[openstack-dev] revocation and duration times

Adam Young ayoung at redhat.com
Tue Nov 12 02:40:59 UTC 2013

On 11/11/2013 03:00 PM, Morgan Fainberg wrote:
> David,
> My concern with this approach is that keystone currently doesn't have
> the mechanisms to handle a "polling" job (no such thing as "periodic"
> tasks like in nova) and we go to some fairly extreme effort to not use
> eventlet anywhere.  We also recommend keystone be run under apache (or
> even if we have multiple keystone processes running), so it would be a
> challenge to determine where to run this "task".  It might be hard to
> implement a "polling" module elegantly without doing something along
> the lines of polling when an IdP backed user tries to take an action
> (each time), which could be significant overhead.

We could implement this as a stand alone service, though, which would 
poll on behalf of Keystone.

> --Morgan Fainberg
> On Mon, Nov 11, 2013 at 11:13 AM, David Chadwick
> <d.w.chadwick at kent.ac.uk> wrote:
>> Hi Guys
>> I want to revise my earlier take on this, after giving it some more thought.
>> we discussed what to do in federation when the assertions have a particular
>> time duration, but the user wishes to delegate permissions or start a job
>> for longer than this duration. What should we do?
>> Firstly, we should not do this in general, as it is an escalation of
>> privileges.
>> However, if the IDP allows callbacks we can do it by building a polling
>> module in Keystone which will poll the IDP every time the assertion duration
>> expires, up to and including the time that the delegated permission expires.
>> If the callback succeeds we know the user is still active and not revoked,
>> but if the callback fails, we know the user has been revoked and his
>> delegated task should also be revoked.
>> OAuth2/OpenID Connect has the concept of refresh tokens. This allows the RP
>> (keystone) to call back to the IDP once the normal token has expired in
>> order to get a new one. This could be used to support extended duration of
>> delegations.
>> SAML allows the IDP to be queried for user attributes. So if Keystone sends
>> an attribute request to the SAML IDP once the original assertion has
>> expired, then if the user is still present the IDP will return his
>> attributes. The Keystone polling module can do this until the delegation
>> expires.
>> I don't think the previous idea was very sensible, since it is no different to
>> the IDP supporting revocation lists. (To refresh, the original idea was for
>> the IDP to say, when the federation is set up (as part of the federation
>> agreement), that it will send user revocation notifications to those SPs to
>> whom it has issued user assertions within a specified time frame (this time
>> would be federation specific, but could be set to say 7 days for assertions
>> of duration 24 hours) then the SPs now have a maximum time that they can
>> escalate a user's assertion up to, if the user starts a job or delegates
>> privileges etc. from an assertion of shorter duration.)
>> regards
>> David
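As an added illustration (not code from this thread, and not Keystone's own code), the following Python sketches the stand-alone poller Adam suggests, implementing the scheme David describes: each delegation is re-checked at the IdP every time its backing assertion would have expired, until the delegation itself expires, and a failed check revokes the delegation. The names are hypothetical, times are integer seconds, and `idp_callback(user) -> bool` stands in for whichever check the IdP supports (an OAuth2/OpenID Connect refresh-token call or a SAML attribute query); `FakeIdP` is a constructed stand-in for testing offline.

```python
"""Added example (not from this thread, not Keystone code): a stand-alone
poller that re-checks federated users at the IdP for as long as a
delegation outlives the assertion it was created from.

Hypothetical names throughout; idp_callback(user) -> bool abstracts the
real IdP round trip (OAuth2/OIDC refresh token or SAML attribute query).
"""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Delegation:
    next_check: int                      # when the current assertion expires
    delegation_id: str = field(compare=False)
    user: str = field(compare=False)
    assertion_duration: int = field(compare=False)
    delegation_expires: int = field(compare=False)
    revoked: bool = field(default=False, compare=False)


class DelegationPoller:
    """Polls the IdP on behalf of Keystone; driven by advance(now)."""

    def __init__(self, idp_callback, now=0):
        self.idp_callback = idp_callback  # fn(user) -> True if still valid
        self.now = now
        self._due = []                    # min-heap ordered by next_check
        self.delegations = {}

    def register(self, delegation_id, user, assertion_issued_at,
                 assertion_duration, delegation_expires):
        """Track a delegation created from an assertion.  The first check
        is scheduled for the moment the assertion would expire: while the
        assertion is still valid nothing has been escalated."""
        d = Delegation(next_check=assertion_issued_at + assertion_duration,
                       delegation_id=delegation_id, user=user,
                       assertion_duration=assertion_duration,
                       delegation_expires=delegation_expires)
        self.delegations[delegation_id] = d
        heapq.heappush(self._due, d)
        return d

    def advance(self, now):
        """Run every check that falls due at or before `now`.  Returns a
        list of (delegation_id, outcome), outcome being 'confirmed',
        'revoked' or 'expired'."""
        self.now = now
        events = []
        while self._due and self._due[0].next_check <= now:
            d = heapq.heappop(self._due)
            if d.next_check >= d.delegation_expires:
                # The delegation ended on its own before another check
                # was needed, so the IdP is not contacted again.
                events.append((d.delegation_id, "expired"))
                continue
            if self.idp_callback(d.user):
                # User still present at the IdP: allow one more assertion
                # lifetime and re-queue (the gap between checks is never
                # longer than the assertion duration).
                d.next_check += d.assertion_duration
                heapq.heappush(self._due, d)
                events.append((d.delegation_id, "confirmed"))
            else:
                # Callback failed: treat the user as revoked and revoke
                # the delegated task with them.
                d.revoked = True
                events.append((d.delegation_id, "revoked"))
        return events

    def is_active(self, delegation_id):
        d = self.delegations[delegation_id]
        return not d.revoked and self.now < d.delegation_expires


class FakeIdP:
    """Constructed stand-in for the IdP callback: users in `revoked` fail."""

    def __init__(self):
        self.revoked = set()

    def __call__(self, user):
        return user not in self.revoked


if __name__ == "__main__":
    idp = FakeIdP()
    poller = DelegationPoller(idp)
    # Assertion lasts 10 s; the delegated job is meant to run for 35 s.
    poller.register("job-1", "alice", 0, 10, 35)
    print(poller.advance(10))          # [('job-1', 'confirmed')]
    idp.revoked.add("alice")           # IdP deprovisions the user
    print(poller.advance(20))          # [('job-1', 'revoked')]
    print(poller.is_active("job-1"))   # False
```

A delegation that is shorter than its assertion is never polled at all, which matches David's point that the check is only needed where the delegation would otherwise escalate the assertion's lifetime; a real deployment would also need to cap how far `delegation_expires` may exceed the assertion, which this sketch leaves to policy.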
