<font size=2 face="sans-serif">Hi Adam, all, </font>
<br>
<br><font size=2 face="sans-serif">While working on Object Storage, we
recognized two important delegation requirements: (1) fine-grained delegation
(e.g. at the object level); (2) direct user-to-user or application-to-application
delegation (without involving any cloud management entity). To achieve
these , I would like to propose the following two enhancements to the delegation
specification. </font>
<br>
<br><font size=2 face="sans-serif">First, I suggest to broaden the specification
of the delegation subject. It seems that the current proposal focuses on
the delegation of roles, while for some services we might be interested
in delegation of access to resources. For example, in Swift we might be
interested to delegate an access to a single object. With the role delegation
model, you might violate the principle of least privilege by giving more
access rights than required. Thus, I think it will be good to have a generic
field of "resource descriptor" in the token. Depending on the
service that uses this mechanism, this field may refer to an object, container,
vm or any other resource that can be of interest as a delegation subject.
</font>
<br>
<br><font size=2 face="sans-serif">Second, I suggest to broaden the delegation
mechanism. I think that it will be good to have a user-to-user or application-to-application
delegation which can be done by users independently of Keystone. However,
Keystone should be able to verify the integrity of the entire chain. </font>
<br>
<br><font size=2 face="sans-serif">You can see additional details of the
delegation chaining mechanism, as well as the requirements and the token
fields in the following paper: </font>
<br><a href=http://www.scpe.org/site/index.php/scpe/article/view/727/325><font size=2 face="sans-serif">http://www.scpe.org/site/index.php/scpe/article/view/727/325</font></a><font size=2 face="sans-serif">-
see the full reference below. </font>
<br>
<br><font size=2 face="sans-serif">I will be glad to jointly work on adding
these two enhancements. </font>
<br>
<br><font size=2 face="sans-serif">Thank you very much,</font>
<br><font size=2 face="sans-serif">Alex. </font>
<br><font size=2 face="sans-serif"> </font>
<br><font size=2 face="sans-serif">Paper reference: </font>
<br><a href=http://www.scpe.org/site/index.php/scpe/article/view/727><font size=2 face="Arial">Secure
Access Mechanism for Cloud Storage</font></a>
<br><font size=2 face="Arial">D Harnik, E K Kolodner, S Ronen, J Satran, </font><a href="http://researcher.watson.ibm.com/researcher/view.php?person=il-SHULMANA"><font size=2 face="Arial">A
Shulman-Peleg</font></a><font size=2 face="Arial">, S Tal <br>
Scalable Computing: Practice and Experience 12(3), 2011 </font>
<br>
<br><font size=2 face="sans-serif">----------------------------------------------------------<br>
Alexandra Shulman-Peleg, PhD<br>
Storage Research, Cloud Platforms Dept.<br>
IBM Haifa Research Lab<br>
Tel: +972-3-7689530 | Fax: +972-3-7689545</font>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Adam Young <ayoung@redhat.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">David Chadwick <d.w.chadwick@kent.ac.uk>,
</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">OpenStack Development
Mailing List <openstack-dev@lists.openstack.org></font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">04/12/2012 06:18 AM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [openstack-dev]
[Keystone] Trust Specification Updated</font>
<br>
<hr noshade>
<br>
<br>
<br><tt><font size=2>On 12/03/2012 04:19 PM, David Chadwick wrote:<br>
> Hi Adam<br>
><br>
> yes this is nice work. I have added a few minor mods to the wiki <br>
> version to pick up a few missing pieces. I have annotated these with
<br>
> <David> so that you can easily spot them<br>
<br>
Good changes all. I took two of them pretty much as is (DELETE and
the <br>
optional fields). I also added this <br>
</font></tt><a href=http://wiki.openstack.org/Keystone/Trusts#Token_Format_Changes><tt><font size=2>http://wiki.openstack.org/Keystone/Trusts#Token_Format_Changes</font></tt></a><tt><font size=2>
to <br>
account for tracking the chain of responsibility.<br>
<br>
><br>
> regards<br>
><br>
> David<br>
><br>
><br>
> On 03/12/2012 16:34, Adam Young wrote:<br>
>> I realize we have had a little bit of disagreement on what to
call<br>
>> this. I am going to continue to call it "Trusts"
as it is a subset of<br>
>> the set of mechanisms for delegation.<br>
>><br>
>> I've wikified the Specification. Big thanks to David Chatwick
for<br>
>> making this a much better spec.<br>
>><br>
>> </font></tt><a href=http://wiki.openstack.org/Keystone/Trusts><tt><font size=2>http://wiki.openstack.org/Keystone/Trusts</font></tt></a><tt><font size=2><br>
>><br>
>> Blueprint is still at<br>
>><br>
>> </font></tt><a href="https://blueprints.launchpad.net/keystone/+spec/trusts"><tt><font size=2>https://blueprints.launchpad.net/keystone/+spec/trusts</font></tt></a><tt><font size=2><br>
>><br>
>><br>
>> I will continue to work on this, to include, for example, how
to<br>
>> specifiy duration and start times, but there should be enough
here for<br>
>> people to understand.<br>
>><br>
>> My initial write up:<br>
>><br>
>> </font></tt><a href="http://adam.younglogic.com/2012/10/preauthorization-in-keystone/"><tt><font size=2>http://adam.younglogic.com/2012/10/preauthorization-in-keystone/</font></tt></a><tt><font size=2><br>
>><br>
>> _______________________________________________<br>
>> OpenStack-dev mailing list<br>
>> OpenStack-dev@lists.openstack.org<br>
>> </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br>
<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
OpenStack-dev@lists.openstack.org<br>
</font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br>
<br>
</font></tt>
<br>