[openstack-dev] revocation and duration times

David Chadwick d.w.chadwick at kent.ac.uk
Tue Nov 12 09:29:56 UTC 2013

I don't see how the account paymaster can tell when a user from an IDP 
has been revoked or had his privileges curtailed, but if he can, then 
cutting off the account is simply another type of revocation message. 
Whether revocation comes directly from the IDP or from the account 
paymaster is irrelevant from the perspective of Keystone having the 
ability to receive revocation messages and being able to act upon them. 
It's simply a matter of access control as to who is trusted/allowed to 
send revocation messages. You cannot allow anyone to do this, otherwise 
it becomes a source of DoS attacks.



On 12/11/2013 02:19, Adam Young wrote:
> I suspect that the majority of the Federation cases will fall along
> these lines, and that this rule will be too restrictive.
> A SAML assertion will be short lived.  A Virtual machine agreement will
> be longer (for the most part) and most IdPs will not be sending out
> revocation events.  I'd argue that most people are ok with this in
> general, but will want to have some sort of "I pay for the account, I
> can cut off the account" agreement from a specific user or set of users.
> On 11/08/2013 07:18 AM, David Chadwick wrote:
>> Hi Guys
>> we discussed what to do in federation when the assertions have a
>> particular time duration, but the user wishes to delegate permissions
>> or start a job for longer than this duration. What should we do?
>> Firstly we should not do this in general as it is an escalation of
>> privileges.
>> However, if the IDP says, when the federation is set up (as part of
>> the federation agreement), that it will send user revocation
>> notifications to those SPs to whom it has issued user assertions
>> within a specified time frame (this time would be federation specific,
>> but could be set to say 7 days for assertions of duration 24 hours)
>> then the SPs now have a maximum time that they can escalate a user's
>> assertion up to, if the user starts a job or delegates privileges etc.
>> from an assertion of shorter duration.
>> regards
>> David
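The two mechanisms discussed in this thread, an allow-list on who may submit revocation messages and a bound on how far a short-lived assertion may be extended derived from the IdP's revocation-notification promise, sketched as an added Python example (this is illustrative code, not Keystone's, and the class and field names such as FederationAgreement, revocation_notify_window and RevocationRegistry are assumptions; the dates and party names are constructed):

```python
"""Access-controlled revocation intake and time-bounded assertion extension.

Added illustration, not Keystone code. The SP records each federation
agreement's revocation-notification window, accepts revocation messages only
from senders it trusts, and bounds how far a short-lived assertion may be
honoured for a long job or a delegation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class FederationAgreement:
    """Terms fixed when the federation is set up (field names are assumed)."""
    idp_id: str
    assertion_lifetime: timedelta
    # How long after issuing an assertion the IdP promises to tell the SP
    # about a revocation; None means this IdP sends no revocation events.
    revocation_notify_window: Optional[timedelta]


@dataclass(frozen=True)
class Assertion:
    idp_id: str
    user_id: str
    issued_at: datetime


@dataclass
class RevocationRegistry:
    """Revocation intake guarded by an allow-list of senders.

    Only parties named in the agreement (the IdP, or an account paymaster it
    has delegated to) may post revocations. Anything else is dropped and not
    recorded, so the endpoint cannot be used to revoke arbitrary users or to
    flood the SP with events.
    """
    trusted_senders: frozenset
    events: list = field(default_factory=list)

    def receive(self, sender: str, idp_id: str, user_id: str,
                revoked_at: datetime) -> bool:
        if sender not in self.trusted_senders:
            return False  # untrusted sender: reject without recording
        self.events.append((idp_id, user_id, revoked_at))
        return True

    def is_revoked(self, assertion: Assertion, at: datetime) -> bool:
        return any(idp == assertion.idp_id and user == assertion.user_id
                   and revoked_at <= at
                   for idp, user, revoked_at in self.events)


def max_extended_expiry(assertion: Assertion,
                        agreement: FederationAgreement) -> datetime:
    """Latest time to which the SP may honour this assertion.

    With no revocation promise the assertion's own lifetime is the bound.
    With one, the SP will be told of a revocation within the window, so it
    may extend up to issued_at + window (never below the own lifetime).
    """
    bound = agreement.assertion_lifetime
    if agreement.revocation_notify_window is not None:
        bound = max(bound, agreement.revocation_notify_window)
    return assertion.issued_at + bound


def authorize_long_running(assertion: Assertion, agreement: FederationAgreement,
                           registry: RevocationRegistry,
                           requested_until: datetime, now: datetime) -> bool:
    """May a job or delegation based on this assertion run until requested_until?"""
    if assertion.idp_id != agreement.idp_id:
        return False
    if registry.is_revoked(assertion, now):
        return False
    return requested_until <= max_extended_expiry(assertion, agreement)


def run_demo() -> dict:
    """Constructed scenario: 24h assertions, 7-day notification window."""
    issued = datetime(2013, 11, 8, 12, 0, tzinfo=timezone.utc)
    agreement = FederationAgreement("idp-example", timedelta(hours=24), timedelta(days=7))
    assertion = Assertion("idp-example", "alice", issued)
    registry = RevocationRegistry(frozenset({"idp-example", "paymaster-example"}))
    hour = timedelta(hours=1)
    results = {
        "bound_days": (max_extended_expiry(assertion, agreement) - issued).days,
        "three_day_job": authorize_long_running(assertion, agreement, registry,
                                                issued + timedelta(days=3), issued + hour),
        "ten_day_job": authorize_long_running(assertion, agreement, registry,
                                              issued + timedelta(days=10), issued + hour),
        "stranger_accepted": registry.receive("stranger", "idp-example", "alice", issued + 2 * hour),
        "paymaster_accepted": registry.receive("paymaster-example", "idp-example", "alice",
                                               issued + 2 * hour),
    }
    # After the paymaster's revocation the same three-day job is refused.
    results["three_day_job_after_revocation"] = authorize_long_running(
        assertion, agreement, registry, issued + timedelta(days=3), issued + 3 * hour)
    no_events = FederationAgreement("idp-example", timedelta(hours=24), None)
    results["bound_hours_without_promise"] = int(
        (max_extended_expiry(assertion, no_events) - issued).total_seconds() // 3600)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The bound uses the larger of the assertion lifetime and the notification window, so an IdP that makes no revocation promise leaves the SP with nothing beyond the assertion's own expiry, which is the "escalation of privileges" case the thread says to refuse by default.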
