[openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
Ali, Haneef
haneef.ali at hp.com
Fri Feb 1 21:16:15 UTC 2013
Do we really want swift to make ACL decision based on an attribute which may or may not be there( since it is optional)?
Thanks
Haneef
From: Adam Young [mailto:ayoung at redhat.com]
Sent: Friday, February 01, 2013 12:47 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
On 02/01/2013 01:27 PM, Dolph Mathews wrote:
It's not; we dropped it from the list of required attributes, but you can still provide one.
According to GYee's latest submission, it would be in
extra:{email:address}
But we haven;t yet nailed down that proposal
-Dolph
On Fri, Feb 1, 2013 at 11:56 AM, Ali, Haneef <haneef.ali at hp.com<mailto:haneef.ali at hp.com>> wrote:
Are you sure that token contains email-address? I don't see that as required field in user creation in v3.
Thanks
Haneef
-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk<mailto:d.w.chadwick at kent.ac.uk>]
Sent: Friday, February 01, 2013 3:06 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API domains in Swift
Since the token contains the email address of the user, isnt it possible to use this in the ACL?
regards
David
On 23/01/2013 10:23, Alexandra Shulman-Peleg wrote:
> Hi,
>
> I would like to get back to this discussion and specify the exact
> syntax of ACLs that can be used when removing the global uniqueness
> constraint on user names. I wander whether we really need to prefix
> both the project_name and the username with the domain id? Especially,
> since on ACLs we mainly need to properly identify the user and not the project.
> So the notion of a project may not be required in this context? For
> example, in NFSv4 ACLs (also adopted by CDMI) users are identified by
> username at domain. So I wander whether on ACLs, in V3 we can simply
> switch from tenant_id:username to domain_id:username? This seems to
> fulfill the identification requirements and will give a very simple
> solution for the migration of existing v2 customers to private domains
> in V3 - assigning the new domain_id to match the old tenant_id will
> allow preserving all of the stored containers without the need to
> modify the containers' meta data.
>
> Best Regards,
> Alex.
>
>
>
> From: "Yee, Guang" <guang.yee at hp.com<mailto:guang.yee at hp.com>>
> To: OpenStack Development Mailing List
> <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>,
> Date: 11/01/2013 10:31 PM
> Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API
> domains in Swift
> ----------------------------------------------------------------------
> --
>
>
>
> As long as Swift URL stay the same we should be OK. Frankly, there
> aren't any strong arguments for changing it at this point. Whenever we
> remove the globally uniqueness constraint on names, new Swift ACLs
> probably will need to switch over to using namespacing.
>
> domain_name.project_name:domain_name.username
>
> something like that. Existing Swift ACLs should work fine since if the
> given domain is the default (migrated) system domain, auth_token
> middleware should not set the domains headers.
>
>
> Guang
>
>
> -----Original Message-----
> From: David Chadwick [mailto:d.w.chadwick at kent.ac.uk<mailto:d.w.chadwick at kent.ac.uk>]
> Sent: Friday, January 11, 2013 8:36 AM
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [swift] [keystone] Keystone v3 API
> domains in Swift
>
> Hi Chuck
>
> On 11/01/2013 15:59, Chuck Thier wrote:
> > The Tenant_ID is in the URL
> > (https://{SWIFT_IP}/v1/AUTH_{TENANT_ID}/{CONTAINER}/{OBJECT})
> >
> > I think we have beaten this part to death a bit now, as we seem to
> all > agree that we can continue this pattern with the V3 API. The
> one > concern that I still have is how the ACLs will work, and
> weather or > not that will need to change.
> >
> > I'm also curious how the Keystone V3 API will work alongside V2 apis.
>
> My opinion (only, I dont speak for anyone else) is as follows:
>
> 1. A v2 API system has no problems as it is working OK today 2. A v3
> API system only, with domains added, should work OK tomorrow otherwise
> the v3 API has problems 3. So the main point as you say is how do v2
> and v3 systems interwork. I suggest there is an intercept module, say
> in the Keystone pipeline, that knows it is operating in a v2/v3
> environment, and when it receives a v2 request already containing a
> tenant_ID it knows it will comprise domain:project and it can unpack
> it, and give the separate elements to the rest of the V3 code for
> processing as in a v3 system. When the intercept module receives a v2
> request that needs a tenant ID returning to it, it will encode up the
> domain and project as a tenant ID, and return this to the v2 client.
