Public bug reported:

When assigning individual domains to customers of an OpenStack cloud, customer-side self-service identity management (i.e. managing users, projects and groups) within a domain is a popular use case but hard to implement with the current default role model.

With its current architecture, assigning the "admin" role to end users is very risky even if scoped [1] and usually not an option. Furthermore, the "admin" role already has an implicit meaning associated with it that goes beyond identity management according to operator feedback [2]. The Consistent and Secure RBAC rework introduced a "manager" role for projects [3]. Having a similar role model on domain-level for identity management would be a good complement to that and enable self-service capabilities for end users.

Request: introduce a new "domain-manager" role in Keystone and associated policy rules. The new "domain-manager" role - once assigned to an end user in a domain scope - would enable them to manage projects, groups, users and associated role assignments within the limitations of the domain.

[1] https://bugs.launchpad.net/keystone/+bug/968696
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept
[3] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager

** Affects: keystone
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2045974

Title:
  RFE: Create a role for domain-scoped self-service identity management by end users

Status in OpenStack Identity (keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2045974/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
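As an added illustration of the mechanism the RFE asks for (this is not code from the bug report, from the patch under review, or from keystone itself), the following Python models how oslo.policy-style check strings confine a domain-scoped role to its own domain. It contains a minimal evaluator for the check-string syntax ("role:x", "key:%(target.path)s", "rule:name", "and"/"or"/"not", parentheses) plus constructed sample rules and tokens. The rule names, rule bodies, nested target layout, identifiers and the field names on the sample credentials are all assumptions made for this example; keystone's real default policies and the rules the RFE eventually lands may differ.

```python
"""Added illustration: a "domain-manager" rule that only reaches the
caller's own domain, written in oslo.policy-style check strings.

Not keystone's code and not the RFE's patch. Rule names, rule bodies, the
nested target layout and all identifiers below are assumptions."""
import re

# Constructed sample rules (assumed, not keystone defaults).
SAMPLE_RULES = {
    "admin_required": "role:admin",
    "domain_manager_for_target": (
        "role:domain-manager and domain_id:%(target.user.domain_id)s"
    ),
    "identity:create_user": "rule:admin_required or rule:domain_manager_for_target",
    "identity:delete_user": "rule:admin_required or rule:domain_manager_for_target",
}

# Substitution atoms such as key:%(a.b)s come first because they contain
# parentheses; then "(", ")", the keywords, and any other bare atom.
_TOKEN = re.compile(r"[^\s()]*%\([^)]*\)s|\(|\)|\band\b|\bor\b|\bnot\b|[^\s()]+")


def _lookup(target, dotted):
    """Resolve a dotted path like 'target.user.domain_id' in a nested dict."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _atom(tok, creds, target, rules):
    kind, _, value = tok.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _evaluate(rules[value], creds, target, rules)
    if kind == "role":                       # role carried by the token
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:                                    # token attribute vs target attribute
        expected = _lookup(target, m.group(1))
        return expected is not None and creds.get(kind) == expected
    return str(creds.get(kind)) == value     # token attribute vs literal


def _evaluate(check_str, creds, target, rules):
    """Recursive-descent evaluation with precedence not > and > or."""
    toks = _TOKEN.findall(check_str)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def parse_or():
        v = parse_and()
        while peek() == "or":
            take()
            r = parse_and()
            v = v or r
        return v

    def parse_and():
        v = parse_not()
        while peek() == "and":
            take()
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in check string")
            return v
        return _atom(tok, creds, target, rules)

    return parse_or()


def enforce(action, creds, target, rules=SAMPLE_RULES):
    """True when the token in `creds` may perform `action` on `target`."""
    return bool(_evaluate(rules[action], creds, target, rules))


def demo():
    """Constructed tokens and targets; returns each decision by name."""
    dm_domain_a = {"roles": ["domain-manager"], "domain_id": "dom-a"}
    dm_project_scoped = {"roles": ["domain-manager"], "project_id": "proj-1"}
    admin = {"roles": ["admin"], "system_scope": "all"}
    user_in_a = {"target": {"user": {"domain_id": "dom-a"}}}
    user_in_b = {"target": {"user": {"domain_id": "dom-b"}}}
    return {
        "dm_same_domain": enforce("identity:create_user", dm_domain_a, user_in_a),
        "dm_other_domain": enforce("identity:create_user", dm_domain_a, user_in_b),
        "dm_project_scoped": enforce("identity:create_user", dm_project_scoped, user_in_a),
        "admin_any_domain": enforce("identity:delete_user", admin, user_in_b),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-18s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The point the example makes is the one the RFE relies on: the domain-manager rule is only satisfied when the token is domain-scoped (so `domain_id` is present on the credentials) and that scope equals the target's domain, so the same user holding the role under a project-scoped token, or targeting a user in another domain, is denied, while the unscoped `role:admin` check passes everywhere, which is exactly the "admin" behaviour the report wants to avoid handing to customers.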