<div dir="ltr">Hi Anna,<div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 13, 2014 at 8:36 AM, Anna A Sortland <span dir="ltr"><<a href="mailto:annasort@us.ibm.com" target="_blank">annasort@us.ibm.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font face="sans-serif">[A] The current keystone LDAP community
driver returns all users that exist in LDAP via the API call v3/users,
instead of returning just users that have role grants (similar processing
is true for groups). This could potentially be a very large number of users.
We have seen large companies with LDAP servers containing hundreds and
thousands of users. We are aware of the filters available in keystone.conf
([ldap].user_filter and [ldap].query_scope) to cut down on the number of
results, but they do not provide sufficient filtering (for example, it
is not possible to set user_filter to members of certain known groups for
OpenLDAP without creating a memberOf overlay on the LDAP server). <br>
<br>
[Nathan Kinder] What attributes would you filter on? It seems to
me that LDAP would need to have knowledge of the roles to be able to filter
based on the roles. This is not necessarily the case, as identity
and assignment can be split in Keystone such that identity is in LDAP and
role assignment is in SQL. I believe it was designed this way to
deal with deployments<br>
where LDAP already exists and there is no need (or possibility) of adding
role info into LDAP. <br>
<br>
[A] That's our main use case. The users and groups are in LDAP and role
assignments are in SQL. <br>
You would filter on role grants and this information is in SQL backend.
So new API would need to query both identity and assignment drivers. <br></font></blockquote><div><br></div><div>From my perspective, it seems there is a chicken-and-egg problem with this proposal. If a user doesn't have a role assigned, the user does not show up in the list. But if the user doesn't show up in the list, the user doesn't exist. If the user doesn't exist, you cannot add a role to it.</div>
<div><br></div><div>Perhaps what is needed is just some sort of filter to listing users that only returns users with a role in the cloud?</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font face="sans-serif">
<br>
[Nathan Kinder] Without filtering based on a role attribute in LDAP, I
don't think that there is a good solution if you have OpenStack and non-OpenStack
users mixed in the same container in LDAP.<br>
If you want to first find all of the users that have a role assigned to
them in the assignments backend, then pull their information from LDAP,
I think that you will end up with one LDAP search operation per user. This
also isn't a very scalable solution.<br>
<br>
[A] What was the reason the LDAP driver was written this way, instead of
returning just the users that have OpenStack-known roles? Was the creation
of a separate API for this function considered? <br>
Are other exploiters of OpenStack (or users of Horizon) experiencing this
issue? If so, what was their approach to overcome this issue? We have been
prototyping a keystone extension that provides an API that provides this
filtering capability, but it seems like a function that should be generally
available in keystone.</font>
<br><font face="sans-serif"><br>
[Nathan Kinder] I'm curious to know how your prototype is looking to handle
this. <br>
<br>
[A] The prototype basically first calls assignment API list_role_assignments()
to get a list of users and groups with role grants. It then iterates the
retrieved list and calls identity API list_users_in_group() to get the
list of users in these groups with grants and get_user() to get users that
have role grants but do not belong to the groups with role grants (a call
for each user). Both calls ignore groups and users that are not found in
the LDAP registry but exist in SQL (this could be the result of a user
or group being removed from LDAP, but the corresponding role grant was
not revoked). Then the code removes duplicates if any and returns the combined
list. <br>
<br>
The new extension API is /v3/my_new_extension/users. Maybe the better naming
would be v3/roles/users (list users with any role) - compare to existing
v3/roles/{role_id}/users (list users with a specified role).
<br>
<br>
Another alternative that we've tried is just a new identity driver that
inherits from keystone.identity.backends.ldap.LDAPIdentity and overrides
just the list_users() function. That's probably not the best approach from
OpenStack standards point of view but I would like to get community's feedback
on whether this is acceptable. </font>
<br>
<br>
<br><font face="sans-serif">I've posted this question to openstack-security
last week but could not get any feedback after Nathan's first reply. Reposting
to openstack-dev..</font>
<br>
<br><font face="sans-serif"><br>
<br>
Anna Sortland</font>
<br><font face="sans-serif">Cloud Systems Software Development</font>
<br><font face="sans-serif">IBM Rochester, MN<br>
<a href="mailto:annasort@us.ibm.com" target="_blank">annasort@us.ibm.com</a><br>
<br>
<br>
</font>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div></div>