[openstack-dev] [Sahara] Why Sahara request user to give username/password for accessing the job binary in Swift ?

michael mccune msm at redhat.com
Fri Jun 26 12:54:43 UTC 2015

On 06/25/2015 09:54 PM, Li, Chen wrote:
> Thanks for the reply.
> My puzzle here is :
> 	I create containers & objects by my own, why other users can access them ?
> As mentioned in your article[1], the domain " sahara_proxy" is created by user "admin" in project "openstack".
> But I'm working under user "demo" in project "demo", and other people are in other project with other users.

those are good questions Chen.

to address your puzzle, if you create containers/objects in your own 
project then others cannot access them without your credentials. but 
keep in mind that any user in your project can also view those objects.

there are 2 main reasons we created the proxy domain feature

1. increase security. by using proxy domains, sahara is not responsible 
for storing a user's credentials in its database, or distributing them 
to the nodes of the cluster.

2. convenience. when creating several job binaries and data sources you 
will need to enter credentials for each one. this is not necessary with 
the proxy domain usage.

with that being said, it may not be a feature that fits well with your 
usage pattern.

as to the question about "admin" project versus "demo" project, the 
domain is an extra layer of scoping that can be applied to tokens. it 
does not map 1:1 with projects as it is at a different layer than the 
project scoping. so, it is possible to have users from different domains 
accessing the same project, in this case by using trusts.

on the security issue, using proxy users also helps to create another 
layer of separation in the event that an intruder were able to gain the 
credentials stored in sahara or on the cluster nodes.

for example, if not using proxy domains, a user will store their 
credentials in sahara's database to access their objects. if an intruder 
learns this information they will have access to everything that the 
user does. but, if using proxy domains then the only credentials to be 
gained are those of the proxy user which has its permissions limited by 
the trust. additionally the trust will be removed when the job is complete.

i hope this clears things up =)


More information about the OpenStack-dev mailing list