Mailing List Archive: OpenStack: Dev

[keystone] Multi-tenants per user, authentication tokens and global roles



rlane at wikimedia

Jul 26, 2012, 5:30 PM

Post #1 of 5 (229 views)
[keystone] Multi-tenants per user, authentication tokens and global roles

I'm working on upgrading to essex, which means I need to start using
keystone. My use case seems to not fit keystone very well, though...

In my environment, one user can be a member of many projects (some
users are in up to 20-30 projects). Management of projects is done
nearly completely through the web interface, and users may work on
resources in multiple projects at the same time. Our web interface can
show all or a subset of user's project's resources in the same view.

In Nova, using the EC2 API, I could query all resources for a user on
their behalf using an admin user, or I could use their access/secret
key and change the tenant for requesting each project.

From what I can tell in Keystone, when a user authenticates, they get
a token directly linked with a tenant. If I want to do API calls on a
user's behalf in a tenant, I must authenticate them for that tenant.
It seems there's no way for me to make requests on a user's behalf for
multiple projects without authenticating them for every single tenant.
Is this the case? Is there any way for me to handle this? I'd really
like to avoid authenticating a user 30 times on login, then needing to
store all 30 of their tokens.

I have another issue as well. My environment is meant to be integrated
and more of a private-style cloud. We have a group of administrators
that should be able to manage all instances, networks, etc. In Nova's
auth there were global groups. In Keystone there are no global groups.
Will this ever be added into keystone? It's really annoying to need to
constantly add/remove ourselves from projects to manage them.

- Ryan

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp


ayoung at redhat

Jul 26, 2012, 7:33 PM

Post #2 of 5 (209 views)
Re: [keystone] Multi-tenants per user, authentication tokens and global roles

On 07/26/2012 08:30 PM, Ryan Lane wrote:
> I'm working on upgrading to essex, which means I need to start using
> keystone. My use case seems to not fit keystone very well, though...
>
> In my environment, one user can be a member of many projects (some
> users are in up to 20-30 projects). Management of projects is done
> nearly completely through the web interface, and users may work on
> resources in multiple projects at the same time. Our web interface can
> show all or a subset of user's project's resources in the same view.
>
> In Nova, using the EC2 API, I could query all resources for a user on
> their behalf using an admin user, or I could use their access/secret
> key and change the tenant for requesting each project.
>
> From what I can tell in Keystone, when a user authenticates, they get
> a token directly linked with a tenant. If I want to do API calls on a
> user's behalf in a tenant, I must authenticate them for that tenant.
> It seems there's no way for me to make requests on a user's behalf for
> multiple projects without authenticating them for every single tenant.
> Is this the case? Is there any way for me to handle this? I'd really
> like to avoid authenticating a user 30 times on login, then needing to
> store all 30 of their tokens.

Not in Essex. When we discussed the Domains blueprint, one issue that
I brought up was nested groups/projects. That would solve your
problem. It is not currently being developed.

>
> I have another issue as well. My environment is meant to be integrated
> and more of a private-style cloud. We have a group of administrators
> that should be able to manage all instances, networks, etc. In Nova's
> auth there were global groups. In Keystone there are no global groups.
> Will this ever be added into keystone? It's really annoying to need to
> constantly add/remove ourselves from projects to manage them.
Again, this is really a group nesting problem. I am not sure if the
domain blueprint would help you out here:
https://review.openstack.org/#/c/8114/
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
http://etherpad.openstack.org/keystone-domains

>
> - Ryan
>





rlane at wikimedia

Jul 26, 2012, 9:50 PM

Post #3 of 5 (215 views)
Re: [keystone] Multi-tenants per user, authentication tokens and global roles

> Not in Essex. When we discussed the Domains blueprint, one issue that I
> brought up was nested groups/projects. That would solve your problem. It
> is not currently being developed.
>

Ok. I can deal with handling tens of thousands of tokens, but I need
some way to ensure a user doesn't need to continuously authenticate
when changing between projects. I'm totally fine saving a long-lived
token that can be used for authentication, then re-authenticating with
that token to receive other project tokens. This way the web interface can use
the long-lived token on the user's behalf for authentication between projects.

I'm using the LDAP backend. I'm assuming I'm going to have to modify
the authenticate method to handle this. Would doing this be enough to
make this work, or will I need to patch more extensively for this solution?

I definitely want to solve this legitimately for folsom or grizzly as
this completely breaks my use case (and likely the use case of most
private cloud users).

> Again, this is really a group nesting problem. I am not sure if the domain
> blueprint would help you out here:
> https://review.openstack.org/#/c/8114/
> https://blueprints.launchpad.net/keystone/+spec/keystone-domains
> http://etherpad.openstack.org/keystone-domains
>

I can likely live with adding/removing admins from groups. I'd prefer
not to, but we require this to some extent right now anyway. I'd
definitely like to resolve this by grizzly at least, though.

- Ryan



ayoung at redhat

Jul 27, 2012, 6:34 AM

Post #4 of 5 (218 views)
Re: [keystone] Multi-tenants per user, authentication tokens and global roles

On 07/27/2012 12:50 AM, Ryan Lane wrote:
>> Not in Essex. When we discussed the Domains blueprint, one issue that I
>> brought up was nested groups/projects. That would solve your problem. It
>> is not currently being developed.
>>
> Ok. I can deal with handling tens of thousands of tokens, but I need
> some way to ensure a user doesn't need to continuously authenticate
> when changing between projects. I'm totally fine saving a long-lived
> token that can be used for authentication, then re-authenticating with
> that token to receive other project tokens. This way the web interface can use
> the long-lived token on the user's behalf for authentication between projects.

You can use a token to get a token. Look at the authenticate code in
keystone/service.py

Have the user initially get a non-tenant specific token. Pass that in
the x-auth header to POST /tokens/ along with a tenantid and you will
get a new one scoped to the tenant


>
> I'm using the LDAP backend. I'm assuming I'm going to have to modify
> the authenticate method to handle this. Would doing this be enough to
> make this work, or will I need to patch more extensively for this solution?

Tokens are not stored in LDAP. There are separate back ends for:
identity, tokens, and service catalog. LDAP is only wired up for
Identity. For Token, the default is KVS, which is in memory only. You
probably want to use memcached or SQL for the token back end, otherwise
a reboot of the keystone server will lose you all the tokens.
>
> I definitely want to solve this legitimately for folsom or grizzly as
> this completely breaks my use case (and likely the use case of most
> private cloud users).
>
>> Again, this is really a group nesting problem. I am not sure if the domain
>> blueprint would help you out here:
>> https://review.openstack.org/#/c/8114/
>> https://blueprints.launchpad.net/keystone/+spec/keystone-domains
>> http://etherpad.openstack.org/keystone-domains
>>
> I can likely live with adding/removing admins from groups. I'd prefer
> not to, but we require this to some extent right now anyway. I'd
> definitely like to resolve this by grizzly at least, though.
>
> - Ryan



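The token-for-token exchange described in the reply above, as an added example (not code from this thread or from Keystone itself): one password login yields an unscoped token, which the web application keeps and rescopes per project against the v2.0 `POST /tokens` call, checking the scope Keystone hands back. The endpoint URL, user name and tenant ids are assumed, `fake_keystone_post` is a constructed stand-in for a Keystone v2.0 server so the block runs offline, and the old token is sent both in the v2.0 auth body and in the X-Auth-Token header the reply mentions.

```python
import json
import urllib.request


def urllib_post(url, headers, data):
    """Real transport: POST JSON bytes to Keystone, return the response body bytes."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def fake_keystone_post(url, headers, data):
    """Constructed stand-in for a Keystone v2.0 server (sample responses, not real ones)."""
    auth = json.loads(data)["auth"]
    if "passwordCredentials" in auth:  # no tenant requested: unscoped reply has no "tenant"
        return b'{"access": {"token": {"id": "UNSCOPED-1", "expires": "2012-07-28T00:00:00Z"}}}'
    assert headers.get("X-Auth-Token") == auth["token"]["id"] == "UNSCOPED-1"
    tid = auth["tenantId"]
    tok = {"id": "SCOPED-" + tid, "expires": "2012-07-28T00:00:00Z", "tenant": {"id": tid}}
    return json.dumps({"access": {"token": tok}}).encode()


def post_tokens(auth_body, auth_token=None, http_post=urllib_post,
                base="http://keystone.example.org:5000"):  # assumed endpoint
    """POST /v2.0/tokens; returns (token id, tenant id or None if unscoped, expiry)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if auth_token is not None:  # as in the reply: hand the existing token over as a header too
        headers["X-Auth-Token"] = auth_token
    raw = http_post(base + "/v2.0/tokens", headers, json.dumps({"auth": auth_body}).encode())
    token = json.loads(raw)["access"]["token"]
    return token["id"], token.get("tenant", {}).get("id"), token["expires"]


def get_unscoped_token(username, password, http_post=urllib_post):
    """Password auth with no tenant: the single long-lived token the web app stores."""
    body = {"passwordCredentials": {"username": username, "password": password}}
    token_id, tenant_id, _ = post_tokens(body, http_post=http_post)
    if tenant_id is not None:
        raise ValueError("expected an unscoped token, got one for tenant %s" % tenant_id)
    return token_id


def rescope_token(unscoped_token, tenant_id, http_post=urllib_post):
    """Trade the unscoped token for one scoped to tenant_id, verifying the returned scope."""
    body = {"token": {"id": unscoped_token}, "tenantId": tenant_id}
    token_id, got, _ = post_tokens(body, auth_token=unscoped_token, http_post=http_post)
    if got != tenant_id:  # never act on a scope you did not ask for
        raise ValueError("got a token for tenant %r, not %r" % (got, tenant_id))
    return token_id


def scoped_tokens_for(unscoped_token, tenant_ids, http_post=urllib_post):
    """One password login, then one cheap rescope per project the current view needs."""
    return {t: rescope_token(unscoped_token, t, http_post) for t in tenant_ids}
```

Scoped tokens can be fetched lazily per project view rather than all at login, and the stored unscoped token is a credential that must be protected and expired like a password.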


rlane at wikimedia

Jul 27, 2012, 11:20 AM

Post #5 of 5 (204 views)
Re: [keystone] Multi-tenants per user, authentication tokens and global roles

> You can use a token to get a token. Look at the authenticate code in
> keystone/service.py
>
> Have the user initially get a non-tenant specific token. Pass that in the
> x-auth header to POST /tokens/ along with a tenantid and you will get a new
> one scoped to the tenant
>

Ah. This is perfect, thanks!

>> I'm using the LDAP backend. I'm assuming I'm going to have to modify
>> the authenticate method to handle this. Would doing this be enough to
>> make this work, or will I need to patch more extensively for this
>> solution?
>
>
> Tokens are not stored in LDAP. There are separate back ends for: identity,
> tokens, and service catalog. LDAP is only wired up for Identity. For
> Token, the default is KVS, which is in memory only. You probably want to use
> memcached or SQL for the token back end, otherwise a reboot of the keystone
> server will lose you all the tokens.
>

I was planning on hacking in a method of pulling a long-lived token
from LDAP, but your previous comment makes that unneeded.

- Ryan

