Skip to content
This repository has been archived by the owner on Apr 27, 2022. It is now read-only.

A more flexible definition of HIL admin when using Keystone auth #814

Open
jeremyfreudberg opened this issue Jun 30, 2017 · 4 comments
Open

A more flexible definition of HIL admin when using Keystone auth #814

jeremyfreudberg opened this issue Jun 30, 2017 · 4 comments
Labels
discuss enhancement nice to have

Comments

@jeremyfreudberg
Copy link
Member

Right now (when HIL is configured to use Keystone auth) a HIL admin is a user with the admin role in Keystone. https://github.com/CCI-MOC/hil/blob/master/hil/ext/auth/keystone.py#L49

For those who are not Keystone experts, some background/clarity can be found here: #615 (comment)

Ideally the definition of HIL admin would be more flexible: the simplest solution is replacing the hard-coded admin role check to instead check for some arbitrary custom role (which could be indicated by the configuration file). This would allow cloud operators to delegate the ability to manage HIL without also delegating any extra privileges which may also be already linked to the admin role.

I'm purposely limiting the scope of this issue: there is a lot more to be said about admin-ness, roles, and policy. We could eventually get fancy with it and support something like oslo.policy.
@zenhack
Copy link
Contributor

zenhack commented Jul 1, 2017

I think making the privileged role configurable is a good idea. The patch would be trivial.

@henn
Copy link
Contributor

henn commented Jul 5, 2017

In theory, I totally agree with this. The "admin" check was a stop-gap until we had something better (which happened to agree with what OpenStack does by default IIRC).

My understanding is that roles in OpenStack services are defined by policies stored in json files.

Is this oslo.policy?

Is there a parser for these json files available via a straightforward library interface?

@jeremyfreudberg
Copy link
Member Author

@henn The JSON-stored policies consumed by OpenStack services are, in fact, oslo.policy -- which serves as both the parser of those files and can act as the enforcer of the policies within the API code.

oslo.policy is powerful - you can define policy not only by Keystone role, but also by membership in Keystone project/domain, being a specific user, etc. And the rules can be combined, and are per-action and per-method.

To quote myself:

I'm purposely limiting the scope of this issue

oslo.policy is great, but it is very OpenStacky (much more than other oslo libraries), since it is so Keystone-oriented. It's a larger discussion as to whether or not it is appropriate to introduce it to HIL. (But we can have that discussion if you want.) I think, start small with just having the single configurable role to determine admin-ness, and then we can move forward as we see fit from there.

@zenhack
Copy link
Contributor

zenhack commented Jul 9, 2017

I am very against letting any of this creeping into hil core, though I'm okay making the extension able to be smarter about how it determines admin/project access. I agree we should limit the initial scope though.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
discuss enhancement nice to have
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zenhack @henn @jeremyfreudberg @naved001