On 11/11/2013 03:00 PM, Morgan Fainberg wrote:
David,

My concern with this approach is that keystone currently doesn't have
the mechanisms to handle a "polling" job (no such thing as "periodic"
tasks like in nova) and we go to some fairly extreme effort to not use
eventlet anywhere.  We also recommend keystone be run under apache (or
even if we have multiple keystone processes running), so it would be a
challenge to determine where to run this "task".  It might be hard to
implement a "polling" module elegantly without doing something along
the lines of polling when an IdP backed user tries to take an action
(each time), which could be significant overhead.

We could implement this as a stand alone service, though, which would poll on behalf of Keystone.


--Morgan Fainberg

On Mon, Nov 11, 2013 at 11:13 AM, David Chadwick
<d.w.chadw...@kent.ac.uk> wrote:
Hi Guys

I want to revise my earlier take on this, after giving it some more thought.

We discussed what to do in federation when the assertions have a particular
time duration, but the user wishes to delegate permissions or start a job
for longer than this duration. What should we do?

Firstly we should not do this in general as it is an escalation of
privileges.

However, if the IDP allows callbacks we can do it by building a polling
module in Keystone which will poll the IDP every time the assertion duration
expires, up to and including the time that the delegated permission expires.
If the callback succeeds we know the user is still active and not revoked,
but if the callback fails, we know the user has been revoked and his
delegated task should also be revoked.

OAuth2/OpenID Connect has the concept of refresh tokens. This allows the RP
(keystone) to call back to the IDP once the normal token has expired in
order to get a new one. This could be used to support extended duration of
delegations.

SAML allows the IDP to be queried for user attributes. So if Keystone sends
an attribute request to the SAML IDP once the original assertion has
expired, then if the user is still present the IDP will return his
attributes. The Keystone polling module can do this until the delegation
expires.

I don't think the previous idea was very sensible since it is no different to
the IDP supporting revocation lists. (To refresh, the original idea was for
the IDP to say, when the federation is set up (as part of the federation
agreement), that it will send user revocation notifications to those SPs to
whom it has issued user assertions within a specified time frame (this time
would be federation specific, but could be set to say 7 days for assertions
of duration 24 hours) then the SPs now have a maximum time that they can
escalate a user's assertion up to, if the user starts a job or delegates
privileges etc. from an assertion of shorter duration.)

regards

David
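The polling module David sketches above, run as the stand-alone service Morgan suggests, as an added example that is not part of this thread and not Keystone code. Everything in it is constructed for illustration: `Delegation`, `StandalonePoller`, `FakeIdp` and `simulate` are hypothetical names, and `check_idp` stands in for whichever callback the IdP supports (an OAuth2/OpenID Connect refresh-token exchange or a SAML attribute query). The clock is injected so the schedule runs deterministically offline; the poll is due each time the original assertion duration lapses, and only while the delegation itself is still live.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Stand-in for the IdP callback (refresh-token exchange or SAML attribute query).
# Returns True while the IdP still vouches for the user.  (Assumed signature.)
IdpCheck = Callable[[str], bool]


@dataclass
class Delegation:
    """A delegated permission that may outlive the IdP assertion it came from."""
    delegation_id: str
    user_id: str
    assertion_issued_at: int      # epoch seconds
    assertion_lifetime: int       # seconds the federated assertion is valid for
    delegation_expires_at: int    # epoch seconds; may be later than the assertion expiry
    revoked_at: Optional[int] = None
    poll_log: List[int] = field(default_factory=list)   # times the IdP was polled
    next_check_at: int = field(init=False)

    def __post_init__(self) -> None:
        if self.assertion_lifetime <= 0:
            raise ValueError("assertion lifetime must be positive")
        # The first poll is due the moment the original assertion expires.
        self.next_check_at = self.assertion_issued_at + self.assertion_lifetime

    def is_active(self, now: int) -> bool:
        return self.revoked_at is None and now < self.delegation_expires_at


class StandalonePoller:
    """Polls the IdP on Keystone's behalf from a separate process (hypothetical):
    Keystone has no periodic-task machinery and may run as several apache workers."""

    def __init__(self, check_idp: IdpCheck) -> None:
        self.check_idp = check_idp
        self.delegations: Dict[str, Delegation] = {}

    def register(self, d: Delegation) -> None:
        self.delegations[d.delegation_id] = d

    def tick(self, now: int) -> List[str]:
        """One poller pass at time `now`; returns ids of delegations revoked in it."""
        revoked: List[str] = []
        for d in self.delegations.values():
            if not d.is_active(now):
                continue          # already revoked, or expired on its own schedule
            if d.next_check_at > now:
                continue          # the last assertion or callback still covers this moment
            d.poll_log.append(now)
            if not self.check_idp(d.user_id):
                # Callback failed: the IdP no longer vouches for the user,
                # so the delegated task is revoked as well.
                d.revoked_at = now
                revoked.append(d.delegation_id)
                continue
            # One successful callback covers every assertion period that lapsed
            # since the last one; schedule the next poll at the next boundary.
            while d.next_check_at <= now:
                d.next_check_at += d.assertion_lifetime
        return revoked


class FakeIdp:
    """Constructed IdP whose view of a user can be flipped mid-simulation."""
    def __init__(self, users: List[str]) -> None:
        self.active = {u: True for u in users}

    def check(self, user_id: str) -> bool:
        return self.active.get(user_id, False)

    def revoke(self, user_id: str) -> None:
        self.active[user_id] = False


def simulate() -> Dict[str, object]:
    """Constructed scenario: 1-hour assertions, an 8-hour delegation, 15-minute poll interval."""
    HOUR = 3600
    idp = FakeIdp(["alice", "bob"])
    poller = StandalonePoller(idp.check)
    # alice's delegation outlives her 1-hour assertion by 7 hours, so it needs polling.
    poller.register(Delegation("d-alice", "alice", 0, HOUR, 8 * HOUR))
    # bob's delegation ends before his assertion does, so it never needs a callback.
    poller.register(Delegation("d-bob", "bob", 0, HOUR, 1800))
    revoked_events = []
    for now in range(0, 8 * HOUR + 1, 900):
        if now >= 3 * HOUR + 50:        # the IdP revokes alice shortly after the third poll
            idp.revoke("alice")
        ids = poller.tick(now)
        if ids:
            revoked_events.append((now, ids))
    a, b = poller.delegations["d-alice"], poller.delegations["d-bob"]
    return {
        "alice_polls": a.poll_log,              # [3600, 7200, 10800, 14400]
        "alice_revoked_at": a.revoked_at,       # 14400: first poll after the IdP dropped her
        "alice_active_after": a.is_active(5 * HOUR),
        "bob_polls": b.poll_log,                # []: never outlived his assertion
        "revoked_events": revoked_events,
    }


if __name__ == "__main__":
    print(simulate())
```

The poller only ever calls the IdP for delegations that have outlived their assertion, which is the overhead Morgan worries about if the check were instead done on every action by an IdP-backed user; a delegation that ends inside the assertion window costs nothing. If the poller falls behind (several assertion periods lapsed between ticks), one callback is enough, since the question at each poll is simply whether the IdP still vouches for the user now.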




_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev