Stabilize Domain Manager Role Standard #586
Conversation
|
Currently blocked by:
|
Since the upcoming SCS release R7 will be based on 2024.1 ("Caracal"), I tested the
Since the native integration of Domain Manager in upstream OpenStack won't be available before 2024.2 ("Dalmatian"), we should stabilize this standard for SCS R7 to have a transitional solution and feature availability until an SCS release will be based on 2024.2 or later. I adjusted the standard accordingly and added a note about the upcoming native integration. |
Moves Domain Manager Standard from Draft to Stable Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
markus-hentsch
force-pushed
the
domain-manager-stabilize
branch
2 times, most recently
from
93e8aee
to
1df5d77
Compare
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
markus-hentsch
force-pushed
the
domain-manager-stabilize
branch
from
1df5d77
to
c93a237
Compare
|
Moving this PR back to draft as a result of today's IaaS community call discussion:
|
Split standard into standard document and implementation notes. Move the downstream policy-based implementation into the implementation notes and differentiate instructions based on the Keystone release used. Add the upstream spec to related documents and update the standard according to the latest changes. Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
I split the standard into standard and implementation notes and moved the SCS downstream implementation using API policies into the implementation notes. I rewrote the standard section and implementation notes' introduction to differentiate between OpenStack Keystone releases and also integrated some upgrade instructions about dropping the old policies. With this, the standard should now be fully agnostic concerning the Keystone version and can be applied universally. Removing the draft marker. |
| @@ -1,17 +1,27 @@ | |||
| --- | |||
| title: Domain Manager configuration for Keystone | |||
| type: Standard | |||
| status: Draft | |||
| status: Stable | |||
| stabilized_at: 2024-08-30 | |||
There was a problem hiding this comment.
Please do not forget to update the date, when merging :)
There was a problem hiding this comment.
Oh and did we discuss to stabilize this?
There was a problem hiding this comment.
|
|
||
| The "`is_domain_managed_role`" rule of the above policy template may be adjusted according to the requirements of the CSP and infrastructure architecture to specify different or multiple roles as manageable by Domain Managers as long as the policy rule adheres to the following: | ||
| In case the Identity API was upgraded from an older version where the policy-based Domain Manager implementation of SCS described in the [implementation notes for this standard](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-w1-domain-manager-implementation-notes.md) was still in use, the policies described there MUST be removed (except for the "`is_domain_managed_role`" rule). |
There was a problem hiding this comment.
Is that 'is_domain_managed_role' not added by upstream? or do you mean to include ONLY adjustments, that have been mage to that rule?
In the latter case could you state this more clear in the standard?
There was a problem hiding this comment.
Good point. I rephrased this. Can you recheck please?
| @@ -1,17 +1,27 @@ | |||
| --- | |||
| title: Domain Manager configuration for Keystone | |||
| type: Standard | |||
| status: Draft | |||
| status: Stable | |||
| stabilized_at: 2024-08-30 | |||
There was a problem hiding this comment.
Oh and did we discuss to stabilize this?
| "identity:add_user_to_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.user.domain_id)s) or rule:base_add_user_to_group or rule:admin_required" | ||
| ``` | ||
|
|
||
| Note that the policy file begins with a list of "`base_*`" rule definitions ("Section A"). |
There was a problem hiding this comment.
Something seems to be wrong with the text here - it shows up like it is still part of the code block. On the first sight I don'T see why this is happening - but this may lead to problems displaying this document.
Signed-off-by: Markus Hentsch <[email protected]>
Moves Domain Manager Standard from Draft to Stable