[openstack-dev] [Openstack] [Keystone] Help extending Keystone JSON documents with custom attributes, safe?
Phillip Guerin
pguerin at sandvine.com
Thu May 22 13:29:41 UTC 2014
To be a bit more succinct, if I PATCH existing Keystone JSON documents (projects, roles, users, etc) with my own custom JSON attributes, can I expect this to be a safe practice?
Meaning, I'd like to add my own custom attributes and be able to query them back at a later time when I look up the user or verify the authentication token.
Is this a behavior that we can count on working in the future?
If it is an appropriate way to add the metadata we want, are there naming conventions we must preserve in our custom attributes to avoid name collisions in the future?
Thank you very much for your time, help, and consideration,
-PG
-----Original Message-----
From: Phillip Guerin
Sent: Thursday, May 15, 2014 4:16 PM
To: 'openstack at lists.openstack.org'
Subject: [Openstack] [Keystone] Extending Keystone JSON documents with custom attributes, safe?
Hello,
We're working on a project that uses a REST interface that exposes a set of APIs to our internal systems. We'd like to leverage the Keystone data models for our own fine grained authorization by adding our own custom attributes to Keystone 'projects', 'users', etc.
For example:
"user": {
"domain": {
"id": "1789d1",
"links": {
"self": "http://identity:35357/v3/domains/1789d1"
},
"name": "example.com"
},
"id": "0ca8f6",
"links": {
"self": "http://identity:35357/v3/users/0ca8f6"
},
"name": "Joe"
--------------------------------------------------------------------------------
"sandvine": {
"authorization": {
"requests": ["url", "url?fields=a,b,c"]
"attributes": {
"obfuscation": ["attr1"]
}
}
"accounting": {
}
}
--------------------------------------------------------------------------------
}
While I've done some simple tests and it essentially works, is this procedure of PATCHing Keystone user/role/etc... documents acceptable practice from your point of view?
Is this a behaviour that we can count on working in the future?
If it is an appropriate way to add the metadata we want, are there naming conventions we must preserve in our custom attributes to avoid name collisions in the future?
While this works on the direct objects I update, I don't see my custom fields when I verify the associated user token. Meaning, I can add my own attributes to 'user', but when I verify the token, I only see a subset of the 'user' attributes in the response payload. I don't see my own custom attributes and I don't see the 'links' attribute either. Whereas when I do a GET on the 'user' I just PATCHed, I see 'links' and my own custom attributes as well.
Is this by design, or am I potentially missing something in my token verification request or configuration that would return the full data model associated with the token?
- My work flow is to create a user, PATCH the user, GET the user to
confirm, then GET the token to ensure the PATCHed data has been
associated to it. I see changes to pre-existing Keystone attributes
when I GET the token, I just don't see my custom additions.
If this isn't appropriate, is there an alternative method to add custom metadata to elements in the data model (users/roles/etc..)?
For example, we've also considered building a single nested JSON document and serializing that into the 'blob' section of the 'policy'
attribute.
Our service is not an Openstack service, so we cannot take advantage of writing policy to handle fine grained authorization of the APIs we're exploring through our own REST interface. The above is how we're trying to bridge that gap.
Thanks a lot for your time and feedback!
Phillip Guerin
Software Engineer
+1-519-572-4668
skype: phillip.guerin
More information about the OpenStack-dev
mailing list