[openstack-dev] [keystone] naming case sensitive or not?

Dolph Mathews dolph.mathews at gmail.com
Fri Mar 29 14:43:48 UTC 2013


On Fri, Mar 29, 2013 at 12:02 AM, Samuel Merritt <sam at swiftstack.com> wrote:

> On 3/28/13 8:06 AM, Dolph Mathews wrote:
>
>> That's basically up to the identity driver in use -- for example, with
>> the SQL driver, if your database is case sensitive, then keystone will
>> be as well.
>>
>
> That raises an interesting question about authorization with Keystone.
>
> In Swift, we have container ACLs that are of one of three* forms:
>
> (A) tenant_name:user_id
> (B) tenant_id:user_id
> (C) *:user_id
>
> Form A is the interesting one here. Let's say I have a container on which
> I have set a read ACL of "CamelCorp:12345". Then, a request comes in, and
> when Swift's keystoneauth middleware** gets called, it sees that the tenant
> name retrieved from Keystone is "Camelcorp" (different case!), and the user
> id is 12345 (a match).
>
> Should that request be allowed or not?
>

Absolutely not -- I didn't mean to suggest that case-insensitivity should
be supported. What I meant to suggest was that if you're seeing
case-insensitivity, something is either misconfigured or broken in
keystone's backend/driver.

As you alluded to the ID examples not being "interesting", it's worth
pointing out that's because IDs are all lowercase anyway (generally
produced by uuid4().hex), so there's not any risk there.

I also wrote some tests to ensure case sensitivity within identity drivers
as I think it's worth being paranoid about:
https://review.openstack.org/#/c/25713/


>
>
> * okay, there's the .r: stuff for referrer-based ACLs, but that's not
> germane to this discussion
>
> ** swift.common.middleware.keystoneauth.KeystoneAuth, for those who
> wish to read the code
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
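The matching rule under discussion, written out as an added example (this is not Swift's keystoneauth middleware, nor Keystone code): a container read ACL holds entries of the three forms Samuel lists, and each entry is compared to the identity Keystone returned using exact, case-sensitive string equality. The `Identity` type, `parse_acl`, and `acl_allows` are names chosen for this illustration; the `.r:` referrer entries are skipped rather than evaluated, since the thread sets them aside.

```python
# Container ACL evaluation modelled on the three forms named in the thread:
#   (A) tenant_name:user_id   (B) tenant_id:user_id   (C) *:user_id
# Added illustration only; not Swift's or Keystone's own code.

from typing import List, NamedTuple, Tuple


class Identity(NamedTuple):
    """What the auth middleware learns about the caller from Keystone."""
    tenant_name: str
    tenant_id: str
    user_id: str


def parse_acl(acl: str) -> List[Tuple[str, str]]:
    """Split a comma-separated ACL string into (left, user_id) pairs.

    Referrer entries (".r:...") are ignored here, as in the thread.
    Anything else without a ':' separator is rejected rather than
    silently treated as a wildcard.
    """
    entries = []
    for item in acl.split(","):
        item = item.strip()
        if not item or item.startswith(".r:"):
            continue
        if ":" not in item:
            raise ValueError("malformed ACL entry: %r" % item)
        left, user_id = item.split(":", 1)
        entries.append((left, user_id))
    return entries


def acl_allows(acl: str, ident: Identity) -> bool:
    """True only if some ACL entry matches the identity exactly.

    All comparisons are plain str equality: "CamelCorp" != "Camelcorp".
    No .lower()/.casefold() is applied, so a mismatch in case on the
    tenant name is a denial, which is the behaviour Dolph confirms.
    """
    for left, user_id in parse_acl(acl):
        if user_id != ident.user_id:
            continue
        if left == "*":                      # form C
            return True
        if left == ident.tenant_id:          # form B
            return True
        if left == ident.tenant_name:        # form A
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the exact scenario from the thread.
    acl = "CamelCorp:12345"
    same_case = Identity("CamelCorp", "t-0001", "12345")   # constructed
    other_case = Identity("Camelcorp", "t-0001", "12345")  # constructed
    print(acl_allows(acl, same_case))   # True
    print(acl_allows(acl, other_case))  # False: tenant name case differs
```

The only decision that matters for the thread's question is in `acl_allows`: the tenant-name comparison is `==` on the raw strings. If an identity backend returned "Camelcorp" for a tenant stored as "CamelCorp", this check denies the request, which is what makes a case-folding backend a misconfiguration to hunt down rather than something the ACL layer should paper over.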