You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+26-15Lines changed: 26 additions & 15 deletions
Original file line number
Diff line number
Diff line change
@@ -7,45 +7,58 @@
7
7
8
8
Oslo policy generation and testing framework.
9
9
10
+
### Compute Service
11
+
12
+
We need the following to be allowed (non-root):
13
+
14
+
* Management of quotas
15
+
10
16
### Network Service
11
17
12
18
We need the following to be allowed (non-root):
13
19
20
+
* Management of quotas
14
21
* Provisioning of provider networks in managed projects
15
22
16
-
Problem with Neutron is, it has zero view of identity hierarchies.
17
-
When you create a network, for example, it infers the network from the token, and that's it.
18
-
There is no way to infer the domain also and allow access at that level.
19
-
This may, in fact, although not proven, go all the way back to Keystone not encoding this hierarchical information in the token.
20
-
Which then, basically, says that Keystone's encoding of scope in a token is totally stupid in the first place, and should be way more generalized, because having to re-authenticate in multiple scopes is a massive butt pain.
23
+
### Design
21
24
22
-
Then, after you consider the lack of decent support for scoped policies, there is the fact that provisioning with a specific project ID is not even handled by policies at all, but hard coded, then we are in a world of pain.
25
+
Problem with any service that isn't Keystone is, it has zero view of identity hierarchies.
26
+
When you create a network, for example, it infers the project from the token, and that's it.
27
+
There is no way to infer the domain and allow access at that level.
23
28
24
-
Our only remaining option is to take our domain admin `manager` role, and create a role on every project we create.
25
-
Then when we want to create a network, we need to create a token bound to that project.
29
+
Our only option is to take our domain admin `manager` role, and apply that role to every project we create and manage.
30
+
Then, when we want to create a network, we need to create a token bound to that project.
26
31
Finally, we need to allow the `manager` to create provider networks in the project.
27
32
28
33
## Usage
29
34
30
35
You first need to create a non-admin role to perform all the necessary actions.
31
36
Unikorn already requires the [SCS domain admin](https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/) functionality for reduced privilege user/project creation, so we use the same role.
37
+
38
+
The SCS policies limit the roles that can be applied to projects by the manager, and are incompatible with how unikorn needs to work so you will want to update the following line:
39
+
40
+
```diff
41
+
-"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s"+"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s or 'manager':%(target.role.name)s"
42
+
```
43
+
44
+
You may also need to add a `_member_` role if you are using an old version of OpenStack and this is required by Neutron to function.
45
+
32
46
As an admin account:
33
47
34
48
```bash
35
49
openstack role create manager
36
50
```
37
51
38
-
Assuming a user has then been created, with the `manager` role on a domain, authenticate as that user scoped to the managed domain, then create a project/user:
52
+
Assuming a `domain-manager`user has then been created in a `managed-domain` domain with the `manager` role on that domain, authenticate as that user scoped to the managed domain, then create a managed project:
Then to actually provision a provider network you need to bind the `manager` role to the project:
58
+
Then to actually use the policies defined here you need to bind the `manager` role to the project:
46
59
47
60
```bash
48
-
openstack role add --user my-manager-user --domain my-managed-domain --project my-project manager
61
+
openstack role add --user domain-manager--domain managed-domain --project managed-project manager
49
62
```
50
63
51
64
At this point, you must have [installed](#installation) the policies we define in this library, though whatever mechanism your orchestration layer provides.
@@ -55,8 +68,6 @@ Re-authenticate as the `manager` user, now scoped to the project, and create the
0 commit comments