Identity Tenants

Description

Stories

8.0.0.0 (06/02/2016)

  1. Role reduction on single tenant

8.7.3.0 (11/17/2017)

  1. Strip out extraneous data

8.8.1.0 (02/15/2018)

  1. Split Keystone filter - REP-6158, REP-6390

  2. Multi-tenant Keystone filter changes - REP-6447

  3. Multi-tenant RBAC filter changes - REP-6468

  4. Repose release

8.8.2.0 (03/23/2018)

  1. Valkyrie filter support - REP-6550

  2. Multi-tenant RBAC filter changes

Future

  1. Documentation Recipe

Out of scope

  • These stories will be covered in a different epic:

    1. Lint script check for identity:tenant-access role usage

    2. Masking support - REP-6544

Description:
Only roles that match the tenant of the request, plus global roles (roles that have no tenant), should be passed through to the origin service. Roles bound to a different tenant should not go through. This means the tenant check needs to happen early in the filter chain (assuming it needs to happen at all).

Of note, the tenant checks would make the identity:tenant-access role unnecessary: once each role's tenant is compared against the tenant in the URI, a separate tenant-access grant adds nothing.

Single-tenant mode example
Say you have a bunch of roles:

  • role1: tenant1
  • role2: tenant1
  • role3: tenant2
  • role3: tenant1
  • identity:tenant-access:tenant1
  • identity:tenant-access:tenant2
  • identity:tenant-access:tenant3
  • role4 (global role)

  1. Get rid of all of the identity:tenant-access role tenants.

  2. Assume the tenant from the URI is: tenant2

  3. Output:

    • tenant: tenant2

    • roles: role4, role3

Multi-tenant mode example
Say you have the same roles and tenants.

  1. Assume the tenant from the URI is: tenant2

  2. Output:

    • tenant: tenant2;q=1, tenant1;q=0.5

    • roles: role4, role3

RCN / RAN
In the example above, the RCN is tenant1 and the RAN is tenant2.

Proposed New Header (X-Map-Roles)
Add new roles header with mapped data (in addition to the existing roles header that we will be keeping). This header would be generated based on the tenant checks (i.e. it is not a representation of the values straight from Identity as that value may have additional tenants that should not be given to the origin service).

X-Map-Roles: {"tenant1": ["role2", "role1", "role4"], "tenant2": ["role3", "role4"]}

X-Roles will contain a union of the roles of the matching tenants.

We're going to pass the Identity token through a request attribute.

rax:roles
rax:roles="role/tenant"

resource="/foo/to/bar/{RCN}/{notRCN}" rax:roles="admin/{RCN}"

X-Tenants
What about this header? Send in the RCN and the RAN.

Single Tenant Mode
In single tenant mode we only match on one tenant, so whatever solves multi-tenant mode should also work for single tenant mode with n = 1. Always pass applyRcnRoles to Identity in single tenant mode. Right now it is a configurable parameter in Repose, but in single tenant mode leaving it on breaks nothing and makes things easier for us.

Lint script
One task will be to add a check to the Lint script that verifies the identity:tenant-access role is not configured in an API's WADL.
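Evaluating the rax:roles="admin/{RCN}" rule from the section above against a request, and the Lint script check described here, as one added worked example (not Repose's code and not the Lint script itself). It assumes the WADL 2009 namespace, the Rackspace extension namespace http://docs.rackspace.com/api for rax:roles (an assumption), that a role's tenant part is either a literal or a {param} bound from the resource's path attribute, that nested resource paths are not joined (kept flat for brevity), and that the request already carries the parsed X-Map-Roles mapping from this epic. The sample WADL is constructed.

```python
"""Evaluating a rax:roles="role/{param}" rule and linting a WADL for
identity:tenant-access, as described above.

Added worked example, not Repose's or the Lint script's code. Assumes
the WADL 2009 namespace, the Rackspace extension namespace
http://docs.rackspace.com/api for rax:roles (assumed), that a role's
tenant part is a literal or a {param} bound from the resource path,
that nested resource paths are not joined (kept flat), and that the
request carries the X-Map-Roles mapping from this epic, already parsed.
"""
import re
import xml.etree.ElementTree as ET

WADL_NS = "http://wadl.dev.java.net/2009/02"
RAX_NS = "http://docs.rackspace.com/api"   # assumed extension namespace
TENANT_ACCESS_ROLE = "identity:tenant-access"

# Constructed sample WADL: the resource from the epic plus one that
# still relies on identity:tenant-access and should fail the lint.
SAMPLE_WADL = f"""<application xmlns="{WADL_NS}" xmlns:rax="{RAX_NS}">
  <resources base="https://api.example.test/">
    <resource path="/foo/to/bar/{{RCN}}/{{notRCN}}" rax:roles="admin/{{RCN}}">
      <method name="GET"/>
    </resource>
    <resource path="/legacy/{{tenant}}" rax:roles="{TENANT_ACCESS_ROLE}/{{tenant}}">
      <method name="GET"/>
    </resource>
  </resources>
</application>"""


def parse_rax_roles(value):
    """'admin/{RCN} observer' -> [('admin', '{RCN}'), ('observer', None)]."""
    rules = []
    for entry in value.split():
        role, sep, tenant = entry.partition("/")
        rules.append((role, tenant if sep else None))
    return rules


def wadl_role_rules(wadl_xml):
    """[(resource path, parsed rax:roles rules)] for every resource that has them."""
    root = ET.fromstring(wadl_xml)
    out = []
    for res in root.iter(f"{{{WADL_NS}}}resource"):
        value = res.get(f"{{{RAX_NS}}}roles")
        if value:
            out.append((res.get("path"), parse_rax_roles(value)))
    return out


def match_path(template, path):
    """Bind {params} in a WADL path template against a request path."""
    pattern = "".join(
        f"(?P<{m.group(1)}>[^/]+)" if m.group(1) else re.escape(m.group(0))
        for m in re.finditer(r"\{(\w+)\}|[^{]+", template))
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None


def is_authorized(template, rules, request_path, map_roles):
    """True if the request satisfies any rax:roles rule on the resource.

    A role/{param} rule requires the role on the tenant taken from that
    URI segment; a tenant-less rule is checked against the union of all
    mapped roles, which is what X-Roles carries.
    """
    params = match_path(template, request_path)
    if params is None:
        return False
    for role, tenant in rules:
        if tenant is None:
            granted = any(role in rs for rs in map_roles.values())
        else:
            key = params.get(tenant[1:-1]) if tenant.startswith("{") else tenant
            granted = role in map_roles.get(key, [])
        if granted:
            return True
    return False


def lint_tenant_access(wadl_xml):
    """Paths whose rax:roles still reference identity:tenant-access."""
    return [path for path, rules in wadl_role_rules(wadl_xml)
            if any(role == TENANT_ACCESS_ROLE for role, _ in rules)]


if __name__ == "__main__":
    path, rules = wadl_role_rules(SAMPLE_WADL)[0]
    roles = {"tenant1": ["admin", "role4"], "tenant2": ["role3", "role4"]}
    print(is_authorized(path, rules, "/foo/to/bar/tenant1/tenant2", roles))  # admin on the RCN
    print(is_authorized(path, rules, "/foo/to/bar/tenant2/tenant1", roles))  # admin is not on tenant2
    print(lint_tenant_access(SAMPLE_WADL))
```

The second is_authorized call is the case the tenant-scoped rule exists for: swapping the two path segments changes which tenant {RCN} binds to, and an admin role held on tenant1 must not authorize the request when the RCN in the URI is tenant2.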

Environment

None

Status

Assignee

Unassigned

Reporter

Mario Lopez

Labels

None

External issue ID

None


CoAssignee

None

Capitalizable

True

Priority

Medium

Epic Name

Identity Tenants