[OpenStack-Infra] Refstack workflow discussion. Using OpenstackID as auth provider for application with Web UI and CLI client

Jimmy McArthur jimmy at tipit.net
Thu Apr 23 20:07:00 UTC 2015


Thank you for a really interesting discussion. You can code something and
think you planned for everything, but there is always a corner case to keep
you in check! I think adding ppk is a fine idea, but definitely something
that needs to be custom developed and thought through. Hopefully the lack
of it won't be a blocker for refstack.

Thanks,
Jimmy McArthur <jimmy at tipit.net>
512.965.4846


On Apr 23, 2015, at 2:58 PM, Sergey Slypushenko <sslypushenko at mirantis.com>
wrote:

It is interesting that it is possible to receive an OpenID token just with
curl and a parser. In any case, for successful authorization with curl you
would have to put OpenID credentials in the CLI. That requires deep trust in our
application (which we actually don't have). We try to avoid that kind
of issue.

We decided to change authorization with OpenID creds to auth with pubkeys
for the CLI client. That is the single reason why refstack needs pubkey
management. So we are not discussing here how to manage pubkeys with
OpenStackID. I mentioned pubkeys only as an alternative for CLI auth. It
would be great if some other appropriate alternative existed.

On Thu, Apr 23, 2015 at 7:43 PM, Jimmy Mcarthur <jimmy at tipit.net> wrote:

> No question openID and oAuth are meant as web solutions. OpenStackID was
> designed for integration, authentication, and data auth for OpenStack web
> projects. Leaving public key auth aside for a moment, it's still possible
> with curl and a parser to authenticate from the command line by posting to
> openID, receiving a token, then posting back to oAuth for authorization.
> Maybe it's not pretty, but it's working within the confines of OpenStackID
> as it exists.
>
> Whether we could/should talk about adding ppk to OpenStackID is probably a
> separate discussion that should be had. One which you've started here:
> http://lists.openstack.org/pipermail/openstack-infra/2015-April/002673.html
>
> IMO, it would be best to work within the existing system, even if it's a
> bit cumbersome, and discuss how we can improve or change OpenStackID once
> we get additional community input on the need for ppk.
>
> Sergey Slypushenko wrote:
>
> Thanks for bringing our discussion back to the mailing list.
>
> The hardest use case here is providing access to some private resources
> from the CLI client without using any GUI tools. As you understand, a CLI
> tool cannot pass through the common OpenID auth procedure without
> workarounds (like opening a browser, for example). Also, I think that passing
> user creds in the CLI client isn't an appropriate solution either.
>
> Using key pairs for auth from the CLI looks like a good solution, because no
> sensitive information is shared in this case. Also it should be
> pretty secure. For me, the main disadvantage of this kind of auth is that it
> is not implemented in the OpenID/oAuth workflow (or I don't know about that).
> Maybe I am missing something about OpenID/oAuth?
>
> On Wed, Apr 22, 2015 at 11:28 PM, Jimmy McArthur <jimmy at tipit.net> wrote:
>
>> Sergey,
>>
>>> It looks like this mailing thread is broken. I didn't receive your
>>> response.
>>>
>>
>> I think a lot of the responses aren't getting through b/c the Infra list
>> was dropped from the discussion. I think it's important to have this
>> discussion on a public forum, so adding back in.
>>
>>>
>>> We thought about using tokens generated by OpenstackID, but I didn't
>>> find how a CLI client can get that kind of token.
>>> If you know how to get an oAuth token from a CLI tool, please share it with
>>> me.
>>>
>>
>> At the moment, we have not implemented that oauth2 workflow:
>> https://tools.ietf.org/html/rfc6749#section-4.3 There are some security
>> concerns about passing credentials:
>>
>>    The resource owner password credentials grant type is suitable in
>>    cases where the resource owner has a trust relationship with the
>>    client, such as the device operating system or a highly privileged
>>    application.  The authorization server should take special care when
>>    enabling this grant type and only allow it when other flows are not
>>    viable.
>>
>>
>> As you can see, this is doable, but not something we'd prefer for
>> security reasons. Perhaps if you could clarify the use case? Maybe with a
>> bit more information, we could understand why you need to get a token for
>> the CLI app. It feels like this is still a desire to use oauth2 for some
>> type of authentication.
>>
>>
>> --
>> Jimmy McArthur / Tipit.net <http://tipit.net/> <jimmy at tipit.net>
>> 512.965.4846
>>
>>
>>> On Mon, Apr 20, 2015 at 6:49 PM, Sergey Slypushenko <
>>> sslypushenko at mirantis.com> wrote:
>>>
>>>> Jimmy,
>>>>
>>>> Thank you for your comment! That diagram was kind of outdated. I have
>>>> updated it already.
>>>>
>>>> We are planning to use OpenID for authentication and we have been
>>>> already working on it.
>>>>
>>>> Regards,
>>>> Sergey
>>>>
>>>>
>>>>
>>>> On Mon, Apr 20, 2015 at 6:30 PM, Jimmy McArthur <jimmy at tipit.net>
>>>> wrote:
>>>>
>>>>> Sergey,
>>>>>
>>>>> The biggest thing that stands out is the lack of authentication
>>>>> through OpenID. It appears that you're still authenticating through oAuth2,
>>>>> which is against security best practices and not how OpenStackID is
>>>>> designed. For a primer on the difference and why it's set up this way:
>>>>> http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
>>>>> (forgive the title, but it does a nice job of illustrating the issue)
>>>>>
>>>>> I'm adding Sebastian here to chime in on potential technical details
>>>>> and the possibility of setting up your own resource server. The important
>>>>> thing though is to follow the steps outlined in the OpenStackID
>>>>> documentation for proper authentication.
>>>>>
>>>>> --
>>>>> Jimmy McArthur / Tipit.net <jimmy at tipit.net>
>>>>> 512.965.4846
>>>>>
>>>>>
>>>>> On Thu, Apr 16, 2015 at 4:49 AM, Sergey Slypushenko <
>>>>> sslypushenko at mirantis.com> wrote:
>>>>>
>>>>>> Here you can find slides with the general user stories:
>>>>>>
>>>>>>    - create a user account
>>>>>>    - access to a resource requiring user auth in the Web UI
>>>>>>    - access to a resource requiring user auth in the CLI client
>>>>>>
>>>>>> https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0
>>>>>>
>>>>>> Any comments related to this topic will be very much appreciated.
>>>>>>
>>>>>> Regards,
>>>>>> Sergey Slipushenko,
>>>>>>
>>>>>> Software Developer,
>>>>>> Kharkiv, Ukraine,
>>>>>> Mirantis Inc.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-Infra mailing list
>>>>>> OpenStack-Infra at lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>>>>>>
>>>>>>
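The key-pair CLI authentication Sergey proposes above (the CLI proves possession of a private key whose public half the user registered while logged in through the Web UI, so no OpenID credentials or passwords ever pass through the command line) works out as a challenge-response exchange. The following is an added example, not code from this thread, from Refstack or from OpenStackID: the server issues a random, single-use, expiring nonce, the client signs it with Ed25519, and the server verifies the signature against the registered key. The `refstack-cli-auth:` domain-separation prefix, the user names and the one-minute challenge lifetime are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challenge is a server-issued nonce bound to one user and one deadline.
type challenge struct {
	user    string
	expires time.Time
}

// AuthServer holds the public keys users registered while logged in through
// the Web UI (their OpenID session) and the challenges currently outstanding.
// This is a hypothetical design for the example, not Refstack's own code.
type AuthServer struct {
	mu      sync.Mutex
	keys    map[string]ed25519.PublicKey // user -> registered public key
	pending map[string]challenge         // hex(nonce) -> challenge
	ttl     time.Duration
	Now     func() time.Time // clock, replaceable in tests
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{
		keys:    make(map[string]ed25519.PublicKey),
		pending: make(map[string]challenge),
		ttl:     ttl,
		Now:     time.Now,
	}
}

// RegisterKey stores a user's public key. Only the public half is uploaded,
// so the CLI never has to carry OpenID credentials.
func (s *AuthServer) RegisterKey(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce for a registered user.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = challenge{user: user, expires: s.Now().Add(s.ttl)}
	return nonce, nil
}

// signedMessage binds the signature to this protocol and this user, so a
// signature produced for another purpose cannot be presented here.
// The prefix is an assumed constant for this example.
func signedMessage(user string, nonce []byte) []byte {
	return append([]byte("refstack-cli-auth:"+user+":"), nonce...)
}

// SignChallenge is the CLI side: the private key stays on the client machine.
func SignChallenge(priv ed25519.PrivateKey, user string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(user, nonce))
}

// Verify consumes the nonce (single use), checks that it was issued to this
// user and has not expired, then verifies the signature with the registered key.
func (s *AuthServer) Verify(user string, nonce, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(nonce)
	ch, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	delete(s.pending, key) // consumed on the first attempt, valid or not
	if ch.user != user {
		return errors.New("nonce was issued to a different user")
	}
	if s.Now().After(ch.expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signedMessage(user, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewAuthServer(time.Minute)
	srv.RegisterKey("alice", pub) // done once, from the Web UI session
	nonce, _ := srv.Challenge("alice")
	sig := SignChallenge(priv, "alice", nonce)
	fmt.Println("first use:", srv.Verify("alice", nonce, sig)) // <nil>
	fmt.Println("replay:", srv.Verify("alice", nonce, sig))    // unknown or already used nonce
}
```

Deleting the nonce before any check is deliberate: a captured response cannot be replayed, and a bad guess burns the challenge rather than giving an attacker more tries against the same one. This addresses the RFC 6749 concern quoted earlier in the thread: the CLI is never trusted with the user's password, only with a key the user can revoke from the Web UI.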