Bug 1041955

Summary: [RFE][keystone]: Super inherited roles and assignments
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/super-inherited-roles-and-assignments
Whiteboard: upstream_milestone_none upstream_status_unknown upstream_definition_obsolete
Doc Type: Enhancement
Story Points: ---
Last Closed: 2015-03-19 17:26:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description RHOS Integration 2013-12-12 20:16:55 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/super-inherited-roles-and-assignments.

Description:

https://blueprints.launchpad.net/keystone/+spec/inherited-domain-roles

The above BP (which is already implemented in keystone) helps a cloud admin set up a one-off inherited role on a customer's domain; this way a cloud provider (admin user) can scope his/her token to a customer domain and do some admin work on behalf of the customer. This solution works well for small-scale cloud deployments where the number of customer domains is small (in the 100s), but for large-scale cloud deployments this solution (one-off inherited role assignment) is not scalable, as the number of customer domains is in the multiple 1000s.

To resolve this problem we want to introduce a notion of super inherited role assignments, which will work as below.

1. The cloud provider has to maintain a domain which will represent an admin domain (let's call it the super domain); all the cloud admins will belong to this domain.

2. A super inherited role assignment will link up a subject (user/group) with a role on all domains and all projects of a particular domain: (user/group, role_id, "all domains", "all projects").

3. A cloud admin will scope his/her token to a customer project and can gain the roles which are given through super inherited role assignments on that project.

This will help cloud providers efficiently manage their customers and resources.

Specification URL (additional information):

None
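An added illustration (not code from the blueprint or from keystone) of how project-scoped role resolution would differ under the two schemes described above: one inherited assignment per customer domain versus a single super inherited assignment. The ALL sentinel, the Assignment/Project records and the sample ids are assumptions made for this model.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

ALL = "*"  # constructed sentinel standing for "all domains" / "all projects"

@dataclass(frozen=True)
class Assignment:
    actor: str            # user or group id
    role: str
    domain: str           # domain id, or ALL for the proposed super assignment
    project: str | None   # project id, ALL, or None for a domain-level assignment
    inherited: bool = False

@dataclass(frozen=True)
class Project:
    id: str
    domain: str           # the customer domain that owns the project

def effective_roles(user: str, project: Project, assignments: Iterable[Assignment],
                    groups: dict[str, set[str]] | None = None) -> set[str]:
    """Roles a token scoped by `user` to `project` would carry under this model."""
    actors = {user} | (groups or {}).get(user, set())   # user plus its group memberships
    roles: set[str] = set()
    for a in assignments:
        if a.actor not in actors:
            continue
        # ordinary assignment made directly on this project
        direct = a.domain == project.domain and a.project == project.id
        # existing inherited-domain-roles BP: a domain-level assignment flagged
        # inherited flows down to every project of that one domain only
        domain_inherited = a.inherited and a.domain == project.domain and a.project is None
        # proposed super inherited assignment: one record covering all domains/projects
        super_inherited = a.inherited and a.domain == ALL and a.project == ALL
        if direct or domain_inherited or super_inherited:
            roles.add(a.role)
    return roles

def one_off_assignments(actor: str, role: str, domains: Iterable[str]) -> list[Assignment]:
    """What the current scheme needs: one inherited assignment per customer domain."""
    return [Assignment(actor, role, d, None, inherited=True) for d in domains]

# The single record the RFE proposes for the admin group of the super domain.
SUPER = Assignment("super-domain-admins", "admin", ALL, ALL, inherited=True)
```

Because that one record grants the role on every customer project, creating it and changing membership of the super domain's admin group are the events worth auditing most closely.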