Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Domain Manager role standard (issues#184) #343

Merged
merged 17 commits into from
Oct 11, 2023
Merged

Domain Manager role standard (issues#184) #343

merged 17 commits into from
Oct 11, 2023

Conversation

markus-hentsch
Copy link
Contributor

@markus-hentsch markus-hentsch commented Sep 13, 2023
edited
Loading

Adds a standard for the Keystone API policy configuration to introduce the domain-manager role as per SovereignCloudStack/issues#184

It includes extensions for Keystone groups and therefore closes SovereignCloudStack/issues#383

@markus-hentsch markus-hentsch changed the title WIP: Domain Manager role standard WIP: Domain Manager role standard (issues#184) Sep 13, 2023
@anjastrunk anjastrunk self-requested a review September 14, 2023 11:33
@fkr fkr added the Sprint Ljubljana Sprint Ljubljana (2023, cwk 38+39) label Sep 20, 2023
@fkr
Copy link
Member

fkr commented Sep 20, 2023

Reviews more than welcome.

anjastrunk
anjastrunk approved these changes Sep 20, 2023
View reviewed changes
Copy link
Contributor

@anjastrunk anjastrunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A standard documented excellently.

@anjastrunk anjastrunk mentioned this pull request Sep 21, 2023
Merged
@anjastrunk anjastrunk added the SCS-VP10 Related to tender lot SCS-VP10 label Sep 21, 2023
artificial-intelligence
artificial-intelligence approved these changes Sep 21, 2023
View reviewed changes
Copy link
Contributor

@artificial-intelligence artificial-intelligence left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; I guess you can remove the "WIP".

@markus-hentsch
Copy link
Contributor Author

@anjastrunk, @artificial-intelligence thank you for reviewing this draft!

I guess you can remove the "WIP"

Not yet. I'm still busy implementing extensive tests (on a dedicated domain-manager-role-tests branch) that are able to validate the conformance of the standard and secure implementation of the policy via the API. While doing so I'm still refining the policy definitions due to edge cases I'm discovering during test implementation.

josephineSei
josephineSei reviewed Sep 25, 2023
View reviewed changes
Copy link
Contributor

@josephineSei josephineSei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks good to me. Inline I have a few comments

Standards/scs-0302-v1-domain-manager-role.md Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Outdated Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Outdated Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Outdated Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Outdated Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Show resolved Hide resolved
Standards/scs-0302-v1-domain-manager-role.md Show resolved Hide resolved
@markus-hentsch
Copy link
Contributor Author

I'm unable to fix the last two linter errors because the links that it complains being dead will only become valid once the PR is merged.

@markus-hentsch markus-hentsch changed the title WIP: Domain Manager role standard (issues#184) Domain Manager role standard (issues#184) Sep 28, 2023
@markus-hentsch markus-hentsch force-pushed the domain-manager-role branch 3 times, most recently from 272ee92 to 49e7506 Compare October 11, 2023 08:08
@markus-hentsch
Add draft for scs-0302: Domain Manager role standard
5901b4b 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Add two links to related upstream documents and corresponding summaries
ecddda2 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Move away from bare links to appease the linter
25c21ad 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Fix syntax for is_domain_managed_role policy rule
ef49afa 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Support OpenStack SDK role assignments per role id
cc12268 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Allow domain-level role grants for groups
b6944ce 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Allow domain-level role grants for users
dc54c06 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Allow list_user_projects within domain
41572d7 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Domain Manager role tests (#348)
f02607a 
Add test suite for Domain Manager role

Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Fill the 'Conformance Tests' section
717502a 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Include decision record as an appendix
1bd9afb 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Allow flexibility for the roles a Domain Manager can assign/revoke
a495e1a 
Implements and documents the decision of the Team IaaS and Team IAM
meetings from 2023-09-27.

Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Apply suggestions from code review
02a4a6f 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Update design considerations according to new role flexibility
bfbc4ea 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Rephrase and extend some sections to address review feedback
0da95bf 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Address linter errors
ca5df27 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
For Domain Manager tests add role creation to README
fa5d4fb 
Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch markus-hentsch merged commit b13195e into main Oct 11, 2023
3 of 4 checks passed
@markus-hentsch markus-hentsch deleted the domain-manager-role branch October 11, 2023 08:12
@markus-hentsch markus-hentsch mentioned this pull request Oct 19, 2023
Closed
jschoone pushed a commit that referenced this pull request Dec 1, 2023
@mbuechse
Extend scs-0003: more context and process (resolves issues/#343) (#329)
3bcd99f 
* added lots of context in the introduction
* introduced the distinction between "certificate" and "certificate type"
* improved misleading wording in the motivation
* rectified incorrect section levels
* added process description (governance)
* drop misleading sentence from scs-0001
* included intended length of grace period

Signed-off-by: Matthias Büchse <[email protected]>
This was referenced Jun 20, 2024
Closed
Open
@markus-hentsch markus-hentsch mentioned this pull request Aug 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josephineSei josephineSei josephineSei approved these changes

@anjastrunk anjastrunk anjastrunk approved these changes

@artificial-intelligence artificial-intelligence artificial-intelligence approved these changes

Assignees

@markus-hentsch markus-hentsch

Labels
SCS-VP10 Related to tender lot SCS-VP10 Sprint Ljubljana Sprint Ljubljana (2023, cwk 38+39)
Projects
Sovereign Cloud Stack
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adjust keystone policy.yaml to allow "domain-manager" to manage groups.
5 participants
@markus-hentsch @fkr @artificial-intelligence @anjastrunk @josephineSei