<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
Some kind of intermediate mapping might be better. With ldap, I dont have control over the groups users are assigned since thats an enterprise/AD thing. There can be a lot of them. Groups to Role relations I guess do that mapping. Though maybe passing groups
directly when domains can have different group meanings might be a big problem.<br>
<br>
Does federation have a way to map a federated group to a local group somehow?<br>
<br>
Thanks,<br>
Kevin <strong>
<div><font face="Tahoma" color="#000000" size="2"> </font></div>
</strong>
<hr tabindex="-1">
<font face="Tahoma" size="2"><b>From:</b> Steve Martinelli<br>
<b>Sent:</b> Wednesday, June 03, 2015 8:19:16 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation<br>
</font><br>
<div></div>
<div><font size="2" face="sans-serif">Dozens to hundreds of roles or endpoints could cause an issue now :)</font>
<br>
<br>
<font size="2" face="sans-serif">But yeah, groups are much more likely to number in the dozens than roles or endpoints. But I think the Fernet token size is so small that it could probably handle this (since it does so now for the federated workflow).</font>
<br>
<font size="2" face="sans-serif"><br>
Thanks,<br>
<br>
Steve Martinelli<br>
OpenStack Keystone Core</font> <br>
<br>
<br>
<br>
<font size="1" color="#5f5f5f" face="sans-serif">From: </font><font size="1" face="sans-serif">"Fox, Kevin M" <Kevin.Fox@pnnl.gov></font>
<br>
<font size="1" color="#5f5f5f" face="sans-serif">To: </font><font size="1" face="sans-serif">"OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org></font>
<br>
<font size="1" color="#5f5f5f" face="sans-serif">Date: </font><font size="1" face="sans-serif">06/03/2015 11:14 PM</font>
<br>
<font size="1" color="#5f5f5f" face="sans-serif">Subject: </font><font size="1" face="sans-serif">Re: [openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation</font>
<br>
<hr noshade="">
<br>
<br>
<br>
<font size="3">Will dozens to a hundred groups or so on one user cause issues? :)<br>
<br>
Thanks,<br>
Kevin </font><br>
<font size="2" face="Tahoma"><b> </b></font> <br>
<hr>
<font size="2" face="Tahoma"><b>From:</b> Morgan Fainberg<b><br>
Sent:</b> Wednesday, June 03, 2015 7:23:22 PM<b><br>
To:</b> OpenStack Development Mailing List (not for usage questions)<b><br>
Subject:</b> Re: [openstack-dev] [keystone][barbican] Regarding exposing X-Group-xxxx in token validation</font><font size="3"><br>
</font><br>
<font size="3">In general I am of the opinion with the move to Fernet there is no good reason we should avoid adding the group information into the token.
</font><br>
<br>
<font size="3">--Morgan<br>
<br>
Sent via mobile</font> <br>
<font size="3"><br>
On Jun 3, 2015, at 18:44, Dolph Mathews <</font><a href="mailto:dolph.mathews@gmail.com"><font size="3" color="blue"><u>dolph.mathews@gmail.com</u></font></a><font size="3">> wrote:<br>
</font><br>
<br>
<font size="3">On Wed, Jun 3, 2015 at 5:58 PM, John Wood <</font><a href="mailto:john.wood@rackspace.com" target="_blank"><font size="3" color="blue"><u>john.wood@rackspace.com</u></font></a><font size="3">> wrote:</font>
<br>
<font size="1" color="blue" face="Calibri">Hello folks,</font> <br>
<br>
<font size="1" color="blue" face="Calibri">There has been discussion about adding user group support to the per-secret access control list (ACL) feature in Barbican. Hence secrets could be marked as accessible by a group on the ACL rather than an individual
user as implemented now.</font> <br>
<br>
<font size="1" color="blue" face="Calibri">Our understanding is that Keystone does not pass along a user’s group information during token validation however (such as in the form of X-Group-Ids/X-Group-Names headers passed along via Keystone middleware).</font>
<br>
<br>
<font size="3">The pre-requisite for including that information in the form of headers would be adding group information to the token validation response. In the case of UUID, it would be pre-computed and stored in the DB at token creation time. In the case
of PKI, it would be encoded into the PKI token and further bloat PKI tokens. And in the case of Fernet, it would be included at token validation time.</font>
<br>
<br>
<font size="3">Including group information, however, would also let us efficient revoke tokens using token revocation events when group membership is affected in any way (user being removed from a group, a group being deleted, or a group-based role assignment
being revoked). The OS-FEDERATION extension is actually already including groups in tokens today, as a required part of the federated workflow. We'd effectively be introducing that same behavior into the core Identity API (see the federated token example):</font>
<br>
<br>
<font size="3"> </font><a href="https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-an-unscoped-os-federation-token"><font size="3" color="blue"><u>https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#request-an-unscoped-os-federation-token</u></font></a>
<br>
<br>
<font size="3">This would allow us to address bugs such as:</font> <br>
<br>
<font size="3"> </font><a href="https://bugs.launchpad.net/keystone/+bug/1268751"><font size="3" color="blue"><u>https://bugs.launchpad.net/keystone/+bug/1268751</u></font></a>
<br>
<br>
<font size="3">In the past, we shied away from including groups if only to avoid bloating the size of PKI tokens any further (but now we have Fernet tokens providing a viable alternative). Are there any other reasons not to add group information to the token
validation response?</font> <br>
<font size="3"> </font> <br>
<br>
<font size="1" color="blue" face="Calibri">Would the community consider this a useful feature? Would the community consider adding this support to Liberty?</font>
<br>
<br>
<font size="1" color="blue" face="Calibri">Thank you,</font> <br>
<font size="1" color="blue" face="Calibri">John</font> <br>
<br>
<font size="3"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank"><font size="3" color="blue"><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><font size="3" color="blue"><u><br>
</u></font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><font size="3" color="blue"><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</u></font></a><font size="3"><br>
</font><br>
<br>
<font size="3">__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: </font><a href="mailto:OpenStack-dev-request@lists.openstack.org"><font size="3" color="blue"><u>OpenStack-dev-request@lists.openstack.org</u></font></a><font size="3">?subject:unsubscribe</font><font size="3" color="blue"><u><br>
</u></font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><font size="3" color="blue"><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</u></font></a><tt><font size="2">__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
</font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size="2">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size="2"><br>
</font></tt><br>
</div>
</body>
</html>