
Update the default roles spec to include Rocky details

Since we're not going to get everything detailed in this specification
done in Rocky, we should update the spec to clarify what we did get
done and what we plan to pick up in subsequent releases.

Change-Id: Ife2089167354b9e1c918dd9219aff5e5ff66e856
Lance Bragstad 9 months ago
parent
commit
b05d80a97a
1 changed files with 17 additions and 0 deletions

specs/keystone/rocky/define-default-roles.rst

@@ -49,6 +49,21 @@ operators in ways that are consistent with changing configuration options.
49 49
 This specification proposes that Keystone enhance the basic RBAC experience
50 50
 by incorporating the following default roles into its default policies.
51 51
 
52
+The work detailed here can be separated into two initiatives. The first is
53
+ensuring the defaults proposed are available to operators after installation.
54
+The second is incorporating those available roles into default policies across
55
+services. Note that the first initiative was targeted and completed in the
56
+Rocky release. While this specification does go into detail describing the
57
+second initiative, it will be implemented in a subsequent release (likely Stein
58
+or later). The second initiative specifically within keystone will require
59
+landing a large refactor cleaning up technical debt and moving keystone to
60
+using `flask <https://bugs.launchpad.net/keystone/+bug/1776504>`_ instead of a
61
+home-grown WSGI implementation. It is imperative to land this refactor prior to
62
+starting the second initiative because it will make treating RBAC across
63
+different scopes like formal business logic across the Manager layers within
64
+keystone subsystems, as opposed to obfuscating more complexity into the
65
+``@controller.protected`` decorator that is currently used by most APIs.
66
+
52 67
 Our goal is that this work will serve as a template which other services may
53 68
 use to adopt the proposed default roles in a future `community goal
54 69
 <https://governance.openstack.org/tc/goals/>`_.
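Review bot: The last sentence of the added paragraph (new lines 61-65) never completes its verb: "it will make treating RBAC across different scopes like formal business logic across the Manager layers" has no complement, so the reason the refactor must land first is left unstated. Something like "because it will let us treat RBAC across different scopes as formal business logic in the Manager layers" would read cleanly. Two smaller points: the link text `flask` at new line 60 points at a Launchpad bug rather than at Flask itself, so it would be clearer to word it as the tracking bug for the move. And because the paragraph says the roles are available in Rocky while their incorporation into default policies is deferred, it would help operators if the text stated plainly what assigning these roles does and does not authorize in Rocky.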
@@ -255,6 +270,8 @@ This work is dependent on the following:
255 270
   <https://governance.openstack.org/tc/goals/queens/policy-in-code.html>`_
256 271
   all policies in code
257 272
 
273
+* `Use flask <https://bugs.launchpad.net/keystone/+bug/1776504>`_
274
+
258 275
 The work detailed in this specification will be supplemented with policy work
259 276
 being done in oslo and keystone:
260 277
 
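Review bot: The bullet added at new line 273 sits under "This work is dependent on the following" with no qualification, but the paragraph added in the first hunk says only the second initiative waits on the flask refactor, while the first initiative was already completed in Rocky. Suggest qualifying the bullet so it names the part of the work that is blocked. The link text "Use flask" also does not tell the reader that the target is a bug report, so a short description after the link, in the style of the "all policies in code" entry above it, would help.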
