Bug 1041909

Summary: [RFE][keystone]: Service-scoped tokens and role assignments
Product: Red Hat OpenStack Reporter: RHOS Integration <rhos-integ>
Component: RFEsAssignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: markmc, pablo.iranzo, yeylon
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens
Whiteboard: upstream_milestone_none upstream_status_not-started upstream_definition_obsolete
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-19 17:09:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description RHOS Integration 2013-12-12 20:01:42 UTC 
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens.

Description:

This is an evolution of several prior blueprints, including:
- https://blueprints.launchpad.net/keystone/+spec/tenantless-assignments
- https://blueprints.launchpad.net/keystone/+spec/service-scoped-role-definition
- https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition
- https://blueprints.launchpad.net/keystone/+spec/auth-mechanisms-for-services

In addition, this addresses the following long-standing bug:
- https://bugs.launchpad.net/keystone/+bug/968696

In summary, the proposal is to replace "unscoped" tokens with explicitly service-scoped tokens (scoped to the identity service itself), and allow users to scope to other services to consume service-specific role assignments.

As a side effect, an "admin" assignment on a project would no longer convey global "admin"ness. This wouldn't break existing deployments unless they also use revised authorization policies which take advantage of the new attributes.

Step 1: Service-based role assignments

- assign roles to users on services
- assign roles to groups on services

Step 2: service-scoped tokens

- unscoped tokens are replaced by tokens explicitly scoped to keystone itself
- allow users to request alternate service scopes during auth

Step 3: revised policy enforcement

(this is out of scope for this bp, but included here to illustrate the roadmap)

- oslo's policy engine needs to be able to enforce service-scoped authorization
- keystone's policy.json needs to be revised to enforce service-scoped authorization

Specification URL (additional information):

https://etherpad.openstack.org/p/1Uiwcbfpxq
Comment 2 Stephen Gordon 2014-01-24 16:35:16 UTC 
Updating based on BP milesone.