Difference between revisions of "Horizon/DomainSupport"
< Horizon
Dan Nguyen (talk | contribs) (Created page with "'''Domain Support (Work In Progress)''' '''Use Cases''' - LDAP, AD, MySQL support '''Best Practices''' - Use the same policy files all around - Create a separate domain a...") |
Dan Nguyen (talk | contribs) |
||
Line 1: | Line 1: | ||
− | + | == Domain Support (Work In Progress) == | |
− | + | === Use Cases === | |
- LDAP, AD, MySQL support | - LDAP, AD, MySQL support | ||
− | + | === Best Practices === | |
− | |||
− | |||
− | |||
− | |||
− | + | ==== Keystone v3 policy files ==== | |
+ | Horizon should use the same keystone v3 policy file as the keystone API | ||
+ | ==== An new admin domain should be created ==== | ||
+ | - Cloud Admin should have an admin role in a domain specifically created for Identity management of the system. | ||
+ | - Non-Cloud Admin users should not have a role on the default admin domain | ||
+ | |||
+ | ==== Project Admin should be avoided ==== | ||
+ | Cloud Admin and Domain Admin are the preferred "admin" personas in the context of domains | ||
+ | |||
+ | ==== Avoid mixing User Type roles ==== | ||
+ | - Domain Admin + Project Member is not supported | ||
+ | - Domain Admin + Project Admin is not supported | ||
+ | |||
+ | === Definitions === | ||
+ | |||
+ | ==== User Types / Personas ==== | ||
+ | |||
+ | ===== Cloud Admin ===== | ||
+ | domain-scoped token, scoped to the ‘default’ domain. This is assuming that user have the ‘admin’ role assigned to him for the ‘default’ domain. | ||
+ | |||
+ | ===== Domain Admin ===== | ||
+ | domain-scoped token, scoped to the given domain. This is assuming that user have the ‘admin’ role assigned to him for the given domain. Cloud Admin is also the Domain Admin for the ‘default’ domain. | ||
+ | |||
+ | ===== Project Admin ===== | ||
+ | project-scoped token, scoped to the given project. This is assuming that user have the ‘admin’ role assigned to him for the given project. | ||
+ | |||
+ | ===== Project User ===== | ||
+ | project-scoped token, scoped to the given project. This is assuming that user have at least one role assigned to him for the given project. Project User is also Project Admin only if user also have the ‘admin’ role assigned to him for the given project. | ||
+ | |||
+ | ''Note:'' | ||
+ | Domain-scoped token should NOT have access to Nova. Only project-scoped token have access to the services. Cloud Admin and Domain Admin are Keystone-specific personas and therefore only have access to Keystone APIs. | ||
Revision as of 23:34, 30 April 2015
Domain Support (Work In Progress)
Use Cases
- LDAP, AD, MySQL support
Best Practices
Keystone v3 policy files
Horizon should use the same keystone v3 policy file as the keystone API
An new admin domain should be created
- Cloud Admin should have an admin role in a domain specifically created for Identity management of the system. - Non-Cloud Admin users should not have a role on the default admin domain
Project Admin should be avoided
Cloud Admin and Domain Admin are the preferred "admin" personas in the context of domains
Avoid mixing User Type roles
- Domain Admin + Project Member is not supported - Domain Admin + Project Admin is not supported
Definitions
User Types / Personas
Cloud Admin
domain-scoped token, scoped to the ‘default’ domain. This is assuming that user have the ‘admin’ role assigned to him for the ‘default’ domain.
Domain Admin
domain-scoped token, scoped to the given domain. This is assuming that user have the ‘admin’ role assigned to him for the given domain. Cloud Admin is also the Domain Admin for the ‘default’ domain.
Project Admin
project-scoped token, scoped to the given project. This is assuming that user have the ‘admin’ role assigned to him for the given project.
Project User
project-scoped token, scoped to the given project. This is assuming that user have at least one role assigned to him for the given project. Project User is also Project Admin only if user also have the ‘admin’ role assigned to him for the given project.
Note:
Domain-scoped token should NOT have access to Nova. Only project-scoped token have access to the services. Cloud Admin and Domain Admin are Keystone-specific personas and therefore only have access to Keystone APIs.
Known Issues
- Mixing Domain Admin + Project Admin - Creating Members in the Default Admin domain - Project Admin, hide Admin Dash on purpose
Horizon Bugs
- luigi (project member, invalid Catalog Service:compute) - list_role_assignments (pure domain admin) - Group manange members (pure domain admin) - Project details (pure project admin, member) - checkboxes and actions when no actions available (member)
Next Steps
- DOA patch - Keystone patch - Fix Horzon Bugs - UX/UI - project picker, set domain context changes
Test Cases
Future
- angular goodness - persona driven workflows - keystone changes