[openstack-dev] [Keystone] Trust Specification Updated

David Chadwick d.w.chadwick at kent.ac.uk
Tue Dec 4 14:10:58 UTC 2012


Once we migrate from RBAC to a more generic ABAC, then delegation 
(currently called trusts) should allow an attribute holder to delegate 
one or more of his attributes to a delegate. So this will be more than 
the current tenant and role. This is what I think Adam means by 
arbitrary attribute. Note that it will be part of the semantic 
definition of an attribute whether it can be delegated or not. So the 
Age attribute will be defined as non-delegatable, whereas the 
groupMember attribute will be defined as delegatable. (The definition is 
provided by the Attribute Authority).

Wrt logging tokens, this is a separate issue to recording who has 
delegated what to whom. Keystone must do the latter. What is logged is 
surely a matter for the administrator to decide.

regards

David

On 04/12/2012 11:19, Bhandaru, Malini K wrote:
> Hello Adam!
>
> Not surprised that this is morphing into something like certificates, and chains and revocations! :-)
> Good work!
>
> What do you mean by arbitrary attributes in phase-2?
>
> Would we ever log tokens? If yes, might it not be possible for the wily log reader to re-create token objects
> and misuse the system?
>
> Regards
> Malini
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk]
> Sent: Tuesday, December 04, 2012 2:48 AM
> To: Adam Young
> Cc: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Keystone] Trust Specification Updated
>
> Hi Adam
>
> in terms of delegation duration, it is more common to specify a start time (defaults to now) and an end time (defaults to infinity) rather than a delta (which implies a start time of now in every case)
>
> regards
>
> David
>
>
> On 04/12/2012 04:16, Adam Young wrote:
>> On 12/03/2012 04:19 PM, David Chadwick wrote:
>>> Hi Adam
>>>
>>> yes this is nice work. I have added a few minor mods to the wiki
>>> version to pick up a few missing pieces. I have annotated these with
>>> <David> so that you can easily spot them
>>
>> Good changes all. I took two of them pretty much as is (DELETE and
>> the optional fields). I also added this
>> http://wiki.openstack.org/Keystone/Trusts#Token_Format_Changes to
>> account for tracking the chain of responsibility.
>>
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> On 03/12/2012 16:34, Adam Young wrote:
>>>> I realize we have had a little bit of disagreement on what to call
>>>> this. I am going to continue to call it "Trusts" as it is a subset
>>>> of the set of mechanisms for delegation.
>>>>
>>>> I've wikified the Specification. Big thanks to David Chadwick for
>>>> making this a much better spec.
>>>>
>>>> http://wiki.openstack.org/Keystone/Trusts
>>>>
>>>> Blueprint is still at
>>>>
>>>> https://blueprints.launchpad.net/keystone/+spec/trusts
>>>>
>>>>
>>>> I will continue to work on this, to include, for example, how to
>>>> specify duration and start times, but there should be enough here
>>>> for people to understand.
>>>>
>>>> My initial write up:
>>>>
>>>> http://adam.younglogic.com/2012/10/preauthorization-in-keystone/
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

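The two design points raised in this thread, that whether an attribute may be delegated is part of the attribute's definition (age: no; groupMember: yes), and that a delegation should carry a start time defaulting to now and an end time defaulting to infinity rather than a bare duration, are easy to get subtly wrong in an implementation. The following is an added example written for this page; it is not Keystone code and not code from any participant in the thread. The catalogue entries, class names (`TrustRegistry`, `Trust`, `DelegationError`) and the users `alice`, `bob` and `carol` are all assumptions. It also keeps the "who delegated what to whom" record that David says Keystone must maintain, separately from any token logging.

```python
"""Toy model of attribute delegation ("trusts") as discussed on the list.
Added example, not Keystone's implementation; all names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional

# Assumption: the Attribute Authority publishes, per attribute, whether it
# may be delegated. This is the "semantic definition" the thread refers to.
ATTRIBUTE_CATALOGUE = {
    "age": {"delegatable": False},
    "groupMember": {"delegatable": True},
    "role": {"delegatable": True},
}


class DelegationError(ValueError):
    """Raised when a delegation request violates the attribute semantics."""


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    attributes: frozenset
    not_before: datetime            # defaults to "now" at creation
    not_after: Optional[datetime]   # None means no expiry ("infinity")


class TrustRegistry:
    """Records every delegation so 'who delegated what to whom' is answerable."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        # Injectable clock so the behaviour can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._trusts: list[Trust] = []

    def create_trust(self, trustor: str, trustee: str, attributes: Iterable[str],
                     not_before: Optional[datetime] = None,
                     not_after: Optional[datetime] = None) -> Trust:
        attrs = frozenset(attributes)
        for attr in attrs:
            spec = ATTRIBUTE_CATALOGUE.get(attr)
            if spec is None:
                raise DelegationError(f"unknown attribute {attr!r}")
            if not spec["delegatable"]:
                raise DelegationError(f"attribute {attr!r} is not delegatable")
        start = not_before if not_before is not None else self._now()
        if not_after is not None and not_after <= start:
            raise DelegationError("end time must be after start time")
        trust = Trust(trustor, trustee, attrs, start, not_after)
        self._trusts.append(trust)   # the delegation record itself
        return trust

    def create_trust_for(self, trustor: str, trustee: str, attributes: Iterable[str],
                         duration: timedelta) -> Trust:
        """Delta form: as David notes, a delta always implies a start of now."""
        start = self._now()
        return self.create_trust(trustor, trustee, attributes, start, start + duration)

    def effective_attributes(self, trustee: str, at: Optional[datetime] = None) -> set:
        """Attributes the trustee currently holds by delegation, honouring the window."""
        at = at if at is not None else self._now()
        granted: set = set()
        for t in self._trusts:
            if t.trustee != trustee or at < t.not_before:
                continue
            if t.not_after is not None and at >= t.not_after:
                continue
            granted |= t.attributes
        return granted

    def audit_trail(self) -> list:
        """Who delegated what to whom, independent of any token logging."""
        return [(t.trustor, t.trustee, sorted(t.attributes)) for t in self._trusts]


def demo() -> dict:
    """Walk through the thread's scenarios with a fixed (constructed) clock."""
    t0 = datetime(2012, 12, 4, 14, 10, tzinfo=timezone.utc)
    reg = TrustRegistry(now=lambda: t0)
    open_ended = reg.create_trust("alice", "bob", ["groupMember"])
    try:
        reg.create_trust("alice", "bob", ["age"])
        age_rejected = False
    except DelegationError:
        age_rejected = True
    reg.create_trust("alice", "carol", ["role"],
                     not_before=t0 + timedelta(hours=1),
                     not_after=t0 + timedelta(hours=2))
    return {
        "open_ended_starts_now": open_ended.not_before == t0,
        "open_ended_never_expires": open_ended.not_after is None,
        "bob_now": reg.effective_attributes("bob"),
        "bob_in_ten_years": reg.effective_attributes("bob", at=t0 + timedelta(days=3650)),
        "age_rejected": age_rejected,
        "carol_before_start": reg.effective_attributes("carol"),
        "carol_in_window": reg.effective_attributes("carol", at=t0 + timedelta(minutes=90)),
        "carol_after_end": reg.effective_attributes("carol", at=t0 + timedelta(hours=2)),
        "audit_trail": reg.audit_trail(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The registry refuses to delegate `age` because its catalogue entry says so, not because of any policy on the trustee; a future-dated trust grants nothing until its start and nothing from its end onward; and an open-ended trust is still effective years later. `create_trust_for` shows why a delta alone is less expressive: it can only ever produce a window that starts now.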