[openstack-dev] [Keystone] Trust Specification Updated

Adam Young ayoung at redhat.com
Tue Dec 4 14:58:58 UTC 2012


On 12/04/2012 06:19 AM, Bhandaru, Malini K wrote:
> Hello Adam!
>
> Not surprised that this is morphing into something like certificates, and chains and revocations! :-)
> Good work!
Well, we already have those, but this is similar.  We have the advantage
of a centralized location to clear them, which makes it easier to
implement than a truly distributed form like X509.


>
> What do you mean by arbitrary attributes in phase-2?
See the ABAC proposal by David Chadwick.

>
> Would we ever log tokens? If yes, might it not be possible for the wily log reader to re-create token objects
> and misuse the system?
>
> Regards
> Malini
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk]
> Sent: Tuesday, December 04, 2012 2:48 AM
> To: Adam Young
> Cc: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Keystone] Trust Specification Updated
>
> Hi Adam
>
> in terms of delegation duration, it is more common to specify a start time (defaults to now) and an end time (defaults to infinity) rather than a delta (which implies a start time of now in every case)
>
> regards
>
> David
>
>
> On 04/12/2012 04:16, Adam Young wrote:
>> On 12/03/2012 04:19 PM, David Chadwick wrote:
>>> Hi Adam
>>>
>>> yes this is nice work. I have added a few minor mods to the wiki
>>> version to pick up a few missing pieces. I have annotated these with
>>> <David> so that you can easily spot them
>> Good changes all.  I took two of them pretty much as is (DELETE  and
>> the optional fields).  I also added this
>> http://wiki.openstack.org/Keystone/Trusts#Token_Format_Changes to
>> account for tracking the chain of responsibility.
>>
>>> regards
>>>
>>> David
>>>
>>>
>>> On 03/12/2012 16:34, Adam Young wrote:
>>>> I realize we have had a little bit of disagreement on what to call
>>>> this.  I am going to continue to call it "Trusts" as it is a subset
>>>> of the set of mechanisms for delegation.
>>>>
>>>> I've wikified the Specification.  Big thanks to David Chadwick for
>>>> making this a much better spec.
>>>>
>>>> http://wiki.openstack.org/Keystone/Trusts
>>>>
>>>> Blueprint is still at
>>>>
>>>> https://blueprints.launchpad.net/keystone/+spec/trusts
>>>>
>>>>
>>>> I will continue to work on this, to include, for example, how to
>>>> specify duration and start times, but there should be enough here
>>>> for people to understand.
>>>>
>>>> My initial write up:
>>>>
>>>> http://adam.younglogic.com/2012/10/preauthorization-in-keystone/
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



