Obsolete:Labs keystone roles
The Present
User 'foo'
Foo can log in to wikitech, gerrit, etc.
- Ldap user record
- dn: uid=foo,ou=people,dc=wikimedia,dc=org
This record is created by the ldap mediawiki plugin on wikitech during account creation.
Project 'bar'
- Ldap project record
- dn: cn=bar,ou=projects,dc=wikimedia,dc=org
- Ldap project group record
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
Both ldap groups are created by wikitech during project creation.
A labs user 'foo' in project 'bar'
Foo can log into project instances and, in some cases, view project information on wikitech.
- Member of ldap project 'bar'
- dn: cn=bar,ou=projects,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org
- Member of ldap projectgroup 'project-bar'
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org
The project membership governs wikitech access; the projectgroup membership governs instance access.
When a user is added to a project on wikitech, the OSM plugin adds the user to both groups.
A labs user 'foo' who is an admin in project 'bar'
Foo can log into project instances, view project information on wikitech, create/delete instances, create/delete addresses, service groups, security groups, etc. Foo can also add and remove members and assign roles within the project.
The 'projectadmin' role permits the creation/deletion rights listed above.
- Member of ldap project 'bar'
- dn: cn=bar,ou=projects,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org
- Member of ldap projectgroup 'project-bar'
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org
- Member of role 'projectadmin' in project 'bar'
- dn: cn=projectadmin,cn=bar,ou=projects,dc=wikimedia,dc=org
roleOccupant: uid=foo,ou=people,dc=wikimedia,dc=org
When a user is added as a project admin, wikitech adds them to the projectadmin record in ldap.
The Future
User 'foo'
- no change
Project 'bar'
- Keystone project record
- Ldap project group record
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
A labs user 'foo' in project 'bar'
- Keystone 'user' role
- role record: user 'foo' with role 'user' in project 'bar'
- Ldap project group record
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
- The OSM call to add the ldap project record will be replaced with a keystone call to assign the 'user' role to these users.
- Keystone will need some sort of callback to insert/remove ldap 'group' records as appropriate.
- OSM will have to query keystone for project membership rather than use ldap.
A labs user 'foo' who is an admin in project 'bar'
- Keystone 'user' role
- role record: user 'foo' with role 'user' in project 'bar'
- Keystone 'projectadmin' role
- role record: user 'foo' with role 'projectadmin' in project 'bar'
- Ldap project group record
- dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
- OSM will have to query keystone directly for adminship
- This user CANNOT add and remove members from a project in Horizon, because having the 'admin' role in any project gives that user admin cloud-wide.
A labs user 'foo' who is a cloud-admin
- Keystone 'admin' role
- role record: user 'foo' with role 'admin' in project 'admin'
- The 'admin' role confers all above rights as well as the rights to assign and remove roles in all projects.
Steps
- Disable the 'project' page on wikitech (or disable wikitech entirely)
- switch keystone from ldap assignment to db assignment: https://gerrit.wikimedia.org/r/#/c/244350/6
- Create admin project and user, member and projectadmin roles
- Run projectmigrate.py (WIP) to import projects from ldap into keystone
- Run rolemigrate.py (WIP) to grab ldap role data and shove it into keystone
- merge OpenStackManager patches that switch to keystone calls for role management
- re-enable wikitech
- test
- (and then, someday...)
- Add keystone callbacks to sync usergroups in ldap
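As an added illustration of what the rolemigrate step above has to compute (this is example code, not the project's rolemigrate.py): it parses the present-day ldap records described in "The Present" and derives the keystone role assignments described in "The Future", while also reporting drift between the project record and the project-<name> group, since those two gate wikitech and instance access separately. The LDIF text is constructed; 'baz' is a made-up user.

```python
# Added example (not the project's rolemigrate.py): derive the Keystone role
# assignments described above from the present LDAP records. The LDIF below
# is constructed; 'baz' is a made-up user that shows membership drift.
import re
from collections import defaultdict

LDIF = """\
dn: cn=bar,ou=projects,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org
member: uid=baz,ou=people,dc=wikimedia,dc=org

dn: cn=project-bar,ou=groups,dc=wikimedia,dc=org
member: uid=foo,ou=people,dc=wikimedia,dc=org

dn: cn=projectadmin,cn=bar,ou=projects,dc=wikimedia,dc=org
roleOccupant: uid=foo,ou=people,dc=wikimedia,dc=org
"""
BASE = "dc=wikimedia,dc=org"


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for attribute-per-line LDIF (no wrapping)."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif attr:
            current[attr].append(value)
    return entries


def uids(dns):
    """Extract uid from people DNs, ignoring anything not under ou=people."""
    return {m.group(1) for m in (re.match(r"uid=([^,]+),ou=people,", d) for d in dns) if m}


def keystone_assignments(entries, project):
    """Map LDAP membership to (user, role, project) tuples plus a drift report:
    every project member gets 'user', projectadmin occupants also 'projectadmin';
    project vs project-<name> group drift matters (wikitech vs instance access)."""
    members = uids(entries[f"cn={project},ou=projects,{BASE}"].get("member", []))
    in_group = uids(entries[f"cn=project-{project},ou=groups,{BASE}"].get("member", []))
    admin_dn = f"cn=projectadmin,cn={project},ou=projects,{BASE}"
    occupants = uids(entries.get(admin_dn, {}).get("roleOccupant", []))
    roles = sorted((u, "user", project) for u in members)
    roles += sorted((u, "projectadmin", project) for u in occupants & members)
    drift = {"wikitech_only": sorted(members - in_group),    # in project, not in group
             "instances_only": sorted(in_group - members),   # in group, not in project
             "admin_not_member": sorted(occupants - members)}  # admin but never a member
    return roles, drift
```

A projectadmin occupant who is not a project member is reported as drift rather than silently given the role, so the operator can decide before the keystone write.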