openstack team mailing list archive

Re: Keystone tenants vs. Nova projects

 

In typical RBAC systems you specify the role you will be acting in when you gain access.  This is the principle of least privilege.

 

Jason

 

From: Yuriy Taraday [mailto:yorik.sar@xxxxxxxxx] 
Sent: Friday, July 15, 2011 11:27 AM
To: Nguyen, Liem Manh
Cc: openstack@xxxxxxxxxxxxxxxxxxx; Ziad Sawalha; Rouault, Jason (Cloud Services)
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

 

Yeah, I agree that we should not duplicate user-tenant link this way.

But I cannot understand why we should have anything default. I think everything should be explicit here. It'll make both the code and the experience simpler and clearer.

So, as I said, a user will have to have either some global role or some explicit connection to a tenant through a role in order to authenticate in that tenant.

 

Kind regards, Yuriy.

 

On Fri, Jul 15, 2011 at 20:14, Nguyen, Liem Manh <liem_m_nguyen@xxxxxx> wrote:

Hi Yuriy,

 

The “dual” link concept between user and tenant (user <-> tenant, and user <-> role <-> tenant) is a little bit confusing for me (perhaps, I don’t understand the nuances of it).  What happens if a user belongs to a tenant but has no role in it?  It seems to me that instead of having a default tenant for a user, we should have a default role for a user instead.  With a default role, we can always make sure that the user is authenticated.

 

Regards,

Liem

 

From: Yuriy Taraday [mailto:yorik.sar@xxxxxxxxx] 
Sent: Thursday, July 14, 2011 10:37 PM


To: openstack@xxxxxxxxxxxxxxxxxxx

Cc: Ziad Sawalha; Rouault, Jason (Cloud Services); Nguyen, Liem Manh


Subject: Re: [Openstack] Keystone tenants vs. Nova projects

 

I think, there should not be such thing as default tenant.

If a user does not specify a tenant in the authentication data, one's token should not be bound to any tenant, and the user should have access to resources based on global role assignments.

If a user specifies a tenant, one should be either explicitly bound to that tenant (probably through the UserRoleAssignment model, but it is not the best way) or in some global role. Then one will have access to resources based on global role assignments and tenant role assignments.

I'm not sure whether users should be added to a tenant and then to roles in this tenant, or whether we should totally remove the direct link between user and tenant, so that a user is in a tenant if and only if one is in some role in this tenant.


Kind regards, Yuriy.

 

 

On Fri, Jul 15, 2011 at 00:07, Nguyen, Liem Manh <liem_m_nguyen@xxxxxx> wrote:

When one creates a user, should a user always have a tenant associated with her?  If that’s the case, then the “default” tenant is the tenant that the user is associated with at creation time?  Sorry for responding to the question with another question, but it is unclear for me from looking at the model (there is no non-null constraint on the tenant_id fk on the user table).

 

Thanks,

Liem

 

From: openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ziad Sawalha
Sent: Thursday, July 14, 2011 12:22 PM


To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

 

In the example I gave below they are not members of any group and have no roles assigned to them. Should they still be authenticated?

 

From: "Rouault, Jason (Cloud Services)" <jason.rouault@xxxxxx>
Date: Thu, 14 Jul 2011 16:25:22 +0000
To: Ziad Sawalha <ziad.sawalha@xxxxxxxxxxxxx>, Yuriy Taraday <yorik.sar@xxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Openstack] Keystone tenants vs. Nova projects

 

A user can specify a tenantID at the time of authentication.  If no tenantID is specified during authentication, then I would expect the ‘default’ tenant for the user would apply.  The capabilities of User1 on TenantA (in this case the default tenant for the user) would be determined by their role and group assignments within the context of TenantA.  

 

Jason

 

From: Ziad Sawalha [mailto:ziad.sawalha@xxxxxxxxxxxxx] 
Sent: Wednesday, July 13, 2011 10:35 PM
To: Rouault, Jason (Cloud Services); Yuriy Taraday; openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

 

What if:

- User1 has TenantA as her default tenant

Should the service authenticate the user against TenantA? And if so, why? What does the 'default tenant' grant User1 on TenantA? It's some nebulous, implied role…

 

 

 

From: "Rouault, Jason (Cloud Services)" <jason.rouault@xxxxxx>
Date: Wed, 13 Jul 2011 13:18:44 +0000
To: Ziad Sawalha <ziad.sawalha@xxxxxxxxxxxxx>, Yuriy Taraday <yorik.sar@xxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Openstack] Keystone tenants vs. Nova projects

 

If a user is bound to their default tenant, why wouldn’t any role assignments for that user in their default tenant apply?

 

 

User1 authenticates specifying TenantB, this binds User1 into the context of TenantB.  In subsequent web service requests using the token received after authentication, the Auth component filter would decorate the headers with RoleY.

If User1 authenticates specifying TenantA, or specifying no Tenant,  this binds User1 into the context of TenantA.  The headers would then be decorated with RoleX.

 

Jason
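The two scoping models argued over in this thread, Yuriy's explicit-assignment proposal (an unscoped token carries only global roles; a tenant-scoped token requires a role on that tenant or a global role, and there is no default tenant) and Jason's description of the auth filter decorating request headers with the roles of the bound tenant, sketched as an added Python model. This is example code written for this page, not Keystone's own code; the class and header names (AuthService, RoleAssignment, Token, X-User, X-Tenant, X-Role) are assumptions, and the users, tenants and role assignments are constructed to match the User1/TenantA/RoleX, TenantB/RoleY example in the thread.

```python
"""Toy model of tenant-scoped tokens with explicit role assignments.

Added example for this thread, not Keystone code.  Class names, header
names and the sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
import secrets


@dataclass(frozen=True)
class RoleAssignment:
    """One (user, role, tenant) triple; tenant=None means a global role."""
    user: str
    role: str
    tenant: Optional[str] = None


@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    tenant: Optional[str]          # None means an unscoped token
    roles: FrozenSet[str]          # roles that apply in this scope


class AuthService:
    """Explicit model: a user is 'in' a tenant only via a role there."""

    def __init__(self, users: Iterable[str], tenants: Iterable[str],
                 assignments: Iterable[RoleAssignment]) -> None:
        self.users = frozenset(users)
        self.tenants = frozenset(tenants)
        self.assignments = frozenset(assignments)

    def roles_for(self, user: str, tenant: Optional[str]) -> FrozenSet[str]:
        """Roles assigned to user on tenant (tenant=None: global roles)."""
        return frozenset(a.role for a in self.assignments
                         if a.user == user and a.tenant == tenant)

    def authenticate(self, user: str, tenant: Optional[str] = None) -> Token:
        # Credential checking is out of scope; only scoping is modelled.
        if user not in self.users:
            raise PermissionError(f"unknown user {user!r}")
        global_roles = self.roles_for(user, None)
        if tenant is None:
            # Unscoped token: nothing but global assignments apply.
            return Token(secrets.token_hex(16), user, None, global_roles)
        if tenant not in self.tenants:
            raise PermissionError(f"unknown tenant {tenant!r}")
        tenant_roles = self.roles_for(user, tenant)
        if not tenant_roles and not global_roles:
            # No role on the tenant and no global role: not a member, so
            # the scoped authentication is refused rather than implied.
            raise PermissionError(f"{user!r} has no role on {tenant!r}")
        return Token(secrets.token_hex(16), user, tenant,
                     tenant_roles | global_roles)

    def can_scope(self, user: str, tenant: str) -> bool:
        """True if a token for user scoped to tenant would be issued."""
        try:
            self.authenticate(user, tenant)
            return True
        except PermissionError:
            return False


def decorate_headers(token: Token) -> dict:
    """Headers an auth filter would add to a request carrying `token`.
    The header names are assumed for this example."""
    headers = {"X-User": token.user,
               "X-Role": ",".join(sorted(token.roles))}
    if token.tenant is not None:
        headers["X-Tenant"] = token.tenant
    return headers


def build_demo_service() -> AuthService:
    """Constructed sample data mirroring the thread's User1 example."""
    return AuthService(
        users=["User1", "Admin"],
        tenants=["TenantA", "TenantB", "TenantC"],
        assignments=[
            RoleAssignment("User1", "RoleX", "TenantA"),
            RoleAssignment("User1", "RoleY", "TenantB"),
            RoleAssignment("Admin", "admin"),        # global role, no tenant
        ],
    )


if __name__ == "__main__":
    svc = build_demo_service()
    for user, tenant in [("User1", "TenantA"), ("User1", "TenantB"),
                         ("User1", None), ("User1", "TenantC"),
                         ("Admin", "TenantC")]:
        try:
            print(user, tenant, "->", decorate_headers(svc.authenticate(user, tenant)))
        except PermissionError as exc:
            print(user, tenant, "-> rejected:", exc)
```

Liem's question of a user who "belongs to" a tenant but has no role in it does not arise in this model: membership is nothing more than having a role assignment on the tenant, so a scope request with no applicable role is refused instead of producing a token with an empty or implied role set. An Admin with only a global role can still scope to any tenant, which is the behaviour Yuriy's proposal asks for.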

 

From: openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ziad Sawalha
Sent: Tuesday, July 12, 2011 10:09 PM
To: Yuriy Taraday; openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Keystone tenants vs. Nova projects

 

Our goal is to support Nova use cases right now. You can provide access to multiple tenants using a role assignment (assigning a user a role on a specific tenant effectively binds them to that tenant).

 

However, this raises the issue of what the 'implied' role of a user is when they are bound to their default tenant. So we're considering how to alter the model to clean that up. No great solution yet. Any suggestions are welcome….

 

Ziad

 

From: Yuriy Taraday <yorik.sar@xxxxxxxxx>
Date: Tue, 28 Jun 2011 16:59:08 +0400
To: <openstack@xxxxxxxxxxxxxxxxxxx>
Subject: [Openstack] Keystone tenants vs. Nova projects

 

Currently the Keystone model assumes that a user is bound to exactly one tenant. This conflicts with the fact that in Nova a user can have access to several projects.

Which way will it be?


Kind regards, Yuriy.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp

This email may include confidential information. If you received it in error, please delete it.
Attachment: smime.p7s
Description: S/MIME cryptographic signature