[openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Morgan Fainberg morgan.fainberg at gmail.com
Tue Oct 14 17:31:30 UTC 2014


On Tuesday, October 14, 2014, Nathan Kinder <nkinder at redhat.com> wrote:

>
>
> On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
> > First, some truth in advertising: I work on Congress (policy as a
> service), so I’ve mostly given thought to this problem in that context.
> >
> > 1) I agree with the discussion below about creating a token that encodes
> all the permitted actions for the user.  The cons seem substantial.
>
> +1

>
> > (i) The token will get stale, requiring us to either revoke it when
> policy/roles change or to live with incorrect access control enforcement
> until the token expires.
>
> This is a very good point.
>

Totally valid point. Worth avoiding making this problem worse than today.
We have this to a minor extent because roles are static within an issued
token (policy file could be changed to mitigate).


>
> > (ii) The token could become large, complex, or both.  Suppose the policy
> is granular enough to put restrictions on the arguments a user is permitted
> to provide to an action.  The token might end up encoding a significant
> portion of the policy itself.  Checking if the token permits a given action
> could be similar computationally to checking the original policy.json file.
> >
> >
> > 2) I like the idea of an out-of-band service that caches a copy of all
> the policy.jsons and allows users to interrogate/edit them.  I’ve
> definitely talked to operators who would like this kind of thing.  This
> would be a low-risk, low-friction solution to the problem because nothing
> about OpenStack today would need to change.  We’d just add an extra service
> and tell people to use it—sort of a new UI for the policy.json files.  And
> we could add interesting functionality, e.g. hypothetical queries such as
> “if I were to add role X, what changes would that make in my rights?"
> >
> > Perhaps some more context about why users want to know all of the
> actions they are permitted to execute might help.
>
> I think that there are two questions that a user may have here:
>
> 1) What actions can I perform using a particular token?
>


This is an important question to answer for tools like Horizon, we don't
want to show capabilities or lock out capabilities so we don't need to
"try" to know if it will succeed. This is purely UX.



> 2) What role(s) do I need to perform a particular action?
>
> For me, the second question is more interesting.  A user likely already
> has an idea of a task that they want to perform.  With question number
> 1, what do I do as a user if the response says that I'm not allowed to
> perform the task I'm trying to accomplish?  The answer really doesn't
> give me a way to move forward and perform my task.
>
> With question 2, I'm able to find out what exact roles are needed to
> perform a specific action.  With this information, I could request a
> Keystone token with a subset of my roles that is authorized to perform
> the task while leaving out roles that might have a higher level of
> authorization.  For instance, why should I need to send a token with the
> 'admin' role to Nova just to launch an instance if '_member_' is all
> that's required?
>
> Another real use case is determining what roles are needed when creating
> a trust in Keystone.  If I want to use a trust to allow a service like
> Heat or Neutron's LBaaS to perform an action on my behalf, I want to
> minimize the authorization that I'm delegating to those services.
> Keystone trusts already have the ability to explicitly define the roles
> that will be present in the issues trust tokens, but I have no way of
> knowing what roles are required to perform a particular action without
> consulting the policy


This sums up the large(er) part of or starting this conversation.


