[openstack-dev] [keystone] on-behalf-of proxy identities for applications running in-instance

heckj heckj at mac.com
Wed Oct 10 14:34:07 UTC 2012


On Oct 10, 2012, at 7:11 AM, Eoghan Glynn <eglynn at redhat.com> wrote:
>> On 10/10/2012 06:26 AM, Eoghan Glynn wrote:
>>> Folks,
>>> 
>>> One to think about in advance of any keystone roadmap discussions
>>> at the summit ...
>>> 
>>> As we build out the infrastructure, it's likely there will be more
>>> and more cases where applications running on instances will need
>>> to access openstack services securely (for example to use a
>>> notification, or queueing, or metrics service).
>> 
>> So this was along the lines of what I discussed with the Heat team.
>> When
>> heat runs, it is going to run as a specific user, and, more
>> importantly, in a constrained project (tenant).
>> I could see using the project as the analogue for the end-point, and
>> then the "constrained user" is a user with a constrained role within
>> a
>> project.
>> 
>> I could see a setup where, for High Availability (HA),  there is a
>> project for the set of resources assigned to the HA grouping.  Then,
>> a worker user account has limited abilities within that project:
>> migrate VM from one machine to another.  In addition, that same worker user
>> account is granted some minimal role inside the project that owns the
>> virtual machine.  Lets call that user account WORKER and the real
>> person originator REAL.    REAL then would create a pre-auth  for WORKER.
>> If some action needs to be done by WORKER as REAL,  WORKER makes a call
>> to Keystone to get a token associated with the pre-auth.
> 
> Thanks for the response Adam,
> 
> So the piece I'm missing is how the capabilities of WORKER can be
> constrained to be a small subset of REAL's capabilities, without
> lots of admin intervention.
> 
> In the example above, if we want WORKER to be allowed to do live
> migration, but not any other admin actions, then we'd need to
> extend nova's policy.json file changing:
> 
>  "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]]
> 
> to something like:
> 
>  "compute_extension:admin_actions:migrateLive": [["rule:admin_api"],
>                                                  ["role:WORKER_ROLE"]],
> 
> (excuse the possibly wrong syntax there) and then role that change out
> across the fleet of nova-api hosts. Unless we pre-annotate the policy.json
> with lots of fine-grained roles, one per action or small group of related
> actions.
> 
> Also I'm not sure how we could recover the original identity (REAL) from
> the on-behalf-of proxy (WORKER).

Hey Eoghan, 

you're absolutely right - we don't have a nailed down mechanism to support this 
sort of thing, but I've been leaning towards using the PKI mechanisms to evolve 
into supporting signing a token so that we can write a policy rule that says "yeah, 
this request came from the user, and it was also approved/looked over by Service X
 (Heat, glance, whatever).

That policy mechanism extension would then be an "AND" around an 
"auth_token_signed_by" kind of thing.


> Cheers,
> Eoghan
> 
>>> 
>>> It would be great if keystone provided support for provisioning
>>> some form of proxy identity to instances that would allow the apps
>>> running in-instance to make API calls on behalf of the instance
>>> owner, within some constraints (on the services that may be invoked
>>> on).
>>> 
>>> Similar, basically, to the flexibility that AWS IAM roles provide
>>> currently.
>>> 
>>> I don't know if this is even feasible within the current set of
>>> keystone capabilities and the fairly static policy.json setup.
>>> However, if it is do-able, it might be a good feature to discuss
>>> for future roadmap consideration.
>>> 
>>> Cheers,
>>> Eoghan
>>> 
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list