On 02/26/2018 10:17 AM, Ricardo Rocha wrote:
> Hi.
>
> We have an issue with the way Magnum uses keystone trusts.
>
> Magnum clusters are created in a given project using HEAT, and require
> a trust token to communicate back with OpenStack services - there is
> also integration with Kubernetes via a cloud provider.
>
> This trust belongs to a given user, not the project, so whenever we
> disable the user's account - for example when a user leaves the
> organization - the cluster becomes unhealthy as the trust is no longer
> valid. Given the token is available in the cluster nodes, accessible
> by users, a trust linked to a service account is also not a viable
> solution.
>
> Is there an existing alternative for this kind of use case? I guess
> what we might need is a trust that is linked to the project.

This was proposed in the original application credential specification [0] [1]. The problem is that you're sharing an authentication mechanism with multiple people when you associate it with the life cycle of a project. When a user is deleted or removed from the project, nothing would stop them from accessing OpenStack APIs if the application credential or trust isn't rotated out. Even if the credential or trust were scoped to the project's life cycle, it would need to be rotated out and replaced when users come and go for the same reason. So it would still be associated with the user life cycle, just indirectly. Otherwise you're allowing unauthorized access to something that should be protected.
If you're at the PTG, we will be having a session on application credentials tomorrow (Tuesday) afternoon [2] in the identity-integration room [3].

[0] https://review.openstack.org/#/c/450415/
[1] https://review.openstack.org/#/c/512505/
[2] https://etherpad.openstack.org/p/application-credentials-rocky-ptg
[3] http://ptg.openstack.org/ptg.html

> I believe the same issue would be there using application credentials,
> as the ownership is similar.
>
> Cheers,
> Ricardo
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
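The two failure modes discussed in this thread, as an added illustration that is not code from the thread, from Keystone or from Magnum: a trust dies with its trustor's account (the Magnum cluster goes unhealthy), while a credential bound to a project's life cycle outlives departed members and therefore has to be rotated after every departure. The `ProjectCredential` shape is an assumption standing in for the project-scoped credential proposed in the thread; all identifiers and membership events are constructed sample data.

```python
"""Lifecycle model: user-owned trusts vs. a hypothetical project-bound credential.

Constructed illustration, not Keystone/Magnum code. It models the two cases
raised in the thread: a trust that is only usable while its trustor is
enabled, and a project-life-cycle credential that stays valid for members
who have left unless it is rotated after they leave.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str  # delegating user; the trust is tied to this account
    project_id: str


@dataclass
class ProjectCredential:
    """Assumed shape of a credential bound to a project's life cycle."""
    cred_id: str
    project_id: str
    created_at: datetime
    rotated_at: Optional[datetime] = None


@dataclass(frozen=True)
class MembershipEvent:
    when: datetime
    project_id: str
    user_id: str
    action: str  # "removed" (from the project) or "disabled" (account)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def trust_is_usable(trust: Trust, disabled_users: Set[str]) -> bool:
    """A trust is only usable while the trustor's account is enabled."""
    return trust.trustor_user_id not in disabled_users


def broken_trusts(trusts: List[Trust], events: List[MembershipEvent]) -> List[str]:
    """Trusts whose trustor was disabled: clusters relying on them become unhealthy."""
    disabled = {e.user_id for e in events if e.action == "disabled"}
    return [t.trust_id for t in trusts if not trust_is_usable(t, disabled)]


def credentials_needing_rotation(
    creds: List[ProjectCredential], events: List[MembershipEvent]
) -> List[Tuple[str, List[str]]]:
    """Project-bound credentials issued (or last rotated) before a member left.

    A departed member may still hold the secret, so the credential stays
    usable by them until it is rotated. Returns (cred_id, [departed users]).
    """
    flagged = []
    for cred in creds:
        valid_since = cred.rotated_at or cred.created_at
        departed = sorted({
            e.user_id for e in events
            if e.project_id == cred.project_id
            and e.action == "removed"
            and e.when > valid_since
        })
        if departed:
            flagged.append((cred.cred_id, departed))
    return flagged


def rotate(cred: ProjectCredential, when: datetime) -> ProjectCredential:
    """Return a copy marked as rotated at `when`; the old secret is retired."""
    return ProjectCredential(cred.cred_id, cred.project_id, cred.created_at, rotated_at=when)


# Constructed sample data: one Magnum-style trust and two project credentials.
TRUSTS = [Trust("trust-magnum-01", "user-alice", "proj-k8s")]
CREDS = [
    ProjectCredential("appcred-proj-k8s-01", "proj-k8s", _utc(2018, 1, 10)),
    ProjectCredential("appcred-proj-web-01", "proj-web", _utc(2018, 2, 1)),
]
EVENTS = [
    MembershipEvent(_utc(2018, 1, 15), "proj-web", "user-bob", "removed"),  # predates the web cred
    MembershipEvent(_utc(2018, 2, 20), "proj-k8s", "user-alice", "removed"),
    MembershipEvent(_utc(2018, 2, 20), "proj-k8s", "user-alice", "disabled"),
]


if __name__ == "__main__":
    print("trusts broken by account disable:", broken_trusts(TRUSTS, EVENTS))
    print("credentials to rotate:", credentials_needing_rotation(CREDS, EVENTS))
    rotated = [rotate(c, _utc(2018, 2, 21)) if c.project_id == "proj-k8s" else c for c in CREDS]
    print("after rotation:", credentials_needing_rotation(rotated, EVENTS))
```

Running it shows both sides of the trade-off: the user-owned trust stops working the moment the account is disabled, and the project-bound credential is flagged for rotation because it was issued before the member's removal, then clears only once it has been rotated after that date.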