feat: Rework domain-manager standard #879
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,143 @@ | ||
| --- | ||
| title: Domain Manager adoption notes | ||
| type: Standard | ||
| track: IAM | ||
| status: Draft | ||
| replaces: scs-0302-v1-domain-manager-role.md | ||
| --- | ||
|
|
||
| ## Introduction | ||
|
|
||
| After the domain manager persona has been implemented certain issues in the | ||
| standard adoption and verification started being raised by CSPs: | ||
|
|
||
| - Not every CSP is using domains to separate customers. | ||
|
|
||
| - CSP may rely on the Identity federation in which case it is impossible or is | ||
| prohibited to manage identities on OpenStack side (OpenStack is a service | ||
| provider and not an identity provider). | ||
|
|
||
| - CSP may customize authorization policies in a different way so that domain | ||
| manager can not be implemented by simply reusing the upstream implementation. | ||
|
|
||
| As such simple enforcement of the Domain Manager persona can not be achieved. | ||
|
|
||
| This standard clarifies base standard and splits requirements into recommended | ||
| and mandatory to provide better granularity while still giving guidance with | ||
| the goal to provide a smooth user experience for the end users. | ||
|
|
||
| Requiring customer to use CSP specific APIs to manage identity data is | ||
| contradicting the idea of standardization as such. It hinders customers from | ||
| having a smooth user experience across different cloud providers forcing them | ||
| to adapt their management strategies on such clouds. Moreover it represent a | ||
| lock-in what is contradicting with the idea of SovereignCloudStack. | ||
|
|
||
| ### Mandatory capabilities | ||
|
|
||
| #### Assign roles to users/group on projects/domain | ||
|
|
||
| One of the main initial concerns of the Domain Manager was the ability of the | ||
| customer to manage user permissions in a self-service manner. OpenStack | ||
| Keystone provides an easy possibility to smoothly integrate role assignments | ||
| with arbitrary external systems in a transparent way (a role assignment backend | ||
| plugin can be provided to persist assignments in any external system). As such | ||
| this capability MUST be supported by the CSP using OpenStack APIs or role | ||
| assignments. | ||
|
|
||
| #### Project creation | ||
|
|
||
| Another important requirement was to provide self-service capability for | ||
| customers to create projects as desired without requesting CSP support. This | ||
| capability MUST be available using native cloud APIs. | ||
|
There was a problem hiding this comment. This will lead to problems and effort for providers who have external processes on projects or use external processes to create/manage projects. There was a problem hiding this comment. Same thoughts as @berendt here. In our current lifecycle, a project including any pricing / billing metadata needs to be created externally (outside of Keystone). We would prefer not to change this, nor do we have any need for this coming from our customers There was a problem hiding this comment. I do not think that somebody is preventing user to create K8 namespace from kubernetes directly. Why should all of a sudden this is then causing problems on OpenStack? In my eyes this is just a wrong integration. As an OpenStack user (on a daily basis) I am incredibly frustrated by inability to create projects using native OpenStack API. I come to the CSP for OpenStack UX and I can't use it. There was a problem hiding this comment. As a user spending 50% of my day in OpenStack managing complex infrastructures always have the necessity to manage projects on my own without exiting boundaries of OpenStack. I (with my customer hat on) am always incredibly frustrated and angry when I can't do this. There was a problem hiding this comment. Perhaps it would be useful if other CSPs can give some insights here, for us we don't really have customers that feel the way about this as you do. Only from "don't need" to "nice to have" |
||
|
|
||
| #### Project editing | ||
|
|
||
| Customer must be able to activate or deactivate project access without | ||
| requesting CSP support. This capability provides possibility to temporarily | ||
| disable users to authorize into certain project by modifying `enabled` property | ||
| of the project. Further control of the project name, description, options and | ||
| tags MUST be provided to the customer using native Keystone API. | ||
|
There was a problem hiding this comment. This will also cause a stale state between Keystone and the CSPs source of truth, unless we build even more CSP-specific glue for backsynching this. I see why this is important, but realistically and according to various certification requirements, this needs to be implemented at a CSP level. Let's say Bob gets their account disabled There was a problem hiding this comment. I strongly disagree here. If the process is working like that - it is wrong. I call your support, request deletion of a server in your account and they just do it? CSP MUST implement validation of support requests. Imagine I am a customer bringing my own LDAP with 1000 users. Does that automatically mean I can not manage them on my side? Or does that mean that any of those 1000 users can request whatever they want? There was a problem hiding this comment. As a CSP we handle authorisation of user accounts in systems other than keystone. I'd argue that this is common practise pretty much everywhere. When a support case comes in, the support system shows what the requestor is authorised do to. We can and will not change this. It is part of multiple certifications. But discussing business processes should be beyond the scope of SCS anyways. |
