Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm. Add logging
of domain name in contexts where this is relevant.
Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.
Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.
Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.
Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.
This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before. This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.
Services and charms that has made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment. The first charm to make
use of this is charm-ceilometer.
Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c
5de1770931