[openstack-dev] [Keystone] Trusts (Preauth) and LDAP
Adam Young
ayoung at redhat.com
Thu Nov 29 14:54:40 UTC 2012
On 11/28/2012 06:00 PM, Matt Joyce wrote:
> Adam,
>
> In this model can I do a...
>
> grant trust key for user foo that is read on keystone, constrained
> to tenant uuid bar ?
Yes.
"read on keystone" might need to be slightly more defined, as it needs
to be something controlled by policy. So lets say a user has the
"read_keystone" role (we might want to make a handful of implicit roles
that every user has on all tenants...interesting thought) tehn you
would add that role to the trust:
The create call would have a payload along these lines.
{
trustor: foo,
trustee: cinder,
tenant: bar,
roles: [read_keystone],
endpoints: [https://10.10.2.1/keystone/]
}
And you hould be able to see how that would map to the tokens.
>
> That's probably enough for my needs.
>
> -Matt
>
> On Wed, Nov 28, 2012 at 2:53 PM, Adam Young <ayoung at redhat.com
> <mailto:ayoung at redhat.com>> wrote:
>
> On 11/28/2012 05:23 PM, heckj wrote:
>
> To be a little more specific, what I'm trying to understand is
> the workflow beyond the initial request to a service with the
> trust concept already set up -
>
> Say Joe requests a snapshot to be taken of a volume, and wants
> that dumped into object storage. The service doing the
> snapshot takes a while (sorry, it's just slow) - and 30
> minutes later the service (cinder in my little example) wants
> to write data to object storage (swift) - what allows this to
> happen? What interactions and with what data stored where?
>
> OK, let me get a better write up going. I'll try to post
> something in the next couple of days as far as how I think this is
> supposed to work, but the short form:
>
>
> user joe creates a trust. trustor is joe, trustee is cinder,
> tenant is joes_restaurant (eat at Joes!) and the role is what ever
> is required to write to swift, so we will call it swift_write.
>
> when cinder goes to perform the action for joe, it authenticates
> to keystone passing its service token and the trust id. In
> return, it gets back a token that has joe as the user_id, as well
> as all the other information specified by the trust. It uses that
> token to write to swift.
>
> So swift would have to be modified to know about trusts.
>
> so the APIs would be something like
>
> POST v3/trusts (create a new one)
> DELETE v3/trusts/<id> (create a new one)
> POST v3/tokens (get a token for a trust)
>
> But I'll write it up in more detail.
>
>
>
>
> -joe
>
> On Nov 28, 2012, at 2:14 PM, heckj <heckj at mac.com
> <mailto:heckj at mac.com>> wrote:
>
> Hey Adam -
>
> so what I'm missing on all of this is
>
> 1) what's the API and how does a service and user interact
> with it?
>
> 2) what's the gist of the code - have it in a github repo
> or something to see your initial implementation?
>
> Trust, delegation, impersonation - whatever - the need
> that you laid out in your blog post is great. Glance and
> Nova have the exact same needs
> (the blog post isn't a spec, by the way - you should
> update the BP to point to something other than your
> motivations for making it)
>
> In terms of the choices, I'd like to see the API and how
> you've taken a stab at implementing it to suggest some
> possible solutions. With no other knowledge, I'm tempted
> to assert it should be it's own backend, even knowing
> that's relatively heavy weight.
>
> -joe
>
> On Nov 28, 2012, at 7:45 AM, Adam Young <ayoung at redhat.com
> <mailto:ayoung at redhat.com>> wrote:
>
> I have a very rudimentary Trust (what I used to call
> Preauth
> https://blueprints.launchpad.net/keystone/+spec/trusts) implementation
> working with the SQL backend for Identity.
>
> With LDAP, I am not sure where I would store the trust
> information. The data for the trust itself is simply
> the uuid user_ids for the trustor and trustee and
> tenant Id. There is also a table for the roles, and a
> second table for the endpoints associated with the
> trust.While we could shoehorn this into the user
> object, I am not sure that there is an intuitive way
> to implement it in LDAP.
>
> I see three choices.
>
> 1. Leave the Trusts in the identity schema. This has
> the nice effect of keeping the user-ids as foreign
> keys. It has the drawback of forcing an LDAP backend
> solution.
> 2. Move the Trusts into the Token backend. This will
> get avoid the issue of LDAP support. It does mean
> that tokens, which is a schema that is high volume,
> read intensive, and populated by short lifespan
> entities, gets mixed with trusts, which is low volume,
> and long lived.
> 3. Move it into its own backend. This seems a little
> heavy weight.
>
>
> Thoughts?
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20121129/be0a47a5/attachment.html>
More information about the OpenStack-dev
mailing list