> The v2 client will be blissfully unaware that what it thinks is a
> tenant ID is actually a combination of domain and project.
>
> regards
>
> david
>
>
>
> >
> > --
> > Chuck
> >
> > On Thu, Jan 10, 2013 at 4:16 AM, David Chadwick
> <d.w.chadwick at kent.ac.uk<mailto:d.w.chadwick at kent.ac.uk>>
> wrote:
> >> You have to ask, where does the Swift client get the tenant_Id from?
> Isnt
> it
> >> Keystone? So if Keystone returns project_ID:tenant_Id to swift as
> the >> project_id string, then Swift can continue to use this as if
> nothing has >> changed. Its just a string whose content has no
> meaning to Swift, but whose >> content does have meaning to Keystone.
> The Swift policy simply needs to >> change the value of the tenant_id
> in its policy to the new value and it >> should work the same >> >>
> regards >> >> David >> >> >> On 09/01/2013 20:21, heckj wrote:
> >>>
> >>> Given that domains are a segmentation of projects/tenants, then I
> wouldn't >>> expect to want to change it from a project_id
> representation to anything >>> else.
> >>>
> >>> -joe
> >>>
> >>> On Jan 9, 2013, at 12:13 PM, Chuck Thier <cthier at gmail.com<mailto:cthier at gmail.com>> wrote:
> >>>>
> >>>> Things are always easy, until you start thinking about backwards
> >>>> compatibility. The storage urls for swift with keystone are
> currently >>>> keyed off of the tenant_id (soon to be project_id), so
> you end up with >>>> an endpoint url that looks something like >>>>
> http://{SWIFT_IP}/v1/AUTH_{TENANT_ID} if you change that by adding
> >>>> the domain, then you break any current users in your system, and
> you >>>> can't use v2 and v3 auth contracts simultaneously.
> >>>>
> >>>> --
> >>>> Chuck
> >>>>
> >>>> On Wed, Jan 9, 2013 at 1:37 PM, David Chadwick
> <d.w.chadwick at kent.ac.uk<mailto:d.w.chadwick at kent.ac.uk>> >>>> wrote:
> >>>>>
> >>>>> I would have thought that the solution is conceptually rather
> >>>>> straightforward. If domains can have their own project names and
> >>>>> usernames, >>>>> then you prefix the names with the domain ID
> or domain name to make them >>>>> globally unique again.
> >>>>>
> >>>>> regards
> >>>>>
> >>>>> David
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 09/01/2013 19:14, Yee, Guang wrote:
> >>>>>>
> >>>>>>
> >>>>>> Yes. Swift ACLs <tenant_id>:<user_name>,
> <tenant_id>:<user_name>, and >>>>>> *:<user_name> will be impacted if
> project (formely tenant) name and >>>>>> user >>>>>> name are no
> longer globally unique. We'll need to figure out a >>>>>> migration
> >>>>>> path before relaxing that constraint.
> >>>>>>
> >>>>>>
> >>>>>> Guang
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Chuck Thier [mailto:cthier at gmail.com<mailto:cthier at gmail.com>] >>>>>> Sent:
> Wednesday, January 09, 2013 10:48 AM >>>>>> To: OpenStack Development
> Mailing List >>>>>> Subject: Re: [openstack-dev] [swift] [keystone]
> Keystone v3 API domains >>>>>> in >>>>>> Swift >>>>>> >>>>>> Se
> responses inline:
> >>>>>>
> >>>>>> On Wed, Jan 9, 2013 at 4:01 AM, Henry Nash
> <henryn at linux.vnet.ibm.com<mailto:henryn at linux.vnet.ibm.com>> >>>>>> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>> So there are a couple of issues intertwined in this thread:
> >>>>>>>
> >>>>>>> 1) Uniqueness of identifiers in Swift given the keystone
> Identity v3 >>>>>>> api.
