[openstack-dev] [Keystone] Trusts (Preauth) and LDAP

Adam Young ayoung at redhat.com
Fri Nov 30 14:53:33 UTC 2012


On 11/28/2012 11:05 AM, David Chadwick wrote:
> Hi Adam
>
> I have seen your spec and commented on it. This is yet another case of 
> delegation is it not?
OK,  we've had a long discussion on this, and I think I can clarify.

1.  We've used "delegation" to mean many things.  I was using it to mean 
delegation from one Keystone server to another, in a(n) hierarchy. Maybe 
I am showing the effects of my time in the Army, but to me delegation is 
something that goes down from superiod to subordinate.

2.  There are two related Legal terms I considered: Proxy and Trusts.  I 
ruled out the term "Proxy" due to its compete overuse.

3.  Regardless of whether we call it delegation or trust, we are 
discussing the same thing.
 From David Chadwich"

"Keystone is the Delegation Service that handles all the delegations for 
users. It is trusted to ensure that

i) a delegator cannot delegate an attribute he has not already been 
assigned
ii) a delegator cannot delegate once the delegation depth has been consumed
iv) a delegator cannot delegate outside the validity period of his own 
delegation.

In other words, a delegator can only delegate less than (or equal to) 
what he already has, and not more than it. "

I think that is a great prelude to the design discussion.

Right now, a user delegates in a short term fashion using tokens. Once a 
token has been granted to a user, he hands that off to another (service) 
user in order to prove his identity and authorization to perform some 
set of actions.  In addition, since tokens are not scoped to a specific 
endpoint, they are currently passed on from one endpoint to another.  
This is not a secure approach.  If any endpoint along the way is 
compromised, all the tokens in that endpoint are usable against any 
other service that accepts tokens.

So  we limit the scope of tokens to only that single endpoint, and we 
remove the attack.  As a result, we also remove the ability of the 
remote service user  to request additional operations from additional 
remote services on behalf of the original user.  This is a problem that 
the trusts are designed to serve.

A trust is a promise to allow delegation at some point in the future.  
The actual delegation is performed in the token.  The trust is used to 
get the token.

Now,  as far as implementation goes, I would like to propose two phases.

1.  Trusts get implemented today "hard wired" with the attributes that 
are currently exposed in a token:  (trustor) user, tenant, roles, endpoints.
2.  Tokens that get generated from the trusts will look just like normal 
tokens.  They will have an additional field "trustee".  This will allow 
the current consumers of tokens to continue to use a trust token just 
like they do now.

Phase 2.
1.  Modify the token architecture to allow arbitrary sets of attributes.
2.  Modify the trust architecture to specify arbitrary sets of 
attributes to be used in a token.



Regarding my original question, I am going to move the trust driver into 
the token back end.  It has become apparent that this is where it 
belongs, as it has the exact same dependencies and usage patterns as the 
tokens, and it is the Keystone "application specific" data.






>
> regards
>
> David
>
> On 28/11/2012 15:45, Adam Young wrote:
>> I have a very rudimentary Trust  (what I used to call Preauth
>> https://blueprints.launchpad.net/keystone/+spec/trusts) implementation
>> working with the SQL backend for Identity.
>>
>> With LDAP, I am not sure where I would store the trust information. The
>> data for the trust itself is simply the uuid user_ids for the trustor
>> and  trustee and tenant Id.  There is also a table for the roles, and a
>> second table for the endpoints associated with the trust.While we could
>> shoehorn this into the user object, I am not sure that there is an
>> intuitive way to implement it in LDAP.
>>
>> I see three choices.
>>
>> 1.  Leave the Trusts in the identity schema.  This has the nice effect
>> of keeping the user-ids as foreign keys.  It has the drawback of forcing
>> an LDAP backend solution.
>> 2.  Move the Trusts into the Token backend.  This will get avoid the
>> issue of LDAP support.  It does mean that tokens, which is a schema that
>> is high volume, read intensive, and populated by short lifespan
>> entities, gets mixed with trusts, which is low volume, and long lived.
>> 3. Move it into its own backend.  This seems a little heavy weight.
>>
>>
>> Thoughts?
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list