[Openstack] [OpenStack][Keystone][new_service]

Eric K ekcs.openstack at gmail.com
Tue Aug 21 02:11:22 UTC 2018

On Fri, Aug 17, 2018 at 9:34 AM, B.M.Canning <bmc20 at kent.ac.uk> wrote:
> Hi Eric,
> Thanks for getting back to me.
> I'm not looking to develop a real, useful, new service for OpenStack but
> develop a dummy service that plugs into OpenStack's authorisation
> infrastructure in a way that it looks like an OpenStack service which
> integrates with Keystone, like, say the Swift service. See picture
> attached, where the swift object represents a resource in the dummy
> service.
> The dummy service itself is a web-based game of snakes and ladders
> written in JavaScript/jQuery which makes Ajax calls to its PEP, written
> in PHP. The PHP code interacts with Keystone via the PHP cURL library
> and also logs all game actions in a MariaDB database.
> The game has been written in a way that it can be exploited by malicious
> users who already have access to the system, e.g players can travel up
> the snakes or simply ignore the snakes. The idea is that an autonomic
> controller is recording the user's actions, analysing them, planning a
> response (if necessary) and executing a change. This change could be
> inserting a policy line into policy.json or via the congress API. It
> could also be removing a role from a user which denies them further
> access to the resource in Keystone.
> The aim of this research is to produce an effective and efficient means
> of mitigating against insider threats directed at computing resources
> and information systems. This idea has been previously examined with
> LDAP serving as an authentication service and PERMIS serving as an
> authorisation service [1]. What is of interest here is porting the setup
> to an authorisation infrastructure that is relevant to cloud computing.
> I've had a look at congress, I have it running on my game server and it
> is registered as a service in Keystone after following [2] (except I
> installed the software from CentOS 7 "cloud" repo, "openstack-queens"
> [3] but at the moment, calls to the API are returning "Service
> Unavailable (HTTP 503)". This may be because there are no datasources
> configured.
Ah I think the issue is that there is no rabbitmq server running. We
should probably make that clear in docs.
> I started to write a driver for the dummy service [4] but as
> the game itself does not have a RESTful API, I'm not sure what approach
> to take here. I note that this distinction may favour a driver which is
> a subclass of PushedDataSourceDriver, rather than
> PollingDataSourceDriver.
I think there is no need to make a driver. Rather, your service can
simply make API calls to Congress the same way it calls Keystone.
> Failing that, I might pursue the Oslo policy
> library route, but again, I'm having difficulty in finding where to
> start. How might you suggest going about making a new, dummy service,
> such as that which I have described?
oslo policy is the stardard used by most openstack services. So if
your goal is to demonstrate doing something using the standard
framework, then that's the way to go. Though since it's a python
library you'd need some kind of bridge between your PHP web service
and oslo policy.

unfortunately it's not the most obvious how to get started. Here's a
simple example (from congress code):
step 1: define enforcement function using oslo policy library
step 2: call the enforcement function to check for valid authorization
before taking action

More api reference here:

On the other hand, if you don't want to involve python, you can use
directly make API calls to Congress service using PHP.

More information about the Openstack mailing list