As of the Havana release, keystone provides an API to list all existing role assignments in the system. However, the expansion of inherited and group assignments occurs at controller level in an inefficient way.
Filtering of the returned list of role assignments occurs at controller level, after all available entities in the system have been fetched through the manager and driver levels, which is very inefficient. This is the first problem addressed by this change proposal.
The second problem addressed is the expansion of inherited and group role assignments, which occurs at controller level when it should be placed at manager level, since that is where additional business logic belongs.
Although not explicitly addressed in this spec, having a manager level method that lists role assignments while taking account of filtering and inheritance would allow a number of other existing manager methods to use it rather than duplicate the inheritance and group processing logic, as they do today.
Basically, three main changes are proposed:
To get a global view of what the flow of operations will be after the proposed change, consider the following sequence of operations:
The performance of the list role assignments API will improve.
In terms of memory use, since only the needed data will come from the driver to the manager level, it will decrease significantly in the cases where attribute filters are provided.
Regarding computational effort, since the manager will expand only the inherited and group role assignments that match the provided filters, it will decrease significantly as well.
The list role assignments method at the assignment manager will become the single entry point for querying role assignments for a given user or group. It will notably be used when issuing a token, which currently uses alternative methods to compute effective role assignments.
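The following is an added, simplified model of the two flows compared above; it is not keystone's own code and its driver/manager interfaces, the data shapes (flat assignment dicts with a user or group, a project or domain, and an `inherited` flag) and the sample assignments are all constructed for illustration. The Havana-style flow asks the driver for every row, expands all group and inherited assignments, and only then filters; the proposed flow pushes the filters into the driver and lets the manager expand only the rows that can contribute. Both produce the same effective assignments, but the driver is instrumented to show how many rows leave storage in each case.

```python
"""Toy model of controller-level vs. manager-level role assignment expansion
(added example; shapes and interfaces are assumptions, not keystone's real ones)."""

# Constructed sample data: which domain each project lives in, group membership,
# and a handful of role assignments (user/group actor, project/domain target).
PROJECT_DOMAIN = {'proj-a': 'dom-1', 'proj-b': 'dom-1', 'proj-c': 'dom-2'}
USER_GROUPS = {'alice': ['devs'], 'bob': []}
ASSIGNMENTS = [
    {'role_id': 'member', 'user_id': 'alice', 'project_id': 'proj-a', 'inherited': False},
    {'role_id': 'reader', 'group_id': 'devs', 'project_id': 'proj-b', 'inherited': False},
    {'role_id': 'admin', 'group_id': 'devs', 'domain_id': 'dom-1', 'inherited': True},
    # Non-inherited domain role: grants nothing on the domain's projects.
    {'role_id': 'domain-admin', 'user_id': 'alice', 'domain_id': 'dom-1', 'inherited': False},
    {'role_id': 'member', 'user_id': 'bob', 'project_id': 'proj-c', 'inherited': False},
    {'role_id': 'auditor', 'user_id': 'bob', 'domain_id': 'dom-2', 'inherited': True},
]


def _matches(assignment, filters):
    """A filter value may be a single value or a collection of accepted values."""
    for key, wanted in filters.items():
        value = assignment.get(key)
        if isinstance(wanted, (list, set, tuple)):
            if value not in wanted:
                return False
        elif value != wanted:
            return False
    return True


class Driver:
    """Stands in for the storage driver: filters are applied here, so only
    matching rows leave storage (the proposed change pushes filtering down)."""

    def __init__(self, rows):
        self.rows = rows
        self.rows_returned = 0  # instrumentation to compare the two flows

    def list_role_assignments(self, **filters):
        matched = [a for a in self.rows if _matches(a, filters)]
        self.rows_returned += len(matched)
        return matched


class Manager:
    """Stands in for the assignment manager: expansion of group and inherited
    assignments happens here, and only for rows that can affect the answer."""

    def __init__(self, driver):
        self.driver = driver

    def list_effective_assignments(self, user_id, project_id):
        groups = USER_GROUPS.get(user_id, [])
        domain_id = PROJECT_DOMAIN[project_id]
        drv = self.driver
        # Direct rows on the project, for the user and for the user's groups.
        rows = drv.list_role_assignments(user_id=user_id, project_id=project_id)
        rows += drv.list_role_assignments(group_id=groups, project_id=project_id)
        # Inherited rows on the project's domain; non-inherited domain roles are
        # excluded by the filter instead of being fetched and discarded later.
        rows += drv.list_role_assignments(user_id=user_id, domain_id=domain_id, inherited=True)
        rows += drv.list_role_assignments(group_id=groups, domain_id=domain_id, inherited=True)
        # Expansion: every surviving row becomes a (user, role, project) triple.
        return sorted({(user_id, a['role_id'], project_id) for a in rows})


def old_controller_flow(driver, user_id, project_id):
    """Havana-style flow: fetch everything, expand everything, then filter."""
    expanded = set()
    for a in driver.list_role_assignments():  # no filters: every row leaves storage
        if 'user_id' in a:
            users = [a['user_id']]
        else:
            users = [u for u, gs in USER_GROUPS.items() if a['group_id'] in gs]
        if 'project_id' in a:
            projects = [a['project_id']]
        elif a['inherited']:
            projects = [p for p, d in PROJECT_DOMAIN.items() if d == a['domain_id']]
        else:
            projects = []  # non-inherited domain role: no project assignment
        for u in users:
            for p in projects:
                expanded.add((u, a['role_id'], p))
    return sorted(t for t in expanded if t[0] == user_id and t[2] == project_id)


def compare(user_id, project_id):
    """Run both flows; return (old result, old rows fetched, new result, new rows fetched)."""
    old_driver = Driver(ASSIGNMENTS)
    old = old_controller_flow(old_driver, user_id, project_id)
    new_driver = Driver(ASSIGNMENTS)
    new = Manager(new_driver).list_effective_assignments(user_id, project_id)
    return old, old_driver.rows_returned, new, new_driver.rows_returned


if __name__ == '__main__':
    for who, where in (('alice', 'proj-a'), ('alice', 'proj-b'), ('bob', 'proj-c')):
        print(who, where, compare(who, where))
```

For alice on proj-b the old flow pulls all six rows and expands them before discarding most, while the filtered flow fetches only the two rows that can contribute (the group's reader role on the project and the group's inherited admin role on the domain), which is the memory and computation saving the spec describes.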
The patches that implement this specification are already under review and may be found at the links below.