[openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

Zane Bitter zbitter at redhat.com
Fri Aug 22 21:35:38 UTC 2014

Here's an interesting fact about Zaqar (the project formerly known as 
Marconi) that I hadn't thought about before this week: it's probably the 
first OpenStack project where a major part of the API primarily faces 
software running in the cloud rather than facing the user.

That is to say, nobody is going to be sending themselves messages on 
their laptop, from their laptop, via a cloud. At least one end of any 
given queue is likely to be on a VM in the cloud.

That makes me wonder: how does Zaqar authenticate users who are sending 
and receiving messages (as opposed to setting up the queues in the first 
place)? Presumably using Keystone, in which case it will run into a 
problem we've been struggling with in Heat since the very early days.

Keystone is generally a front end for an identity store with a 1:1 
correspondence between users and actual natural persons. Only the 
operator can add or remove accounts. This breaks down as soon as you 
need to authenticate automated services running in the cloud - in 
particular, you never ever want to store the credentials belonging to an 
actual natural person in a server in the cloud.

Heat has managed to work around this to some extent (for those running 
the Keystone v3 API) by creating users in a separate domain and more or 
less doing our own authorisation for them. However, this requires action 
on the part of the operator, and isn't an option for the end user. I 
guess Zaqar could do something similar and pass out sets of credentials 
good only for reading and writing to queues (respectively), but it seems 
like it would be better if the user could create the keystone accounts 
and set their own access control rules on the queues.

On AWS the very first thing a user does is create a bunch of IAM 
accounts so that they virtually never have to use the credentials 
associated with their natural person ever again. There are both user 
accounts and service accounts - the latter IIUC have 
automatically-rotating keys. Is there anything like this planned in 
Keystone? Zaqar is likely only the first (I guess second, if you count 
Heat) of many services that will need it.

I have this irrational fear that somebody is going to tell me that this 
issue is the reason for the hierarchical-multitenancy idea - fear 
because that both sounds like it requires intrusive changes in every 
OpenStack project and fails to solve the problem. I hope somebody will 
disabuse me of that notion in 3... 2... 1...


More information about the OpenStack-dev mailing list