Stabilize Domain Manager Role Standard #586
base: main
Currently blocked by:
Since the upcoming SCS release R7 will be based on 2024.1 ("Caracal"), I tested the
Since the native integration of Domain Manager in upstream OpenStack won't be available before 2024.2 ("Dalmatian"), we should stabilize this standard for SCS R7 to have a transitional solution and feature availability until an SCS release will be based on 2024.2 or later. I adjusted the standard accordingly and added a note about the upcoming native integration.
Moves Domain Manager Standard from Draft to Stable Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
93e8aee
to
1df5d77
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
1df5d77
to
c93a237
Moving this PR back to draft as a result of today's IaaS community call discussion:
Split standard into standard document and implementation notes. Move the downstream policy-based implementation into the implementation notes and differentiate instructions based on the Keystone release used. Add the upstream spec to related documents and update the standard according to the latest changes. Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
I split the standard into standard and implementation notes and moved the SCS downstream implementation using API policies into the implementation notes. I rewrote the standard section and implementation notes' introduction to differentiate between OpenStack Keystone releases and also integrated some upgrade instructions about dropping the old policies. With this, the standard should now be fully agnostic concerning the Keystone version and can be applied universally. Removing the draft marker.
@@ -1,17 +1,27 @@ | |||
--- | |||
title: Domain Manager configuration for Keystone | |||
type: Standard | |||
status: Draft | |||
status: Stable | |||
stabilized_at: 2024-08-30 |
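Review bot: `stabilized_at: 2024-08-30` in the front matter is fixed before the merge, so it will be wrong if the PR lands on any other day; set it in the final commit to the date the standard actually becomes stable. The same front matter moves `status` from `Draft` directly to `Stable`, so the PR description should point to where that decision was taken.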
Please do not forget to update the date, when merging :)
Oh and did we discuss to stabilize this?
Overall a good split. I have made a few comments inline.
|
||
The "`is_domain_managed_role`" rule of the above policy template may be adjusted according to the requirements of the CSP and infrastructure architecture to specify different or multiple roles as manageable by Domain Managers as long as the policy rule adheres to the following: | ||
In case the Identity API was upgraded from an older version where the policy-based Domain Manager implementation of SCS described in the [implementation notes for this standard](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-w1-domain-manager-implementation-notes.md) was still in use, the policies described there MUST be removed (except for the "`is_domain_managed_role`" rule). |
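Review bot: the MUST in the added upgrade sentence identifies what to delete only as "the policies described there", so an operator cannot tell from this document which rule names have to leave the policy file and which single rule stays. Name the affected rules (or the section of the implementation notes that lists them) directly in this sentence, and say explicitly that `is_domain_managed_role` is the one override that is kept. The link also targets `blob/main`, which will drift if the implementation notes are renamed or restructured; a relative link within the repository would be more stable.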
Is that 'is_domain_managed_role' not added by upstream? Or do you mean to include ONLY adjustments that have been made to that rule?
In the latter case, could you state this more clearly in the standard?
Good point. I rephrased this. Can you recheck please?
"identity:add_user_to_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.user.domain_id)s) or rule:base_add_user_to_group or rule:admin_required" | ||
``` | ||
|
||
Note that the policy file begins with a list of "`base_*`" rule definitions ("Section A"). |
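Review bot: in the `identity:add_user_to_group` rule, the `or rule:base_add_user_to_group` branch makes the effective permission depend on the `base_*` definitions in "Section A", which the note below the code block mentions only in passing. State next to that note which Keystone release those `base_*` definitions correspond to and that they have to be kept in line with the release in use, because that branch grants access independently of the `token.domain.id` checks in the first branch.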
Something seems to be wrong with the text here - it shows up like it is still part of the code block. At first sight I don't see why this is happening - but this may lead to problems displaying this document.