Hi all,

We created a POC that enables domain-related role checking for components that do not support domains (such as Nova and Cinder). The code can be found here: https://github.com/rodrigods/keystone/tree/domain-check

The idea is to use the HttpCheck feature: https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L849 to check if a user has a given role in a domain. The changes were made exclusively in Keystone. A service willing to use the feature just has to add the rule to its policy file.

Here is a list of the changes added to make it work:

1 - Create a new endpoint to handle the HttpCheck calls, for example:
/v3/projects/<project_id>/roles/<role_name>

2 - Add a method to handle this endpoint at Keystone:
https://github.com/rodrigods/keystone/blob/domain-check/keystone/assignment/controllers.py#L559

 * Get domain_id from target project (from given project_id)
 * Filter all role_assignments from logged user in target domain (from
   user_id in given credentials)
 * Check if role_assignments contains target role


To test it, we added the following rule into Nova's policy file:

 * "compute:create":"rule:domain_admin"
 * "domain_admin":"http://localhost:5000/v3/projects/%(project_id)s/roles/admin"

Once the request arrives at Keystone, it checks if the logged user has the /admin/ role in /project_id/'s domain.

So, what do you think? We would like your feedback before investing extra effort, such as creating the bp/spec.

--

Rodrigo Duarte Sousa
MSc candidate in Computer Science
Software Engineer at OpenStack Project HP/LSD-UFCG
Distributed Systems Laboratory
Federal University of Campina Grande
Campina Grande, PB - Brazil
http://lsd.ufcg.edu.br/~rodrigods
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
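As an added illustration (not code from the POC branch above), the following Python models the two halves of the proposal: how oslo's HttpCheck expands the `http:` rule from the policy target before calling out, and the three steps the proposed Keystone endpoint performs when answering. The project, role and assignment tables are constructed sample data, and the `user_id` credential field and the literal `True` response body are assumed from the oslo-incubator HttpCheck code linked above.

```python
import json
import urllib.parse

# Constructed sample data standing in for Keystone's assignment backend.
PROJECTS = {
    "p1": {"id": "p1", "domain_id": "d1"},
    "p2": {"id": "p2", "domain_id": "d2"},
}
ROLES = {"r-admin": "admin", "r-member": "member"}
# Each assignment is (user_id, role_id, scope_type, scope_id).
ASSIGNMENTS = [
    ("alice", "r-admin", "domain", "d1"),   # alice is admin of domain d1
    ("bob", "r-admin", "project", "p1"),    # bob is admin on project p1 only
    ("carol", "r-member", "domain", "d1"),  # carol is member of domain d1
]


def expand_check_url(rule_match, target):
    """Mimic HttpCheck: the text after 'http:' in the rule is a %-format
    string filled from the policy target dict (e.g. %(project_id)s)."""
    return ("http:" + rule_match) % target


def build_http_check_body(target, creds):
    """Form-encoded body HttpCheck POSTs: JSON 'target' and 'credentials'."""
    return urllib.parse.urlencode(
        {"target": json.dumps(target), "credentials": json.dumps(creds)})


def user_has_role_in_project_domain(user_id, project_id, role_name):
    """The three steps of the proposed Keystone endpoint. Only assignments
    scoped to the project's domain count; a project-level role does not."""
    project = PROJECTS.get(project_id)
    if project is None:
        return False
    domain_id = project["domain_id"]  # step 1: domain of the target project
    domain_role_ids = {  # step 2: the user's assignments in that domain
        role_id for (uid, role_id, scope, sid) in ASSIGNMENTS
        if uid == user_id and scope == "domain" and sid == domain_id
    }
    # step 3: does the assignment set contain the requested role name?
    return role_name in {ROLES[r] for r in domain_role_ids}


def handle_http_check(post_body, project_id, role_name):
    """Endpoint side: decode the POST, run the check, answer 'True' to allow.
    HttpCheck treats any body other than the literal 'True' as a deny."""
    form = urllib.parse.parse_qs(post_body)
    creds = json.loads(form["credentials"][0])
    allowed = user_has_role_in_project_domain(creds["user_id"], project_id, role_name)
    return "True" if allowed else "False"
```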
