[openstack-dev] [Keystone] V3 auth API design input
Adam Young
ayoung at redhat.com
Fri Jan 25 02:34:14 UTC 2013
Wrote really long answer to this, and then realized I missed the
point. Lets talk soon, ou raise some interesting ideas, but I have a
lot of short term goals I need to get through before I can give you my
undivided attention.
On 01/24/2013 06:37 PM, Matt Joyce wrote:
> A thought about tokens and cloud
> =========================
>
> Below is a quick thought I've been mulling over on and off in my free
> time. It relates to how we build authentication structures for use
> inside of the cloud.
>
>
> The Dream
> ========
>
> Imagine if you will an alternate future:
>
> I spin up an instance on my openstack cloud. I do NOT inject a key.
> I instead try to log in directly using my keystone credentials (
> whatever they may be, maybe two factor? ). This means that cloud
> providers can cut perms on running instances remotely with simple
> changes to keystone or backend authentication systems. They can also
> allow users to begin to login to systems they previously did not have
> access to without sharing keys or injecting anything into those
> instances. In short this gets us non suck ACL control on instances
> from keystone.
>
> Some folks will point out this is not cross cloud friendly. It's
> totally not. And maybe IAM is the solution for that. But maybe we'll
> need this for real IAM support.
>
> The history
> ========
>
> A long while back I tried to build pam authentication services for
> keystone. This was a great idea that resulted in terrible failure.
>
> The fundamental problem I ran into basically stems from all ssh
> clients wanting to perform an getpwnam() on a user requesting to
> authenticate BEFORE handing auth creds off to PAM.
>
> In short, if the instance can't query by user name for posix schema
> information ( uid, gid, home_dir, etc ) BEFORE any authentication
> query can occur the authentication will fail. And there is just no
> way around that without modifying the way ssh works. Which is
> probably never going to happen as the radius folks have tried and
> failed for years to do so.
>
> So what we need is an NSS ( Name Switch Service ) access to keystone.
>
> I mean sure, if you backend to LDAP and allow anonymous read queries
> from your instance network space, you can just use the nss module to
> ldap. However that's not very portable between openstack clouds. And
> it means building administrative utilities for LDAP in addition to
> openstack.
>
> But the problem becomes more fundamental when you consider the issue....
>
> The problem
> =========
>
> This got me to thinking about the fundamental nature of cloud
> instances and performing any sort of elevated permissions query or
> unauthenticated query to our APIs. We need a service ticket
> functionality but we can't protect anything we place on instances.
>
> However instances can be fully qualified as part of the cloud. You can
> in effect tie a token to an instance and ensure that when the token is
> used it's being used on an instance it's intended for. Do we want
> that? What does it get us REALLY?
>
> Then there's single use tokens... do they get used once and die? do
> they only allow for a reduced set of queries? can there bet a
> getpwnam only token?
>
> In effect the issue we face is a very complex one. I don't think we
> should try to solve every problem, but we will want a token structure
> that is flexible as we can possibly make it. Because there's a good
> chance we'll end up running in a few different directions before we
> settle on something we like. And I don't want use to be revisiting
> token structure in v4 api.
>
> Token Structure
> ============
>
> looking at the straw man...
>
> {
> user : { id, other user specific attributes },
> domain : {id},
> project : { roles [role ids]},
> auth_mechanisms[],
> services:[
> compute: [https://nova/endpoint],
> identity: [https://keystone/endpoint],
> ...
> ]
> }
>
> We'll want for the user attributes to be expandable to include things
> like posix schema... or windows domain schema... or who knows.
>
> Domain ID works for me... but I am a fan of comment fields that can be
> NULL but also be there in case someone wants to send some extra info
> down the line.
>
> projects... an interesting question.
>
> I think the multiple token spanning token is... interesting. I think
> roles could be an answer for some of the ACL control for a token...
> but i have not trodden that path yet.
>
> projects : [{ id: id1, roles [role1, role2]}, { id: id2, roles [role1,
> role3]},
>
> service identifiers are great. again you may want to make internal vs
> public url tokens that are idenfitied as such on the backend... with a
> quick identifier on the front end just to let you know they are?
>
> I think also on the backend allowing a token to be reserved for use
> with a specific instance id and a means to verify that instance id is
> the query origin.
>
> I think that matters.
>
> Also the question for external queries becomes an issue. What happens
> when i need to make a query from outside to the publicurl by nest some
> internal query structure? No idea if we'd ever need to... but it's
> good to leave an area to plug something in if we need it.
>
>
> Conclusion
> ========
>
> I don't have one.
>
> Just a few thoughts. And I think they can help.
>
> -Matt
>
>
>
> On Thu, Jan 24, 2013 at 7:03 AM, Adam Young <ayoung at redhat.com
> <mailto:ayoung at redhat.com>> wrote:
>
> On 01/24/2013 04:06 AM, David Chadwick wrote:
>
>
>
> On 24/01/2013 00:50, Adam Young wrote:
>
>
> By the way, introducing holder of key into tokens
> solves the bearer
> problem and does not require SSL/TLS. What it requires
> is simply that
> the client signs the message containing the token with
> the key and
> includes a nonce/timestamp in the signed message so
> that the recipient
> can validate that the user is the holder of the token
> and the token
> has not been replayed.
>
> Are you saying that the whole web requests would then be
> signed? Yes,
> that would work, and would be very effecient, but it would
> require
> extending all of the HTML aware parts to allow for
> signatures. I think
> that would be a very valuable extension.
>
>
> The body of the POST needs to be signed. This does not stop a
> MITM, but then neither does SSL if you have a forged cert in
> the name of the sender.
>
> David
>
>
> Just thinking this through:
>
> Keystone still is the authority on keys and signing, so I think
> this might actually prevent a man-in-the-middle attack. The key
> signed in the token is the one used to sign the message. The
> token is signed by the keystone server. The token is
> authenticated against keystone. So a man in the middle either
> has to try to use the secret key associated with the public key
> from the token, which they won't have access to, or they have to
> inject their own key.
>
> If they inject their own key, they need to get a new token. Which
> means they would need to convince Keystone that they are the
> original user, and that keystone should sign a different key.
> That is a pretty high barrier to overcome.
>
>
> Am I missing something?
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130124/1a8f825c/attachment.html>
More information about the OpenStack-dev
mailing list