more generalized, because having to re-authenticate in multiple scopes is a massive butt pain.
23+
### Design
2124

22-
Then, after you consider the lack of decent support for scoped policies, there is the fact that provisioning with a specific project ID is not even handled by policies at all, but hard coded, then we are in a world of pain.
25+
Problem with any service that isn't Keystone is, it has zero view of identity hierarchies.
26+
When you create a network, for example, it infers the project from the token, and that's it.
27+
There is no way to infer the domain and allow access at that level.
2328

24-
Our only remaining option is to take our domain admin `manager` role, and create a role on every project we create.
25-
Then when we want to create a network, we need to create a token bound to that project.
29+
Our only option is to take our domain admin `manager` role, and apply that role to every project we create and manage.
30+
Then, when we want to create a network, we need to create a token bound to that project.
2631
Finally, we need to allow the `manager` to create provider networks in the project.
2732

2833
## Usage
2934

3035
You first need to create a non-admin role to perform all the necessary actions.
3136
Unikorn already requires the [SCS domain admin](https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/) functionality for reduced privilege user/project creation, so we use the same role.
37+
38+
The SCS policies limit the roles that can be applied to projects by the manager, and are incompatible with how unikorn needs to work so you will want to update the following line:
39+
40+
```diff
41+
-"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s"+"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s or 'manager':%(target.role.name)s"
42+
```
43+
44+
You may also need to add a `_member_` role if you are using an old version of OpenStack and this is required by Neutron to function.
45+
3246
As an admin account:
3347

3448
```bash
3549
openstack role create manager
3650
```
3751

38-
Assuming a user has then been created, with the `manager` role on a domain, authenticate as that user scoped to the managed domain, then create a project/user:
52+
Assuming a `domain-manager` user has then been created in a `managed-domain` domain with the `manager` role on that domain, authenticate as that user scoped to the managed domain, then create a managed project:
3953

4054
```bash
41-
openstack project create --domain my-managed-domain my-project
42-
openstack user create --domain my-managed-domain my-user
55+
openstack project create --domain managed-domain managed-project
4356
```
4457

45-
Then to actually provision a provider network you need to bind the `manager` role to the project:
58+
Then to actually use the policies defined here you need to bind the `manager` role to the project:
4659

4760
```bash
48-
openstack role add --user my-manager-user --domain my-managed-domain --project my-project manager
61+
openstack role add --user domain-manager--domain managed-domain --project managed-project manager
4962
```
5063

5164
At this point, you must have [installed](#installation) the policies we define in this library, though whatever mechanism your orchestration layer provides.
@@ -55,8 +68,6 @@ Re-authenticate as the `manager` user, now scoped to the project, and create the
5568
openstack network create --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 666 my-provider-network
5669
```
5770

58-
Then, after all that, take a step back and assess your life choices and whether you should be using OpenStack in the first place...
59-
6071
### Installation
6172

6273
> [!NOTE]

0 commit comments

Comments
 (0)