[Yahoo-eng-team] [Bug 2045974] Re: RFE: Create a role for domain-scoped self-service identity management by end users

[OpenStack Infra]

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/924132
Committed: 
https://opendev.org/openstack/keystone/commit/69d1897d0974aafc5f41b851ce61f62ab879c805
Submitter: "Zuul (22348)"
Branch:    master

commit 69d1897d0974aafc5f41b851ce61f62ab879c805
Author: Markus Hentsch <markus.hent...@cloudandheat.com>
Date:   Mon Jul 15 11:09:55 2024 +0200

    Implement the Domain Manager Persona for Keystone
    
    Introduces domain-scoped policies for the 'manager' role to permit
    domain-wide management capabilities in regards to users, groups,
    projects and role assignments.
    Defines a new base policy rule to restrict the roles assignable by
    domain managers.
    
    Closes-Bug: #2045974
    Change-Id: I62742ed7d906c92d1132251080758bb54d0fc8e1


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2045974

Title:
  RFE: Create a role for domain-scoped self-service identity management
  by end users

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When assigning individual domains to customers of an OpenStack cloud,
  customer-side self-service identity management (i.e. managing users,
  projects and groups) within a domain is a popular use case but hard to
  implement with the current default role model.

  With its current architecture, assigning the "admin" role to end users is 
very risky even if scoped [1] and usually not an option.
  Furthermore, the "admin" role already has an implicit meaning associated with 
it that goes beyond identity management according to operator feedback [2].

  The Consistent and Secure RBAC rework introduced a "manager" role for 
projects [3].
  Having a similar role model on domain-level for identity management would be 
a good complement to that and enable self-service capabilities for end users.

  Request: introduce a new "domain-manager" role in Keystone and associated 
policy rules.
  The new "domain-manager" role - once assigned to an end user in a domain 
scope - would enable them to manage projects, groups, users and associated role 
assignments within the limitations of the domain.

  [1] https://bugs.launchpad.net/keystone/+bug/968696

  [2] https://governance.openstack.org/tc/goals/selected/consistent-and-
  secure-rbac.html#the-issues-we-are-facing-with-scope-concept

  [3] https://governance.openstack.org/tc/goals/selected/consistent-and-
  secure-rbac.html#project-manager

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2045974/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp