[openstack-dev] [magnum][keystone] clusters, trustees and projects

Lance Bragstad lbragstad at gmail.com
Mon Feb 26 15:45:35 UTC 2018



On 02/26/2018 10:17 AM, Ricardo Rocha wrote:
> Hi.
>
> We have an issue on the way Magnum uses keystone trusts.
>
> Magnum clusters are created in a given project using Heat, and require
> a trust token to communicate back with OpenStack services - there is
> also integration with Kubernetes via a cloud provider.
>
> This trust belongs to a given user, not the project, so whenever we
> disable the user's account - for example when a user leaves the
> organization - the cluster becomes unhealthy as the trust is no longer
> valid. Given the token is available in the cluster nodes, accessible
> by users, a trust linked to a service account is also not a viable
> solution.
>
> Is there an existing alternative for this kind of use case? I guess
> what we might need is a trust that is linked to the project.
This was proposed in the original application credential specification
[0] [1]. The problem is that you're sharing an authentication mechanism
with multiple people when you associate it to the life cycle of a
project. When a user is deleted or removed from the project, nothing
would stop them from accessing OpenStack APIs if the application
credential or trust isn't rotated out. Even if the credential or trust
were scoped to the project's life cycle, it would need to be rotated out
and replaced when users come and go for the same reason. So it would
still be associated to the user life cycle, just indirectly. Otherwise
you're allowing unauthorized access to something that should be protected.

If you're at the PTG - we will be having a session on application
credentials tomorrow (Tuesday) afternoon [2] in the identity-integration
room [3].

[0] https://review.openstack.org/#/c/450415/
[1] https://review.openstack.org/#/c/512505/
[2] https://etherpad.openstack.org/p/application-credentials-rocky-ptg
[3] http://ptg.openstack.org/ptg.html
>
> I believe the same issue would be there using application credentials,
> as the ownership is similar.
>
> Cheers,
>   Ricardo
>
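The two failure modes discussed above (a cluster's trust dying with its trustor, and a project-scoped credential outliving the people who could have read its secret) can be audited offline. The following is an added example, not Magnum or Keystone code and not from either poster; the trust, cluster, user and credential records are constructed to resemble what `openstack trust list`, `openstack coe cluster list` and `openstack application credential list` expose, and the membership-removal events are assumed to come from Keystone's audit notifications. It also assumes Keystone's documented behaviour that a trust-scoped token is only issued while the trustor is enabled and still holds the delegated roles in the project.

```python
"""Audit Keystone trusts and shared project credentials against user
lifecycle events (added example; records below are constructed)."""

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Trust:
    id: str
    trustor_user_id: str    # user whose rights are delegated
    trustee_user_id: str    # identity that redeems the trust (the cluster)
    project_id: str


@dataclass(frozen=True)
class Cluster:
    name: str
    project_id: str
    trust_id: str           # trust Magnum handed to the cluster nodes


@dataclass(frozen=True)
class User:
    id: str
    enabled: bool
    projects: frozenset     # projects the user currently holds roles in


@dataclass(frozen=True)
class SharedCredential:
    id: str
    project_id: str
    created_at: datetime    # when its secret was last issued or rotated


@dataclass(frozen=True)
class MembershipRemoval:
    user_id: str
    project_id: str
    at: datetime


def broken_trusts(clusters, trusts, users):
    """Clusters whose trust can no longer yield a token: the trustor is
    disabled/deleted or has left the cluster's project (assumption: Keystone
    re-checks the trustor on every trust-scoped token request)."""
    trusts_by_id = {t.id: t for t in trusts}
    users_by_id = {u.id: u for u in users}
    findings = {}
    for c in clusters:
        t = trusts_by_id.get(c.trust_id)
        if t is None:
            findings[c.name] = "trust missing"
            continue
        u = users_by_id.get(t.trustor_user_id)
        if u is None or not u.enabled:
            findings[c.name] = f"trustor {t.trustor_user_id} disabled or deleted"
        elif c.project_id not in u.projects:
            findings[c.name] = f"trustor {t.trustor_user_id} left project {c.project_id}"
    return findings


def credentials_needing_rotation(creds, removals):
    """A credential tied to the project's life cycle still has to be rotated
    whenever someone who could have read its secret leaves the project.
    Returns {credential_id: user who left after it was last issued}."""
    latest = {}
    for r in removals:
        if r.project_id not in latest or r.at > latest[r.project_id].at:
            latest[r.project_id] = r
    stale = {}
    for c in creds:
        r = latest.get(c.project_id)
        if r is not None and c.created_at < r.at:
            stale[c.id] = r.user_id
    return stale


# Constructed sample data: alice is active, bob was disabled on leaving,
# carol kept her account but was removed from project p1 on 2018-02-01.
USERS = [
    User("alice", True, frozenset({"p1"})),
    User("bob", False, frozenset({"p1"})),
    User("carol", True, frozenset()),
]
TRUSTS = [
    Trust("t-alice", "alice", "magnum-svc", "p1"),
    Trust("t-bob", "bob", "magnum-svc", "p1"),
    Trust("t-carol", "carol", "magnum-svc", "p1"),
]
CLUSTERS = [
    Cluster("k8s-a", "p1", "t-alice"),
    Cluster("k8s-b", "p1", "t-bob"),
    Cluster("k8s-c", "p1", "t-carol"),
    Cluster("k8s-d", "p1", "t-gone"),   # trust deleted out from under it
]
UTC = timezone.utc
CREDS = [
    SharedCredential("appcred-1", "p1", datetime(2018, 1, 1, tzinfo=UTC)),
    SharedCredential("appcred-2", "p1", datetime(2018, 2, 15, tzinfo=UTC)),
    SharedCredential("appcred-3", "p2", datetime(2018, 1, 1, tzinfo=UTC)),
]
REMOVALS = [MembershipRemoval("carol", "p1", datetime(2018, 2, 1, tzinfo=UTC))]

if __name__ == "__main__":
    for name, why in broken_trusts(CLUSTERS, TRUSTS, USERS).items():
        print(f"cluster {name}: {why}")
    for cred, who in credentials_needing_rotation(CREDS, REMOVALS).items():
        print(f"rotate {cred}: {who} left the project after it was issued")
```

Running it on the constructed data reports `k8s-b`, `k8s-c` and `k8s-d` as unhealthy-to-be and `appcred-1` as needing rotation because carol left p1 after it was issued; `appcred-2` was issued after the removal and is fine. The second check is the operational consequence of Lance's point: moving the credential to the project's life cycle does not remove the rotation step, it only changes what triggers it.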

