
OpenStack Keystone role assignment plugin using OpenFGA

Project description

This project implements an assignment backend plugin for Keystone that stores role assignments in OpenFGA instead of the Keystone database.

Every Keystone role assignment is expected to be represented as a relation in OpenFGA (relationship-based access control, ReBAC) between a user or group and a project or domain, following the authorization model below.

model
  schema 1.1

type domain

type user
  relations
    define owner: [domain]

type group
  relations
    define member: [user, group#member]
    define owner: [domain]

type project
  relations
    define admin: [user, group#member]
    define manager: [user, group#member] or admin
    define member: [user, group#member] or admin or manager
    define owner: [domain]
    define reader: [user, group#member] or member or admin
    define service: [system]

type system
  relations
    define admin: [user, group#member]
    define member: [user, group#member] or admin
    define reader: [user, group#member] or member or admin
    define system: [user, group#member]

Delegating role assignments to OpenFGA improves the integration of OpenStack with an external IdP and authorization system, so that user authorizations for different service providers can be managed centrally (strengthening OpenStack's role as a service provider).

Installation

For the moment the project is not published to PyPI, so install it from the git repository.

Install the project into the virtual environment that contains Keystone using pip install .

Configuration

To enable the integration, make a few changes in keystone.conf:

[fga]
api_url = <OPEN_FGA_URL>
store_id = <OPENFGA_STORE_ID>
model_id = <OPENFGA_MODEL_ID>

...

[assignment]
driver = openfga

Additional considerations

  1. OpenFGA must be highly available: in this deployment style OpenStack queries OpenFGA on at least every authentication request.

  2. Having many roles requires expanding the OpenFGA authorization model to define every role as a relation. This does not scale well, but it is unavoidable because a role assignment in OpenStack is a triplet (actor-role-object).

  3. Keystone and OpenFGA both have ways of inheriting or inferring roles: role inference, group membership, domain-to-project delegation and so on. Currently Keystone does not support delegating such decisions to the backend and instead reimplements them internally. As a result, when a role is granted between an assignee and an object it is not possible to learn how this came about (a direct assignment or inheritance). It is strongly advised to keep role inference and user/group relations in sync between Keystone and OpenFGA to reduce confusion.
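The following is an added example, not code from the plugin or from Keystone. It shows how a Keystone (actor, role, target) triplet maps onto an OpenFGA relationship tuple under the model above, and uses a small in-memory stand-in for an OpenFGA store to resolve checks the way the model does: group membership (including nested group#member usersets) and the "or admin" style implications. The check returns the chain of relations that grants the role, which makes visible exactly the distinction consideration 3 says Keystone cannot see (a direct assignment versus one reached through an implied relation). The RelTuple class, LocalStore, and the user and group ids are assumptions made for this example; a real deployment sends the same tuples to the OpenFGA Write and Check APIs.

```python
"""Added example, not the plugin's own code: represent Keystone role assignments
as OpenFGA relationship tuples and resolve checks locally against the README's
authorization model (group membership plus the 'or admin' style implications),
reporting whether a role is held directly or through another relation."""
from dataclasses import dataclass

# Implications copied from the README's model, in the order the model lists them:
# "define manager: [user, group#member] or admin" -> admin implies manager, etc.
IMPLIED_BY = {
    "project": {"manager": ("admin",),
                "member": ("admin", "manager"),
                "reader": ("member", "admin")},
    "system": {"member": ("admin",),
               "reader": ("member", "admin")},
}


@dataclass(frozen=True)
class RelTuple:
    user: str      # "user:<id>" or the userset "group:<id>#member"
    relation: str  # Keystone role name == OpenFGA relation name
    object: str    # "project:<id>", "domain:<id>" or "system:<id>"


def assignment_to_tuple(actor_type, actor_id, role, target_type, target_id):
    """Map a Keystone (actor, role, target) triplet to one OpenFGA tuple.
    A group actor becomes the group#member userset so membership is resolved
    by OpenFGA rather than expanded into one tuple per user."""
    if actor_type == "user":
        user = f"user:{actor_id}"
    elif actor_type == "group":
        user = f"group:{actor_id}#member"
    else:
        raise ValueError(f"unsupported actor type {actor_type!r}")
    return RelTuple(user, role, f"{target_type}:{target_id}")


class LocalStore:
    """In-memory stand-in for an OpenFGA store (assumption for this example),
    enough to answer check() with an explanation."""

    def __init__(self):
        self.tuples = set()

    def write(self, rel):
        self.tuples.add(rel)

    def members(self, group, seen=None):
        """Users of group:<id>, following nested group#member tuples."""
        seen = seen if seen is not None else set()
        found = set()
        for t in self.tuples:
            if t.object != group or t.relation != "member":
                continue
            if t.user.endswith("#member"):
                nested = t.user[: -len("#member")]
                if nested not in seen:
                    seen.add(nested)
                    found |= self.members(nested, seen)
            else:
                found.add(t.user)
        return found

    def has_direct(self, user, relation, obj):
        """True if a tuple grants `relation` on `obj` to the user or to a group they belong to."""
        for t in self.tuples:
            if t.relation != relation or t.object != obj:
                continue
            if t.user == user:
                return True
            if t.user.endswith("#member") and user in self.members(t.user[: -len("#member")]):
                return True
        return False

    def check(self, user, relation, obj):
        """Return the chain of relations that grants `relation` on `obj`, ending
        with `relation` itself, or None. A one-element chain is a direct
        assignment; longer chains are what Keystone cannot see (consideration 3)."""
        if self.has_direct(user, relation, obj):
            return [relation]
        obj_type = obj.split(":", 1)[0]
        for parent in IMPLIED_BY.get(obj_type, {}).get(relation, ()):
            chain = self.check(user, parent, obj)
            if chain:
                return chain + [relation]
        return None


def demo_store():
    """Constructed sample data: alice is project admin directly, bob is reader
    through group membership, and carol holds nothing on project p1."""
    store = LocalStore()
    store.write(assignment_to_tuple("user", "alice", "admin", "project", "p1"))
    store.write(assignment_to_tuple("group", "ops", "reader", "project", "p1"))
    store.write(RelTuple("user:bob", "member", "group:ops"))
    store.write(RelTuple("group:ops#member", "member", "group:everyone"))  # nested group
    return store


if __name__ == "__main__":
    s = demo_store()
    for who in ("user:alice", "user:bob", "user:carol"):
        print(who, "reader on project:p1 ->", s.check(who, "reader", "project:p1"))
```

Running the block shows alice holding reader through admin and member, bob holding reader directly via the ops group, and carol holding nothing. Keeping the implication table in this code is exactly the duplication consideration 3 warns about: if the OpenFGA model changes its "or admin" clauses, anything that mirrors them locally (this example, or Keystone's own role inference) drifts out of sync.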

Download files

Source Distribution: keystone_role_assignment_openfga-0.1.0.tar.gz (108.3 kB)

Built Distribution: keystone_role_assignment_openfga-0.1.0-py3-none-any.whl

File details: keystone_role_assignment_openfga-0.1.0.tar.gz

Hashes for keystone_role_assignment_openfga-0.1.0.tar.gz
  SHA256      f42afac0baa9c80bcabbf29c8144f53b33e67b2a0abef8b33ad6ff0bb2fdeb8a
  MD5         fb9769cec72bfcd028cfd0987d89a633
  BLAKE2b-256 3a508dac24d806fc2724b5a04ea9bddf036e7d2256c1cf2d7f5a951fdde4fb6a

Provenance: attestation bundle published by release.yml on gtema/keystone-role-assignment-openfga

File details: keystone_role_assignment_openfga-0.1.0-py3-none-any.whl

Hashes for keystone_role_assignment_openfga-0.1.0-py3-none-any.whl
  SHA256      360ed18b9e3d1f823b43a10edc40854bf8180f78a07ad494a822030f8bff9c5f
  MD5         27774997aa48eae0b8037ce31ddf7f40
  BLAKE2b-256 df9535e7a92eb7d4acf57a4fa6af8302768f9a5fea9e8f735cbc28b92881e06f

Provenance: attestation bundle published by release.yml on gtema/keystone-role-assignment-openfga