> >>>>>>> This is the issue of whether Swift uses tenant names (now
> called >>>>>>> project >>>>>>> names) at all to uniquely identify
> any objects - if it did, then it >>>>>>> would >>>>>>> need to also
> consider storing a domain name or id. From the >>>>>>> discussion,
> >>>>>> >>>>>> >>>>>> it >>>>>>> >>>>>>> >>>>>>> sounds like
> tenant/project ID is used instead, which (from a >>>>>>> uniqueness
> >>>>>>> point of view) is fine. A separate issue exists needs to be
> discussed >>>>>>> around swift ACLs and whether username potentially
> becoming unique >>>>>>> only >>>>>>> within a domain will have an
> impact.
> >>>>>>>
> >>>>>>
> >>>>>> For AuthN, you are correct, in that it only relies on
> tenant/project >>>>>> ID. So, nothing has to be changed from that
> perspective. AuthZ is a >>>>>> little more tricky. For ACLs with
> keystone, they are set as >>>>>> TENANT:USER in any of the following
> patterns:
> >>>>>>
> >>>>>> *:user_name - that user from any tenant has access >>>>>>
> tenant_id:user_name - that user from that tenant id has access >>>>>>
> tenant_name:user_name - that user from that tenant name has access
> >>>>>> >>>>>> If project_name will not be unique in v3, then the
> >>>>>> tenant_name:user_name format may have to be deprecated.
> >>>>>>
> >>>>>> I would be interested to hear from providers that are using
> keystone >>>>>> with swift and hear which of the above use cases they are using.
> >>>>>>
> >>>>>>
> >>>>>>> 2) Given that keystone identity v3 domains are likely to be
> usually >>>>>>> used >>>>>> >>>>>> >>>>>> to >>>>>>> >>>>>>>
> >>>>>>> represent an enterprise (or "account holder" in common cloud
> >>>>>>> terminology) >>>>>>> and contain the collection of projects
> owned by that enterprise, is it >>>>>>> important for Swift to have
> that domain knowledge? Will there be >>>>>> >>>>>> >>>>>>
> operations >>>>>>> >>>>>>> >>>>>>> either within swift (or more
> likely layered on top of swift) that need >>>>>> >>>>>> >>>>>> that
> >>>>>>> >>>>>>> >>>>>>> information? E.g. How would someone layer a
> billing engine on top of >>>>>> >>>>>> >>>>>> swift >>>>>>>
> >>>>>>> >>>>>>> that could collate all the swift containers that were
> part of one >>>>>>> domain?
> >>>>>>> Obviously that engine could call keystone with each
> project_id in turn >>>>>>> and >>>>>>> find the domain_id.....but
> that sounds pretty inefficient.
> >>>>>>>
> >>>>>>
> >>>>>> As is, containers can already be collated for a given
> tenant/project >>>>>> id. The containers for a domain is then an
> aggregate of the project >>>>>> ids associated to that domain.
> >>>>>>
> >>>>>> I think the default should be that domains are not mapped in swift.
> I
> >>>>>> believe that this will also be required to facilitate
> backwards >>>>>> compatibility, which brings up another interesting
> question -- Is >>>>>> there an expectation that people will be able
> to run keystone auth >>>>>> v2.0 and v3.0 side by side?
> >>>>>>
> >>>>>> --
> >>>>>> Chuck
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OpenStack-dev mailing list
> >>>>>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org> >>>>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OpenStack-dev mailing list
> >>>>>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org> >>>>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> OpenStack-dev mailing list
> >>>>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org> >>>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OpenStack-dev mailing list
> >>>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org> >>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> OpenStack-dev mailing list
> >>> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org> >>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> [attachment "smime.p7s" deleted by Alexandra Shulman-Peleg/Haifa/IBM]
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130201/c013d456/attachment.html>
More information about the OpenStack-dev
mailing list