• Type: Epic
    • Status: Resolved (View workflow)
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Epic Name:
      Identity Tenants
    • Sprint:
    • Capitalizable:


      Stories (06/02/2016)

      1. Role reduction on single tenant - REP-6339 (11/17/2017)

      1. String out extraneous data - REP-6313 (02/15/2018)

      1. Split Keystone filter - REP-6158 Resolved , REP-6390 Resolved , REP-6400 Resolved
      2. Multi-tenant Keystone filter changes - REP-6447 Resolved , REP-6578 Resolved
      3. Multi-tenant RBAC filter changes - REP-6468 Resolved , REP-6470 Resolved
      4. Repose release - REP-6563 Resolved (03/23/2018)

      1. Valkyrie filter support - REP-6550 Resolved , REP-6604 Resolved
      2. Multi-tenant RBAC filter changes - REP-6448 Resolved


      1. Documentation Recipe - REP-6607 Resolved

      Out of scope

      Only roles that match the tenant and global roles (roles that have no tenant) should go through. Roles that don't match the tenant should not go through. This means that the tenant check needs to happen pretty early on (assuming it needs to happen at all).

      Of note, the tenant checks would eliminate the identity:tenant-access thing.

      Single-tenant mode example
      Say you have a bunch of roles:

      role1: tenant1,
      role2: tenant1,
      role3: tenant2,
      role3, tenant1,
      role4 (global role)
      1. Get rid of all of the identity:tenant-access role tenants.
      2. Assume the tenant from the URI is: tenant2
      3. Output:
        • tenant: tenant2
        • roles: role4, role3

      Multi-tenant mode example
      Say you have the same roles and tenants.

      1. Assume the tenant from the URI is: tenant2
      2. Output:
        • tenant: tenant2;q=1, tenant1;q=0.5,tenant1;q=0.5
        • roles: role4, role3

      RCN / RAN
      tenant1 / tenant2

      Proposed New Header (X-Map-Roles)
      Add new roles header with mapped data (in addition to the existing roles header that we will be keeping). This header would be generated based on the tenant checks (i.e. it is not a representation of the values straight from Identity as that value may have additional tenants that should not be given to the origin service).

      X-Map-Roles: {"tenant1": ["role2", "role1", "role4"], "tenant2": ["role3", "role4"]}

      X-Roles will contain a union of the roles of the matching tenants.

      We're going to pass the Identity token through a request attribute.


      resource="/foo/to/bar/{RCN}/{notRCN}" rax:roles="admin/{RCN}"

      What about this header? Send in the RCN and the RAN.

      Single Tenant Mode
      In single tenant mode, we only match on one tenant, so however we solve multi-tenant mode, it should work for single tenant mode, just with n = 1. Always pass applyRcnRoles to Identity in single tenant mode. Right now it's a configurable parameter in Repose, but in single tenant mode, it doesn't break anything to leave it on and makes things easier for us.

      Lint script
      One task will need to be to add a check in the Lint script to verify that the identity:tenant-access role is not configured in an API's WADL.




            • Assignee:
              mario.lopez Mario Lopez
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: