[Openstack] Authentication and Authorisation in Keystone

Joe Savak joe.savak at RACKSPACE.COM
Tue Sep 6 19:15:42 UTC 2011


Hi Nathan,
Role is mentioned in the admin guide (https://github.com/openstack/keystone/blob/master/keystone/content/admin/identityadminguide.pdf). When a service attempts to validate a token, a list of roles that a user has for a tenant (or multiple tenants) is returned. It is up to the service to determine how to enforce these roles.

I hope this helps to clarify. If not, let me know!

Thanks,
Joe
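The split Joe describes (Keystone answers who the token belongs to and which roles they hold per tenant; the calling service decides what those roles permit) as an added Python example, not code from Keystone or from either poster. The JSON layout of the validation response, the field names, and the sample token are constructed assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Keystone token-validation response. The layout
# (token expiry plus per-tenant role entries) is an assumption for this
# example, not copied from the Keystone docs.
SAMPLE_VALIDATION_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "tok-example-123", "expires": "2011-09-07T19:15:42Z"},
        "user": {
            "id": "user-1",
            "name": "nathan",
            "roles": [
                {"name": "Member", "tenantId": "tenant-a"},
                {"name": "Admin", "tenantId": "tenant-b"},
            ],
        },
    }
})

# Two constructed clock values: one before, one after the sample expiry.
SAMPLE_NOW = datetime(2011, 9, 6, 19, 30, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2011, 9, 8, 0, 0, tzinfo=timezone.utc)


def roles_for_tenant(validation_json, tenant_id, now):
    """Return the role names the token's user holds for tenant_id.

    Keystone only reports identity and roles; checking expiry and
    filtering by tenant are the service's own responsibility. An expired
    token yields an empty set, i.e. no authorisation at all.
    """
    access = json.loads(validation_json)["access"]
    expires = datetime.strptime(access["token"]["expires"], "%Y-%m-%dT%H:%M:%SZ")
    if now >= expires.replace(tzinfo=timezone.utc):
        return set()
    # Keep only roles granted for the tenant this request acts on;
    # an entry without tenantId is treated as global (assumption).
    return {
        role["name"]
        for role in access["user"].get("roles", [])
        if role.get("tenantId") in (None, tenant_id)
    }


def is_authorised(validation_json, tenant_id, required_role, now=None):
    """Service-side enforcement: does the token grant required_role on tenant_id?"""
    now = now or datetime.now(timezone.utc)
    return required_role in roles_for_tenant(validation_json, tenant_id, now)
```

Enforcement is a deliberate allow-list: a role that is not present for the requested tenant, or a token past its expiry, both return "not authorised" rather than falling through.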

-----Original Message-----
From: openstack-bounces+joe.savak=rackspace.com at lists.launchpad.net [mailto:openstack-bounces+joe.savak=rackspace.com at lists.launchpad.net] On Behalf Of Nathan Sowatskey
Sent: Tuesday, September 06, 2011 6:08 AM
To: openstack at lists.launchpad.net
Subject: [Openstack] Authentication and Authorisation in Keystone

http://forums.openstack.org/viewtopic.php?f=23&t=268&p=955#p955

Hi

I am trying to understand the role that authorisation plays in Keystone, as I don't see any mention of it in the identitydevguide.pdf.

In other identity systems such as SAML or OAuth, authentication is used to obtain a token that is used for authorisation; either a SAML assertion or an OAuth token. Separating authentication and authorisation is normal practice for a variety of reasons that are well discussed elsewhere. For example:

http://www.duke.edu/~rob/kerberos/authvauth.html

In the devguide we have, for example, this section:

"Most calls on the Admin API require authentication. The only calls available without authentication are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get a token.

Authentication is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

I would have expected that to say:

"Most calls on the Admin API require *authorisation*. The only calls available without *authorisation* are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get an *authorisation* token.

*Authorisation* is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

It is often the case that authentication and authorisation are mixed up by people new to the field, and that may be what is happening here.

Does anyone have any thoughts on this please?

Many thanks

Nathan
-- 
Nathan Sowatskey (nsowatsk at cisco.com) - Technical Leader, STG - +34-638-083-675


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack at lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp