[openstack-dev] [solum] [mistral] [heat] keystone chained trusts / oauth

Angus Salkeld angus.salkeld at RACKSPACE.COM
Wed May 28 22:35:20 UTC 2014



On 28/05/14 12:04, Steve Martinelli wrote:
> Hey Angus,
> 
> If I understand the scenario correctly, I think you might run into the same 
> problem with OAuth Access Tokens.
> 
>  >> We currently use a trust token and that fails because both mistral and
>  >> heat want to create trust tokens as well :-O (trust tokens can't be
>  >> rescoped).
> 
> i.e.: Use OAuth Access Token (oa) to get a Keystone token (kt), then use that 
> Keystone token (kt) to get another Keystone token? (scoped or not, the request 
> will be denied to prevent chaining)

In solum we have an access token (it's within an autonomous action) and
we want to create a heat stack. Heat (on stack create) will want to
create an access token of its own so it can do something later.

You are saying that keystone will deny that last step (creation of an
access token from an access token)?

(please excuse any terminology errors)

-Angus

> 
>  >> I believe there might be some limitations to oauth (are roles supported?).
> 
> You may specify any number of roles to be delegated in an OAuth Access Token, 
> the only limitation I can think of, is that only projects are supported, not 
> domains.
> 
> 
> Regards,
> 
> Steve Martinelli
> Software Developer - Openstack
> Keystone Core Member
> 
> From: Angus Salkeld <angus.salkeld at RACKSPACE.COM>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
> Date: 05/27/2014 08:58 PM
> Subject: [openstack-dev] [solum] [mistral] [heat] keystone chained trusts / oauth
> 
> 
> 
> Hi all
> 
> During our Solum meeting it was felt we should make sure that all three
> teams are on the same page wrt $subject.
> 
> I'll describe the use case we are trying to solve and hopefully get some
> guidance from the keystone team about the best way forward.
> 
> Solum implements a ci/cd pipeline that we want to trigger based on a git
> receive hook. What we do is generate a magic webhook (should be
> ec2signed url - on the todo list) and when it is hit we want
> to call mistral-execution-create (which runs a workflow that calls
> to other openstack services (heat is one of them)).
> 
> We currently use a trust token and that fails because both mistral and
> heat want to create trust tokens as well :-O (trust tokens can't be
> rescoped).
> 
> So what is the best mechanism for this? I spoke to Steven Hardy at
> summit and he suggested (after talking to some keystone folks) we all
> move to using the new oauth functionality in keystone.
> 
> I believe there might be some limitations to oauth (are roles supported?).
> 
> Basically I want to make sure we are doing the right (and compatible)
> thing so autonomous actions can be carried out across services.
> 
> Regards
> Angus
> 
> refs:
> https://blueprints.launchpad.net/mistral/+spec/mistral-oauth
> https://blueprints.launchpad.net/solum/+spec/solum-oauth
> https://blueprints.launchpad.net/heat/+spec/heat-oauth
> 
> other interesting stuff:
> http://adam.younglogic.com/2013/03/trusts-and-oauth/
> http://homakov.blogspot.com.au/2013/03/oauth1-oauth2-oauth.html
> 

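The failure mode Angus describes, as an added example in Python (not code from the thread or from Solum, Mistral or Heat): it classifies a Keystone v3 token body by the `OS-TRUST:trust` and `OS-OAUTH1` blocks Keystone places on trust-scoped and OAuth-derived tokens, so a service can refuse a chained delegation with a clear error before Keystone rejects it, and models the solum -> mistral -> heat pipeline as a hypothetical walk. The token bodies are constructed samples, and `first_blocked_hop` is a simplified model, not Keystone's own logic.

```python
# Constructed Keystone v3 token bodies (all values are made up). Keystone marks a
# token obtained through a trust with an "OS-TRUST:trust" block, and a token
# obtained from an OAuth1 access token with an "OS-OAUTH1" block.
TRUST_SCOPED_TOKEN = {"token": {
    "project": {"id": "proj-demo"}, "roles": [{"name": "Member"}],
    "OS-TRUST:trust": {"id": "trust-0001", "impersonation": True,
                       "trustor_user": {"id": "user-owner"},
                       "trustee_user": {"id": "svc-solum"}}}}
OAUTH_DERIVED_TOKEN = {"token": {
    "project": {"id": "proj-demo"}, "roles": [{"name": "Member"}],
    "OS-OAUTH1": {"access_token_id": "at-0001", "consumer_id": "consumer-solum"}}}
PLAIN_TOKEN = {"token": {
    "project": {"id": "proj-demo"}, "roles": [{"name": "Member"}]}}


def delegation_kind(token_body):
    """Return 'trust', 'oauth' or None depending on how the token was obtained."""
    token = token_body.get("token", {})
    if "OS-TRUST:trust" in token:
        return "trust"
    if "OS-OAUTH1" in token:
        return "oauth"
    return None


def check_can_delegate(token_body, service_name):
    """Fail early with a clear message instead of letting Keystone reject the
    chained delegation (trust tokens cannot be rescoped, and an OAuth-derived
    token cannot be used to obtain yet another token)."""
    kind = delegation_kind(token_body)
    if kind is not None:
        raise PermissionError(
            f"{service_name}: token is already {kind}-delegated; it cannot be "
            "used to create another trust or access token")
    return True


def first_blocked_hop(token_body, hops):
    """Hypothetical model of the pipeline in the thread: each service in `hops`
    wants to create its own trust for later use and hands the resulting
    trust-scoped token downstream. Return the first service that would be
    blocked, or None if every hop can still delegate."""
    for service in hops:
        if delegation_kind(token_body) is not None:
            return service
        token_body = {"token": {**token_body["token"],
                                "OS-TRUST:trust": {"id": f"trust-{service}"}}}
    return None
```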
