[openstack-dev] [Keystone] Federated Identity Management and user creation

Adam Young ayoung at redhat.com
Thu Jan 31 18:33:02 UTC 2013

On 01/31/2013 10:40 AM, David Chadwick wrote:
> this is missing the whole point of federation and ABAC. We do not want 
> to base access on unique IDs (or the lack of them) but rather on the 
> identity attributes that users posses. Your proposal would only work 
> if all users from the same IDP had the same set of identity 
> attributes. But this is obviously not the case.


WHat matters is what is in the token.  The User ID is just a 
book-keeping tool in this case.

> As I said in a previous posting, a new way of thinking about authz is 
> needed, one that is not based on the unique user IDs that Keystone 
> assigns.

Think of it his way.  If i invite you to the Open Stack table via 
Federation, I am responsible for you.  The common userID is the account 
responsible for the actions of the ephemeral users.

The token will have a set of identity attributes in it, signed by 
Keystone.  That is all the user needs, not a separate account in 
Keystone's user table.

Another way of saying it is that we already have an ephemeral user 
construct, it is the token.

> For a start, when you first configure your federated OpenStack system, 
> there wont be any users in the database and so there wont be any 
> unique Keystone user IDs, so services wont be able to create ACLs 
> based on them.
Not true.  There are mechanisms for pre-populateing the users, part of 
the install system.  You don't need to completely pull yourself up by 
your own bootstraps.
> However, the users *do* exist, and they do have identity attributes 
> that will be asserted by the IDPs. So the services *can* build their 
> access controls at initialisation time, before any users are created 
> in Keystone (I am only taking about end users not admin users which 
> will exist). The services do this by deciding which keystone 
> attributes (project, roles etc) they will give the users in exchange 
> for their IDP asserted attributes via the new attribute mapping 
> service we have built.
> So when a user does log in, via his IDP, a temporary user entry in 
> Keystone is created for the session, his IDP attributes are mapped 
> into the correct set of roles and projects (tenants), and the service 
> gives the user the correct set of access rights. When the session is 
> completed, the user entry will be automatically deleted from Keystone.
> Its clean and simple. Kristy is already building this
> regards
> David
> On 31/01/2013 15:29, Adam Young wrote:
>> Create a user per federated source. Federated users with no unique IDs
>> are associated with the common user account.  That account should be
>> able to access the set of all resources that anyone in the account can
>> have.  It should not have a password, and users should not be able to
>> log in as that Federated user account.
>> On 01/29/2013 07:41 AM, David Chadwick wrote:
>>> Hi Adam
>>> I have addressed auditability in my previous post. Misuse can still be
>>> addressed even with transient IDs and transient users, so no further
>>> comments here on that issue.
>>> In our initial implementation of FIM we did indeed create new users in
>>> Keystone for every new user arriving from an IDP. This has two
>>> negative consequences
>>> a) we cannot deal with users with transient IDs (as can be produced by
>>> Shibboleth) so we have to mandate that permanent IDs are used by all
>>> IDPs (which Shibboleth can do). Still its a (minor) limitation.
>>> b) we have a housekeeping problem of knowing when to delete old users
>>> from the user database. In our initial implementation we did not
>>> address this, so the database just keeps on growing unless manual
>>> intervention takes place. This is a tricky problem to solve. When
>>> should an entry be deleted? Time limits is not an adequate solution.
>>> My account at Kent has been active for 8 years and growing, whereas
>>> students accounts are deleted each year. Should the IDP notify
>>> Keystone every time its database is updated? Or something else?
>>> So we thought that a better option would be to only hold transient
>>> user entries in Keystone for the duration of the validity time of the
>>> identity assertion from the IdP. This solves the user management
>>> problem, as well as the rights revocation problem, since a user now
>>> only has rights for the duration of his session. (If you want active
>>> revocation in the middle of a session this is a different issue.) User
>>> management is pushed right back to the IDP, which is the right place
>>> for it. The IDP keeps its user database up to date, and only current
>>> users will be given credentials to access Keystone.
>>> As far as I can tell the only negative consequence is on a service
>>> which currently uses the user ID in its access control list. Since
>>> Keystone creates this ID automatically when a user entry is created,
>>> then the same user will have different ID for different sessions. So
>>> the user ID ACL system wont work without either
>>> a) Federated Keystone having a different way of assigning unique IDs
>>> to user entries, so that the IDs can be the same for the same user
>>> even if the entry is deleted then created again, or
>>> b) services using a different attribute type in their ACLs (one that
>>> still contains a permanent unique ID for the user).
>>> regards
>>> David
>>> On 28/01/2013 17:50, Adam Young wrote:
>>>> On 01/28/2013 08:20 AM, K.W.S.Siu wrote:
>>>>> Hello,
>>>>> When Federated Identity Management is used, the authentication
>>>>> statement issued by the external Identity Provider(s) may contain a
>>>>> temporary (or transient) identifier for the user rather than a
>>>>> permanent (or persistent) one. Because of this, it is not possible to
>>>>> always uniquely identify the user each time when federated
>>>>> authentication is used in Keystone (unless one of the user's identity
>>>>> attributes is globally unique, such as an email address). As an
>>>>> existing user is required to issue tokens, it is necessary to 
>>>>> create a
>>>>> new user each time authentication takes place which could result in
>>>>> the backend storage becoming full of redundant data. As a solution to
>>>>> this, we propose the addition of a validity time field in the user
>>>>> entity which can be used to remove expired user data and allow
>>>>> temporary users to be created based on the ID provided by the 
>>>>> Identity
>>>>> Provider. Determining the details of the new user account will be 
>>>>> done
>>>>> by the proposed attribute mapping service.
>>>> That is a pretty important distinction.  It would potentially have
>>>> impacts on Auditability.  Once you say the user object is 
>>>> transient, it
>>>> n longer has an authority to address misuse, at which point it falls
>>>> back on the organization that is Federated to Keystone. Would it be a
>>>> cleaner solution to link the tokens with a single federated 
>>>> account, and
>>>> then to use that account to create all tokens?  The tokens could 
>>>> have a
>>>> subset of roles and access to a subset of endpoints based on the data
>>>> approved by the Federated organization.  It would just be a metter of
>>>> nailing down how the ephemera ids are issued.  I would almost want 
>>>> them
>>>> to be stored in a separate table from the users, which is what the 
>>>> token
>>>> table already is.
>>>> Is it essential that we modify the user object, or are you just
>>>> proposing it as a "path of least resistance?"
>>>>> At the moment we are wondering how people feel about this, and if
>>>>> anyone has any comments or suggestions.
>>>>> Many thanks,
>>>>> Kristy
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list