For project scoped tokens that are issued for a project acting as a domain, the token should also contain is_domain=true.
In policy files today, the creation of concepts such as “domain admin” rely on the use of domain scoped tokens. Support for domain tokens doesn’t really exist outside keystone (even in horizon), which is problematic. We have already discussed (and rejected) dual scoped tokens (i.e. a token which contains both a project ID and domain ID, both set to the same ID). However, the problem of how we enable policy protected domain related operations in clients of keystone remains.
This proposal is to simply add is_domain=true to any token that is issued for a project that is acting as a domain. With that change, it would then be possible to write policy rules that today require a domain token, to instead work with regular project tokens, while still providing the same level of protection. For example, the a typical policy rule of:
"identity:create_user": "rule:admin_required and domain_id:%(user.domain_id)s"
would be replaced with:
"identity:create_user": "rule:admin_required and project_id:%(user.domain_id)s and is_domain:True"
In a similar way, this would allow a nova policy file to specify that, for instance, servers were not allowed to be created in a project acting as a domain:
"compute:create": "role:vm-manager and is_domain:False"
This simple change would allow the entire policy file to be re-written to never require domain scoped tokens, paving the way for their eventual removal.
In order for a project token to be used in this way, it must, of course, be possible to request a project scoped token for a project acting as a domain. The current issue with this is the potential ambiguity of requesting this by project name, since there could be a clash between the name of the project acting as a domain and a project somewhere in that domain. It is proposed that when request such a token by project name:
Such a proposal for requesting a token leaves open for the future the possibility of more comprehensive options such as passing in a hierarchy definition if, for example, we wanted to move to support only requiring a project name to be unique within its immediate parent.
A number of alternatives have already been discussed in other proposals, and so far have been rejected.
None
None
None
None
None
None
To take advantage of this, deployers would have to change their policy files.
None
None
None, beyond the regular unit testing.
Changes to the Identity API and configuration.rst.
None