[openstack-dev] [OSSG] [keystone] Trusts: delegation and impersonation

Dolph Mathews dolph.mathews at gmail.com
Thu Mar 14 18:59:17 UTC 2013


This is a feature that just landed in Grizzly which could certainly use
some extra security-focused eyes.

There are two use cases being addressed:

1) Scoped role delegation with optional impersonation: "I trust user X to
perform role Y on project Z, optionally for some duration of time, and
optionally while impersonating me."
2) Impersonation: "I trust user X to impersonate me, optionally for some
duration of time."

In short, a trust is created by a trustor; the trustee must first
authenticate as themselves, and then may consume the trust by specifying
its ID (which is not necessarily a secret); the trustee then receives a
token with the project and associated roles as specified by the trustor;
the generated token may also reflect the trustor's identity instead of the
trustee's (but will contain an impersonation flag to indicate this behavior).
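To make the consumption flow above concrete, here is an added model of the checks (example code, not keystone's own implementation): the names Trust, redeem_trust and the sample users are assumptions, and the "trustor still holds the delegated roles" check is an assumption about a sane implementation, not something this mail states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

class TrustError(Exception):
    """Raised when a trust cannot be consumed."""

@dataclass(frozen=True)
class Trust:
    trust_id: str            # not a secret: knowing it must not be enough
    trustor_user_id: str     # who delegates
    trustee_user_id: str     # who may consume the trust
    project_id: str
    roles: FrozenSet[str]    # roles delegated on project_id
    impersonation: bool      # token carries the trustor's identity if True
    expires_at: Optional[datetime] = None

def redeem_trust(trust: Trust, authenticated_user_id: str,
                 trustor_roles_on_project: FrozenSet[str], now: datetime) -> Dict:
    """Return the token the trustee receives, or raise TrustError."""
    # The trustee authenticated as themselves first; the trust ID alone
    # grants nothing to anyone who is not the named trustee.
    if authenticated_user_id != trust.trustee_user_id:
        raise TrustError("caller is not the trustee of this trust")
    # Optional lifetime: a trust past its expiry is inert.
    if trust.expires_at is not None and now >= trust.expires_at:
        raise TrustError("trust has expired")
    # Assumption (not stated in the mail): never hand out roles the trustor
    # no longer holds on the project, so a revoked trustor cannot delegate.
    missing = trust.roles - trustor_roles_on_project
    if missing:
        raise TrustError("trustor no longer holds: " + ", ".join(sorted(missing)))
    return {
        # With impersonation the token reflects the trustor's identity ...
        "user_id": trust.trustor_user_id if trust.impersonation else trust.trustee_user_id,
        "project_id": trust.project_id,
        "roles": sorted(trust.roles),
        # ... but the token always records that it came from a trust.
        "trust": {"id": trust.trust_id,
                  "trustor_user_id": trust.trustor_user_id,
                  "trustee_user_id": trust.trustee_user_id,
                  "impersonation": trust.impersonation},
    }

# Constructed sample: alice delegates "member" on project p1 to bob for one hour.
NOW = datetime(2013, 3, 14, 19, 0, tzinfo=timezone.utc)
SAMPLE_TRUST = Trust("t-123", "alice", "bob", "p1", frozenset({"member"}),
                     impersonation=True, expires_at=NOW + timedelta(hours=1))
ALICE_ROLES = frozenset({"member", "admin"})

def demo() -> Dict:
    return redeem_trust(SAMPLE_TRUST, "bob", ALICE_ROLES, NOW)
```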

The original blueprint [1] outlines the goal of the feature and contains
links to relevant patches. The Identity API v3 specification contains a
fairly thorough overview of the final concept [2] along with examples for
each of the related API calls [3]. The implementation is mostly housed in
the keystone.trust package [4], although it also affects both the v3 and v2
auth flows, in the keystone.auth [5] and keystone.token [6] packages,
respectively.

[1]: https://blueprints.launchpad.net/keystone/+spec/trusts

[2]:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#trusts

[3]:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#trusts-1

[4]: https://github.com/openstack/keystone/tree/master/keystone/trust

[5]: https://github.com/openstack/keystone/tree/master/keystone/auth

[6]: https://github.com/openstack/keystone/tree/master/keystone/token

Thanks for all your hard work, Adam!

-Dolph