[RFE] Domain-defined RBAC

@Kourosh,

Isn't this the same as setting the network's attribute 'shared' as True. Please see the section titled "How the ‘shared’ flag relates to these entries" in this on-line document: http://docs.openstack.org/draft/networking-guide/config-rbac.html

Since this is a questions rather than a bug report, I am flagging it as invalid

@Miguel,

No, use shared or external allow all project to use the ressource whithout considering their domain_id.

I need to limit an RBAC to a domain_id not only a project_id.

I update the status to new again because I add some informations, this ticket is not a simple question. I see that RBAC are made to filter network share to specific tenant but it doesn't consider domain (see database schema above).

Domain can be used in CLI but it is only used to filter tenants on RBAC creation (see the API call during RBAC creation above).

kevinbenton should be able to triage this further.

This is definitely an RFE.

Can a project's domain ever change? If not, this should be a reasonable feature to implement.

I think this is not a bug at all, you can just set property 'shared = true' of network

Hi, this is not a bug, this is a request to change. Current architecture doesn't allow to share a network to a specific domain.

If I use "shared = true", all project from all domain are affected. But I have a use case where I have to share a network to all project belonging to domain A only.

@kevinbenton

About the ability to change the domain of an existing projet, keystone API V3's ref mention this:

"The ability to change the domain of a project is now deprecated, and will be removed in subequent release. It is already disabled by default in most Identity service implementations."

source: https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=update-project-detail

I agree that this is a reasonable request.

We are making a change to include domain information to neutron context object and RBAC mechanism can refer to it.

> Can a project's domain ever change? If not, this should be a reasonable feature to implement.
Agree. if a project domain is changed after a port is created, the situation would be complicated.

@kourosh: are you open to working on addressing this gap as you identified? If so, I think a spec would be a useful way to document how we expect this work from end to end. If not, then we'd need to find volunteers.

@armando Yes, i am able to make a spec about it.

Fix proposed to branch: master
Review: https://review.openstack.org/452677

Fix proposed to branch: master
Review: https://review.openstack.org/452680

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/452680
Reason: duplicate of https://review.openstack.org/452677

Fix proposed to branch: master
Review: https://review.openstack.org/466711

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/466711
Reason: Duplicate of I13d5fa308a99c7e0009f26dc582d601965db509a

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/452677
Reason: Abandon because this feature will be handle has a fix. Current middelware doesn't populate context with full project hierarchy (all project parent + domain). When this will be done, fix must be made to neutron:
1 Fix project argument/paremeter validation for API and CLI to allow domain (because domain must be deal like a special project (keystone logic))
2 Fix filtering to check updated context (with all parent project if exist and domain)
3 Update doc

This feature (enabling rbacs to be created for an entire domain) would be handy to have. I'd like to raise this possibility again.

As the change has obviously been abandoned some time ago, I'll change the status from "In Progress" to "New".

There is no one assigned to this bug, and I would have never noticed it if not for doing bug cleaning.

The first thing we should do is involve Slawek to see if any of the RBAC work in the base few releases addresses any of the concerns here. If it does then we might be all set. If not we'll need someone to take ownership, I'm just not sure who that would be.

Hi,

All the work related to Secure-RBAC in last few cycles was actually related to "different RBAC" (I know that naming is confusing here). We were working on new API policy RBACs and this request is about sharing neutron resources using Neutron's RBAC mechanism.
AFAIK there is nothing done to support domains in the Neutron API nor RBAC mechanism so if this is requested feature, we will need ownership who will do initial triage of the bug, check if the domain info is now in the neutron_context object how it should be I guess. Then we may need a spec as this may require api extension and probably some api changes as well.