[openstack-dev] [Keystone] Group changes must revoke tokens
ayoung at redhat.com
Wed Dec 19 15:40:20 UTC 2012
On 12/19/2012 09:56 AM, David Chadwick wrote:
> Hi Adam
> I believe our attribute mapping work is orthogonal to and independent of
> revocation of roles or tokens, since attribute mapping takes place
> before the token is created. if a role is revoked subsequently to it
> being assigned by the attribute mapping service, then it will remain
> What could potentially effect the mapping, is if the user's
> organisational attributes (or group memberships, if groups were to use
> mappings) are revoked whilst he is accessing the cloud. Currently this
> would not cause his current session to be terminated or his mapped
> roles to be revoked since there is no mechanism for the IDP to inform
> OpenStack about this. But when the user tries to activate a new
> session he would not be able to since he would no longer have the
> correct organisational attributes (or groups) and could therefore no
> longer be assigned a role.
> However, I need you to answer one question
> You said " When a users roles change,..." How do they change? Who
> changes them and how
It would need to happen when either the user attribute changes, or the
mapping changes. Whenever a user would no longer have a role that they
used to have, all tokens that would have had that role need to be revoked.
Say a user is a member of group admins. Then they get promoted. They
are removed from admins, and added to supervisors.
both admins and supervisors have the role "VMManagers" that allows
them to do things like create new vms and so forth, as enforced by
RBAC. But we realize that we should not trust managers to do this. So
we unmap the role "VMManagers" from the group "supervisors." All tokens
for supervisors must now be revoked.
Now when a user is promoted from admin to supervisor, we change their
group membership, and their tokens must be revoked at that point.
Both are "role changes" and both are revokable events.
> On 19/12/2012 14:30, Henry Nash wrote:
>> Hi Adam,
>> Quite right. The api blueprint for user groups specifies that this
>> should happen (Dolph had been reviewing this) and the server code is
>> using the same revoke mechanism that happens when a user role
>> changes. I'll see if I can refactor this so it is more general and
>> will then be obvious how we could plug in the mapping triggers.
>> Henry On 19 Dec 2012, at 14:25, Adam Young wrote:
>>> Since both of you are working on stuff invloving how Roles are
>>> assigned to users, I want you to both be aware of an important
>>> issue. When a users roles change, their tokens get invalidated.
>>> Since both the group and mapping blueprints will affect Role
>>> assignments, both can have significant effects on the number of
>>> users whose tokens get revoked.
>>> Please update both of your blueprints to reflect this. We will
>>> need a common mechanism for determining which tokens to revoke.
>>> This must happen before anything that changes role assignments can
>>> be merged.
>> _______________________________________________ OpenStack-dev mailing
>> list OpenStack-dev at lists.openstack.org
More information about the OpenStack-dev