[Openstack] [Keystone] Extending Keystone JSON documents with custom attributes, safe?

Phillip Guerin pguerin at sandvine.com
Thu May 15 20:16:28 UTC 2014


We're working on a project that uses a REST interface that exposes a set 
of APIs to our internal systems. We'd like to leverage the Keystone data 
models for our own fine grained authorization by adding our own custom 
attributes to Keystone 'projects', 'users', etc.

For example:

"user": {
	"domain": {
		"id": "1789d1",
		"links": {
			"self": "http://identity:35357/v3/domains/1789d1"
		"name": "example.com"
	"id": "0ca8f6",
	"links": {
		"self": "http://identity:35357/v3/users/0ca8f6"
	"name": "Joe"
	"sandvine": {
		"authorization": {
			"requests": ["url", "url?fields=a,b,c"]
			"attributes": {
				"obfuscation": ["attr1"]
		"accounting": {			

While I've done some simple tests and it essentially works, is this
procedure of PATCHing Keystone user/role/etc... documents acceptable
practice from your point of view?

Is this a behaviour that we can count on working in the future?

If it is an appropriate way to add the metadata we want, are there
naming conventions we must preserve in our custom attributes to avoid
name collisions in the future?

While this works on the direct objects I update, I don't see my custom
fields when I verify the associated user token. Meaning, I can add my
own attributes to 'user', but when I verify the token, I only see a subset
of the 'user' attributes in the response payload. I don't see my own 
custom attributes and I don't see the 'links' attribute either. Whereas
when I do a GET on the 'user' I just PATCHed, I see 'links' and my own
custom attributes as well.

Is this by design, or am I potentially missing something in my token 
verification request or configuration that would return the full data 
model associated with the token? 
 - My work flow is to create a user, PATCH the user, GET the user to 
   confirm, then GET the token to ensure the PATCHed data has been 
   associated to it. I see changes to pre-existing Keystone attributes
   when I GET the token, I just don't see my custom additions.

If this isn't appropriate, is there an alternative method to add custom
metadata to elements in the data model (users/roles/etc..)?

For example, we've also considered building a single nested JSON
document and serializing that into the 'blob' section of the 'policy'

Our service is not an Openstack service, so we cannot take advantage
of writing policy to handle fine grained authorization of the APIs we're
exploring through our own REST interface. The above is how we're 
trying to bridge that gap.

Thanks a lot for your time and feedback!

Phillip Guerin
Software Engineer
skype: phillip.guerin

More information about the Openstack mailing list