-NGK
>
> >
> > Tim
> >
> >
> >
> > On Oct 14, 2014, at 1:56 AM, David Chadwick <d.w.chadwick at kent.ac.uk
> <javascript:;>> wrote:
> >
> >>
> >>
> >> On 14/10/2014 01:25, Nathan Kinder wrote:
> >>>
> >>>
> >>> On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
> >>>> Description of the problem: Without attempting an action on an
> >>>> endpoint with a current scoped token, it is impossible to know what
> >>>> actions are available to a user.
> >>>>
> >>
> >> This is not unusual in the physical world. If you think about all the
> >> authz tokens you carry around in your pocket (as plastic cards), very
> >> few of them (if any) list what you are entitled to do with them. This
> >> gives the issuers and SPs flexibility to dynamically change your
> >> accesses rights without changing your authorisation. What you can do, in
> >> general terms, may be written in policy documents that you can consult
> >> if you wish. So you may wish to introduce a service that is equivalent
> >> to this (i.e. user may optionally consult some policy advice service).
> >>
> >> If you introduce a service to allow a user to dynamically determine his
> >> access rights (absolutely), you have to decide what to do about the
> >> dynamics of this service compared to the lifetime of the keystone token,
> >> as the rights may change more quickly than the token's lifetime.
> >>
> >>>>
> >>>> Horizon makes some attempts to solve this issue by sourcing all of
> >>>> the policy files from all of the services to determine what a user
> >>>> can accomplish with a given role. This is highly inefficient as it
> >>>> requires processing the various policy.json files for each request
> >>>> in multiple places and presents a mechanism that is not really
> >>>> scalable to understand what a user can do with the current
> >>>> authorization. Horizon may not be the only service that (in the
> >>>> long term) would want to know what actions a token can take.
> >>>
> >>> This is also extremely useful for being able to actually support
> >>> more restricted tokens as well.  If I as an end user want to request
> >>> a token that only has the roles required to perform a particular
> >>> action, I'm going to need to have a way of knowing what those roles
> >>> are.  I think that is one of the main things missing to allow the
> >>> "role-filtered tokens" option that I wrote up after the last Summit
> >>> to be a viable approach:
> >>>
> >>>
> https://urldefense.proofpoint.com/v1/url?u=https://blog-nkinder.rhcloud.com/?p%3D101&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=%2FZ35AkRhp2kCW4Q3MPeE%2BxY2bqaf%2FKm29ZfiqAKXxeo%3D%0A&m=XcBszEjYqiYgkoy9iUk3baKeyYoE%2Bb20k6zm3jIXGAs%3D%0A&s=ff78352cef9982b47c9e6cca97aa001f38b13837387332a38b56ce30e1394b87
> >>>
> >>>>
> >>>> I would like to start a discussion on how we should improve our
> >>>> policy implementation (OpenStack wide) to help make it easier to
> >>>> know what is possible with a current authorization context
> >>>> (Keystone token). The key feature should be that whatever the
> >>>> implementation is, it doesn’t require another round-trip to a third
> >>>> party service to “enforce” the policy which avoids another scaling
> >>>> point like UUID Keystone token validation.
> >>
> >> Presumably this does not rule out the user, at his option, calling
> >> another service to ask for advice "what can I do with this token",
> >> bearing in mind that the response will be advice and not a definite
> >> answer (since the PDP will always be the one to provide the definitive
> >> answer).
> >>
> >>
> >>
> >>>>
> >>>> Here are a couple of ideas that we’ve discussed over the last few
> >>>> development cycles (and none of this changes the requirements to
> >>>> manage scope of authorization, e.g. project, domain, trust, ...):
> >>>>
> >>>> 1. Keystone is the holder of all policy files. Each service gets
> >>>> it’s policy file from Keystone and it is possible to validate the
> >>>> policy (by any other service) against a token provided they get the
> >>>> relevant policy file from the authoritative source (Keystone).
> >>
> >> Can I suggest that this is made more abstract, to say, there is a
> >> central policy administration service that stores all policies and
> >> allows them to be updated, deleted, created, inherited etc.
> >>
> >> Whether this service is combined with keystone or not in the
> >> implementation is a separate issue. Conceptually it is a new type of
> >> policy administration service for OpenStack.
> >>
> >>>>
> >>>> Pros: This is nearly completely compatible with the current policy
> >>>> system. The biggest change is that policy files are published to
> >>>> Keystone instead of to a local file on disk. This also could open
> >>>> the door to having keystone build “stacked” policies
> >>>> (user/project/domain/endpoint/service specific) where the deployer
> >>>> could layer policy definitions (layering would allow for stricter
> >>>> enforcement at more specific levels, e.g. users from project X
> >>>> can’t terminate any VMs).
> >>>
> >>> I think that there are a some additional advantages to centralizing
> >>> policy storage (not enforcement).
> >>>
> >>> - The ability to centralize management of policy would be very nice.
> >>> If I want to update the policy for all of my compute nodes, I can do
> >>> it in one location without the need for external configuration
> >>> management solutions.
> >>>
> >>> - We could piggy-back on Keystone's signing capabilities to allow
> >>> policy to be signed, providing protection against policy tampering on
> >>> an individual endpoint.
> >>>
> >>>>
> >>>> Cons: This doesn’t ease up the processing requirement or the need
> >>>> to hold (potentially) a significant number of policy files for each
> >>>> service that wants to evaluate what actions a token can do.
> >>
> >> if you separate out an optional advice service from the
> >> decision/enforcement service, this might provide the flexibility and
> >> performance that you need. E.g. the advice service could cache results
> >> and computations, whilst the decision service would not. The advice
> >> service could be part of the policy administration service, and separate
> >> from the decision/enforcement service.
> >>
> >>>
> >>> Are you thinking of there being a call to keystone that answers
> >>> "what can I do with token A against endpoint B"?  This seems similar
> >>> in concept to the LDAP "get effective rights" control.  There would
> >>> definitely be some processing overhead to this though you could set
> >>> up multiple keystone instances and replicate the policy to spread out
> >>> the load.  It also might be possible to index the enforcement points
> >>> by role in an attempt to minimize the processing for this sort of
> >>> call.
> >>>
> >>>>
> >>>>
> >>>> 2. Each enforcement point in a service is turned into an
> >>>> attribute/role, and the token contains all of the information on
> >>>> what a user can do (effectively shipping the entire policy
> >>>> information with the token).
> >>>>
> >>>> Pros: It is trivial to know what a token provides access to: the
> >>>> token would contain something like `{“nova”: [“terminate”, “boot”],
> >>>> “keystone”: [“create_user”, “update_user”], ...}`. It would be
> >>>> easily possible to allow glance “get image” nova “boot” capability
> >>>> instead of needing to know the roles for policy.json for both
> >>>> glance and nova work for booting a new VM.
> >>>>
> >>>> Cons: This would likely require a central registry of all the
> >>>> actions that could be taken (something akin to an IANA port list).
> >>>> Without a grouping to apply these authorizations to a user (e.g.
> >>>> keystone_admin would convey “create_project, delete_project,
> >>>> update_project, create_user, delete_user, update_user, ...”) this
> >>>> becomes unwieldy. The “roles” or “attribute” that convey
> >>>> capabilities are also relatively static instead of highly dynamic
> >>>> as they are today. This could also contribute to token-bloat.
> >>
> >> Another con is the time lapse, since the token is created at time a with
> >> the access rights applicable at that time, but is used some time later
> >> at time b, when the rights might have changed, but the token has not. So
> >> unless the token is a one time immediate use token, you have the problem
> >> of revocation due to it containing rights that should now be withdrawn.
> >>
> >> regards
> >>
> >> David
> >>
> >>>
> >>> I think we really want to avoid additional token bloat.
> >>>
> >>> Thanks, -NGK
> >>>
> >>>>
> >>>>
> >>>>
> >>>> I’m sure there are more ways to approach this problem, so please
> >>>> don’t hesitate to add to the conversation and expand on the
> >>>> options. The above options are by no mean exhaustive  nor fully
> >>>> explored. This change may not even be something to be expected
> >>>> within the current development cycle (Kilo) or even the next, but
> >>>> this is a conversation that needs to be started as it will help
> >>>> make OpenStack better.
> >>>>
> >>>> Thanks, Morgan
> >>>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20141014/e0ab5791/attachment.html>


More information about the OpenStack-dev mailing list