Skip to content

Keystone: RoleAssignment Controller#774

Draft
dlaw4608 wants to merge 2 commits intok-orc:mainfrom
dlaw4608:role_assignment
Draft

Keystone: RoleAssignment Controller#774
dlaw4608 wants to merge 2 commits intok-orc:mainfrom
dlaw4608:role_assignment

Conversation

@dlaw4608
Copy link
Copy Markdown
Contributor

@dlaw4608 dlaw4608 commented May 1, 2026

This RoleAssignment follows a similar pattern to Kubernetes RBAC RoleBindings

The RoleAssignmentResourceSpec enforces:

  • XOR validation: Exactly one of userRef OR groupRef must be set
  • XOR validation: Exactly one of projectRef OR domainRef must be set
  • Immutability: The entire spec is immutable after creation (like Kubernetes RoleBinding's roleRef)

Created 3 KUTTL E2E test suites for verification

References:

dlaw4608 added 2 commits April 20, 2026 17:09
@dlaw4608
Initial Commit Used Scaffolding tool to create skeleton RoleAssignmen…
d80cf95 
…t Controller

Signed-off-by: Daniel Lawton <dlawton@redhat.com>
@dlaw4608
RoleAssignmet Controller:
1494538 
Immutable spec: Role assignments can't be modified after creation (matching Kubernetes RBAC)
Synthetic ID: Format role:<id>:user:<id>:project:<id> since OpenStack doesn't assign IDs to role assignments
Deletion guards: All dependencies (Role, User/Group, Project/Domain) are protected from deletion while in use

Signed-off-by: Daniel Lawton <dlawton@redhat.com>
@github-actions github-actions Bot added the semver:major Breaking change label May 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

semver:major Breaking change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dlaw4608