Message #78900
[Bug 1832848] [NEW] Set Project ID for synchronization across servers
Public bug reported:
Identifiers
Each resource in Keystone has a unique identifier. For the majority of
resources, the identifiers are currently generated as UUIDs. In
addition, the identifiers are assigned by the system, and are not
something an end user can specify when creating the resource. The theory
is that this would prevent identifier squatting, where a user creates a
resource with a specified ID in order to deny that ID to another user,
or hijack the use of the identifier for some other reason. In practice
it means that two Keystone deployments will have different identifiers
for resources that should be common, such as role, project, or user
groups.
This identifier skew means that to track something for audit purposes
you can only correlate on the resource name. But resource names are
modifiable.
The limiting factor for using the API to duplicate data from one Keystone
system to another is the generation of the identifier. Since a new
record always gets a new identifier, and the value for the
identifier can only be generated, the API does not allow matching of
records.
However, allowing all users to specify the identifiers when creating
records would create the potential for "squatting" on the identifier,
and also prevent synchronization.
Thus, for normal record generation, the identifiers should be generated
by the system, and explicit identifier specification should be reserved
for the synchronization use case only.
With the advent of System scoped roles, we can split the RBAC
enforcement on the creation APIs. Normal creation should require a
project or domain scoped token. Synchronization should require a system
scoped token.
** Affects: keystone
Importance: Undecided
Status: New
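The split proposed above, as an added example rather than Keystone's own code: an in-memory toy deployment whose create call generates a UUID on the normal path (project or domain scope only) and accepts a caller-supplied ID only under a system-scoped token, refusing an ID that is already taken. `Token`, `Deployment`, `synchronize` and `raises` are constructed for the illustration and assume a token is just its scope string.

```python
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a Keystone token; only its scope matters here."""
    scope: str  # "project", "domain" or "system"


class Forbidden(Exception): pass  # policy check failed (HTTP 403 in the real API)
class Conflict(Exception): pass   # ID already in use (HTTP 409): no squatting on sync


@dataclass
class Deployment:
    """One Keystone deployment's project table, keyed by project ID (toy model)."""
    projects: dict = field(default_factory=dict)

    def create_project(self, token, name, project_id=None):
        if project_id is None:
            # Normal creation: the ID is system-generated, as Keystone does today.
            if token.scope not in ("project", "domain"):
                raise Forbidden("normal creation needs a project/domain scoped token")
            project_id = uuid.uuid4().hex
        else:
            # Caller-supplied ID is the synchronization path: system scope only,
            # so an ordinary user cannot squat on or hijack an identifier.
            if token.scope != "system":
                raise Forbidden("explicit IDs need a system scoped token")
            if project_id in self.projects:
                raise Conflict(f"project ID {project_id} already exists")
        self.projects[project_id] = {"id": project_id, "name": name}
        return self.projects[project_id]


def synchronize(source, target, token):
    """Copy projects missing from target, preserving IDs; returns the IDs copied."""
    copied = []
    for pid, proj in source.projects.items():
        if pid not in target.projects:
            target.create_project(token, proj["name"], project_id=pid)
            copied.append(pid)
    return copied


def raises(exc, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc; keeps the policy checks readable."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False
```

After a sync both deployments hold the project under the same ID, so audit records can be correlated on the identifier instead of the (mutable) name.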
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1832848
Title:
Set Project ID for synchronization across servers
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1832848/+subscriptions