2. Copyright 2015 FUJITSU LIMITED
Discussion about…
Patch: https://review.openstack.org/#/c/149930/15
• What is required to move this patch forward?
• What are the other dependencies that this brings in?
• And how does this impact other parts of Swift?
3. This slide explains
• Background
• Current approach & status
• Open discussion for implementation
• Dependencies
• Misc.
4. Background
Policy-based RBAC in OpenStack
Oslo.policy graduated from incubation as of Kilo
Project    Status         Policy file
Keystone   Supported      /etc/keystone/policy.json
Nova       Supported      /etc/nova/policy.json
Cinder     Supported      /etc/cinder/policy.json
Neutron    Supported      /etc/neutron/policy.json
Glance     Supported      /etc/glance/policy.json
Heat       Supported      /etc/heat/policy.json
Swift      Not supported  -
5. Current approach & status
Commit functional tests on master first
Background: Build the functional tests as a matrix in order to guarantee the RBAC patch [Vancouver Summit agreement]
Patches (16 patches, 803 items)
Status: Already submitted (but they now need to be rebased)
http://paste.openstack.org/show/477395/
Open discussion about devstack correspondence
https://review.openstack.org/#/c/202411/14
6. Current approach & status cont.
Continue the RBAC patch
Patch: https://review.openstack.org/#/c/149930/15
Status: Abandoned. I will re-open this patch with some fixes for Clay's comments.
http://paste.openstack.org/show/477318/
Open discussion about user I/F, especially for ACL
7. Dependencies
This patch introduces only oslo.policy
Compares the following two patterns
• Swift + KeystoneAuth (keystonemiddleware)
• Swift + this patch (keystonemiddleware + oslo.policy)
Swift requirements.txt
  dnspython>=1.9.4
  eventlet>=0.16.1,!=0.17.0
  greenlet>=0.3.1
  netifaces>=0.5,!=0.10.0,!=0.10.1
  pastedeploy>=1.3.3
  simplejson>=2.0.9
  six>=1.9.0
  xattr>=0.4
  PyECLib==1.0.7
Keystonemiddleware requirements.txt
  Babel>=1.3
  oslo.config>=2.3.0 # Apache-2.0
  oslo.context>=0.2.0 # Apache-2.0
  oslo.i18n>=1.5.0 # Apache-2.0
  oslo.serialization>=1.4.0 # Apache-2.0
  oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0
  pbr>=1.6
  pycadf>=1.1.0
  python-keystoneclient!=1.8.0,>=1.6.0
  requests!=2.8.0,>=2.5.2
  six>=1.9.0
  WebOb>=1.2.3
Oslo.policy requirements.txt
  requests!=2.8.0,>=2.5.2
  oslo.config>=2.3.0 # Apache-2.0
  oslo.i18n>=1.5.0 # Apache-2.0
  oslo.serialization>=1.4.0 # Apache-2.0
  oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0
  six>=1.9.0
All requirements are covered
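The coverage claim on the Dependencies slide can be checked mechanically. The script below is an added example (not part of the slides or the patch): it parses the three requirements.txt lists shown on that slide and reports any package oslo.policy would newly pull in, or any package it constrains differently. The helper names `parse` and `audit` are hypothetical, and constraints are compared as text, not resolved against a package index.

```python
import re

# Requirement lines copied from the Dependencies slide.
SWIFT = ["dnspython>=1.9.4", "eventlet>=0.16.1,!=0.17.0", "greenlet>=0.3.1",
         "netifaces>=0.5,!=0.10.0,!=0.10.1", "pastedeploy>=1.3.3",
         "simplejson>=2.0.9", "six>=1.9.0", "xattr>=0.4", "PyECLib==1.0.7"]
KEYSTONEMIDDLEWARE = ["Babel>=1.3", "oslo.config>=2.3.0 # Apache-2.0",
    "oslo.context>=0.2.0 # Apache-2.0", "oslo.i18n>=1.5.0 # Apache-2.0",
    "oslo.serialization>=1.4.0 # Apache-2.0",
    "oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0", "pbr>=1.6", "pycadf>=1.1.0",
    "python-keystoneclient!=1.8.0,>=1.6.0", "requests!=2.8.0,>=2.5.2",
    "six>=1.9.0", "WebOb>=1.2.3"]
OSLO_POLICY = ["requests!=2.8.0,>=2.5.2", "oslo.config>=2.3.0 # Apache-2.0",
    "oslo.i18n>=1.5.0 # Apache-2.0", "oslo.serialization>=1.4.0 # Apache-2.0",
    "oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0", "six>=1.9.0"]


def parse(lines):
    """Map normalized package name -> frozenset of version clauses."""
    reqs = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()       # drop licence comments
        if not line:
            continue
        name, spec = re.match(r"([A-Za-z0-9._-]+)(.*)", line).groups()
        name = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalization
        # A set of clauses makes ">=a,!=b" equal to "!=b,>=a".
        reqs[name] = frozenset(c.strip() for c in spec.split(",") if c.strip())
    return reqs


def audit(baselines, added):
    """Return (new packages, packages constrained differently) for `added`."""
    seen = {}
    for reqs in baselines:
        for name, spec in parse(reqs).items():
            seen.setdefault(name, set()).add(spec)
    candidate = parse(added)
    new = sorted(n for n in candidate if n not in seen)
    changed = sorted(n for n, s in candidate.items()
                     if n in seen and s not in seen[n])
    return new, changed


if __name__ == "__main__":
    # Baseline: Swift + keystonemiddleware; candidate: oslo.policy.
    print(audit([SWIFT, KEYSTONEMIDDLEWARE], OSLO_POLICY))
```

Running `audit` against Swift alone shows which packages are covered only because keystonemiddleware is already deployed.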
8. Misc.
Improve Keystone v3 token support
Background: HTTP_X_TENANT_NAME/ID are deprecated and might be removed in Mitaka, so I would like to update the current token support logic.
Patch: https://review.openstack.org/#/c/201461/
9. Misc. cont.
Remove _keystone_identity method
Background: The _keystone_identity method has been kept for backward compatibility, but there is no place in our repo that uses an identity from the method. Alistair already mentioned it in a comment in the code (one year ago), so I think it's time to remove it.
Patch: https://review.openstack.org/#/c/204050/