||
|
|
||
| :::info | ||
|
|
||
| Project deletion using Keystone API is not mandatory since CSP may have certain | ||
| expectations on the resources cleanup. This requirement is described in detail | ||
| in a dedicated chapter. | ||
|
|
||
| ::: | ||
|
|
||
| ### Recommended capabilities | ||
|
|
||
| Relying on the Identity federation conceptually changes ways of identity | ||
| resource management. This makes it impossible to fulfill them as MUST | ||
| requirements. This chapter describes remaining capabilities of the initial | ||
| Domain Manager as SHOULD implement. | ||
|
|
||
| #### Domains usage | ||
|
|
||
| It is strongly suggested to rely on the Domain concept of Keystone to implement | ||
| multi-tenancy. | ||
|
|
||
| Usage of domains by itself allows to implement a form of self-service management | ||
| by the customer. Only identity resources are owned by domains (with projects | ||
| being also identity resources). Other services use projects for resources | ||
| isolation. They do not need to be domain aware. | ||
|
|
||
| Using domains allows implementing [domain | ||
| limits](https://docs.openstack.org/keystone/latest/admin/unified-limits.html#domain-limits) | ||
| which allow to set a global resources limit for the customer. Without domains | ||
| specific limits artificial control of the overall customer consumption must be | ||
| implemented. | ||
|
|
||
| #### User management | ||
|
|
||
| User management (creation, activation, deactivation, deletion) SHOULD be | ||
| possible using OpenStack APIs. | ||
|
|
||
| When an external IdP is being used (IdP federation) there is still an | ||
| expectation that local users may be required by customers. As such, creation of | ||
| users (pre-creating federated users or regular local users) within customer | ||
| domain SHOULD be possible. Keystone does not allow certain operations on | ||
| federated users (i.e. password change, MFA, name) as such allowing customers to | ||
| manage users using OpenStack APIs should not conflict with any additional | ||
| requirements. | ||
|
|
||
| Security requirements on the customer side or on the CSP side to only allow | ||
| federated users to consume platform services was used as the limitating factor | ||
| forcing degrading of the capability requirement. | ||
|
|
||
| #### Group management | ||
|
|
||
| Management of groups SHOULD be possible using OpenStack APIs. | ||
|
|
||
| In the case of federated Identities the possibility exists that groups on the IdP | ||
| side do not match groups on the cloud provider side. In addition to that there | ||
| might be a need to combine federated and local users. This would only be | ||
| possible when groups are managed by the OpenStack. | ||
|
|
||
| It is advised to keep user groups as mapped entities between external systems | ||
| of CSP and Keystone. Upon user login (or using SCIM) user group relation may be | ||
| synchronized between both platforms. | ||
|
|
||
| #### Project deletion | ||
|
|
||
| As described above project deletion may be implemented differently by CSPs. | ||
| There are few ways of achieving that: | ||
|
|
||
| - Forbid project deletion when resources (i.e. VMs) are still provisioned | ||
| inside of those projects. This scenario assumes that the customer is | ||
| responsible for cleaning projects before their deletion. | ||
|
|
||
| - Automatically purge all project resources by the CSP when project deletion | ||
| request is received. In this scenario CSP is implementing custom functionality | ||
| to delete all resources before deleting the project. | ||
|
|
||
| - Leave orphaned resources. In this scenario project is being deleted by the API | ||
| with custom cleanup procedures being responsible for dropping orphaned resources. | ||
|
|
||
| Leaving orphaned resources MAY NOT be allowed. | ||
|
|
||
| Forbidding project deletion making customer responsible for the cleanup SHOULD | ||
| be preferred since it allows preventing the accidental deletion of the | ||
| resources. Supplementary methods for purging project resources MAY be offered by | ||
| the CSP. | ||
|
There was a problem hiding this comment. To avoid a race condition (be it with checking for existing resources to reject project deletion if there are still resources or be it with deleting the resources automatically), we would need a two phase commit: |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be noteworthy that - even though this is technically possible, it won't always be feasible for CSPs and would require extra work to build the glue between keystone and the external systems
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's technically a 100-200 lines of python code depending on the desired integration. I repeat - I (user) come for OpenStack UX, why can't I have it? When CSP is not capable to integrate OpenStack into their business system without disrupting the designed flows they simply should not do this at all.