Update Domain Manager standard to keep enforce_scope and enforce_new_defaults disabled #585

Closed

markus-hentsch

As long as the Domain Manager persona is not fully integrated upstream[1][2], we need to implement it using policy adjustments only.

This makes it incompatible with the new enforce_scope and enforce_new_defaults options of oslo.policy in Keystone.
The options are still disabled per default currently but are planned to be the new default in the future.

Since it is currently unknown when the upstream contribution work will conclude, we might see the options becoming the new default before we get the persona upstream.
So for the standard to be future-proof, we should mandate to keep the conflicting options disabled.

This will not change existing infrastructures as it matches current defaults.

Footnotes

  1. https://bugs.launchpad.net/keystone/+bug/2045974

  2. https://review.opendev.org/c/openstack/keystone-specs/+/903172

@markus-hentsch

Note that the Role Standard (#590) will most likely end up mandating to disable those options for all services in general due to their conflict with Heat[1] which SCS is in the process of officially supporting as an optional component[2].

As such, the addition to this standard seems less impactful all things considered.

Footnotes

  1. https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

  2. https://github.com/SovereignCloudStack/standards/pull/587

@markus-hentsch

> Note that the Role Standard (#590) will most likely end up mandating to disable those options for all services in general due to their conflict with Heat which SCS is in the process of officially supporting as an optional component.

This is not true anymore. Things have changed:

  • enforce_scope and enforce_new_defaults do not clash with the SCS Domain Manager implementation anymore as of Keystone 2024.2 release
  • incompatibilities of Heat with those options have been fixed

When the Domain Manager standard moves from Draft to Stable, either 2024.2 will be available or the Domain Manager persona is even already implemented upstream. This PR is obsolete now, closing.
