Skip to content

Update Domain Manager standard to keep enforce_scope and enforce_new_defaults disabled#585

Closed
markus-hentsch wants to merge 1 commit intomainfrom
fix-domain-manager-scopes
Closed

Update Domain Manager standard to keep enforce_scope and enforce_new_defaults disabled#585
markus-hentsch wants to merge 1 commit intomainfrom
fix-domain-manager-scopes

Conversation

@markus-hentsch
Copy link
Contributor

@markus-hentsch markus-hentsch commented May 3, 2024

As long as the Domain Manager persona is not fully integrated upstream12, we need to implement it using policy adjustments only.

This makes it incompatible with the new enforce_scope and enforce_new_defaults options of oslo.policy in Keystone.
The options are still disabled per default currently but are planned to be the new default in the future.

Since it is currently unknown when the upstream contribution work will conclude, we might see the options becoming the new default before we get the persona upstream.
So for the standard to be future-proof, we should mandate to keep the conflicting options disabled.

This will not change existing infrastructures as it matches current defaults.

Footnotes

  1. https://bugs.launchpad.net/keystone/+bug/2045974

  2. https://review.opendev.org/c/openstack/keystone-specs/+/903172

@markus-hentsch
Mandate disabling enforce_scope and enforce_new_defaults
ff83511 
Signed-off-by: Markus Hentsch <markus.hentsch@cloudandheat.com>
@markus-hentsch markus-hentsch added the SCS-VP10 Related to tender lot SCS-VP10 label May 3, 2024
@berendt berendt mentioned this pull request May 3, 2024
Closed
@markus-hentsch markus-hentsch mentioned this pull request May 7, 2024
Merged
@markus-hentsch
Copy link
Contributor Author

markus-hentsch commented May 16, 2024

Note that the Role Standard (#590) will most likely end up mandating to disable those options for all services in general due to their conflict with Heat1 which SCS is in the process of officially supporting as an optional component2.

As such, the addition to this standard seems less impactful all things considered.

Footnotes

  1. https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

  2. https://github.com/SovereignCloudStack/standards/pull/587

@markus-hentsch
Copy link
Contributor Author

markus-hentsch commented Aug 2, 2024

Note that the Role Standard (#590) will most likely end up mandating to disable those options for all services in general due to their conflict with Heat which SCS is in the process of officially supporting as an optional component.

This is not true anymore. Things have changed:

  • enforce_scope and enforce_new_defaults do not clash with the SCS Domain Manager implementation anymore as of Keystone 2024.2 release
  • incompatibities of Heat with those options have been fixed

When the Domain Manager standard moves from Draft to Stable, either 2024.2 will be available or the Domain Manager persona is even already implemented upstream. This PR is obsolete now, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

SCS-VP10 Related to tender lot SCS-VP10

Projects

Sovereign Cloud Stack
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@markus-hentsch