[openstack-dev] [Keystone][Oslo] User mapping and X509 for signing

Wed, 08 Oct 2014 13:59:35 -0700

When gyee posted his X509 server-side auth plugin patch, the feedback we gave was that it should be using the mapping code from Federation to transform the environment variables set by the web server to the Keystone userid, username, domain name, and so forth.
The PKI token format currently allows for a single signing cert. I have a proposal to allow for multiple signers. One issue, though, is how to map from the certificates signer-info to the Keystone server that signed the data. signer-data is part of the CMS message format, and can be used to uniquely identify the certificate that signed the document. From the signer-data, we can fetch the certificate. 


SO, we could build a system that allowed us to fetch multiple certs for 
checking signatures.  But then the question is, which cert maps to "the 
entity authorized to sign for this data."



OpenStack lacks a way to enumerate the systems, endpoints or otherwise.  
I'm going to propose that we create a service domain and that any system 
responsible for signing a document have a user created inside that 
domain.  I think we want to make the endpoint id match the user ID for 
endpoints, and probably something comparable for Nova Compute services.



This means we can use the associated keystone user to determine what 
Compute node signed a message.  It gives us PKI based, asymetric Oslo 
message signing.


This same abstraction should be extended to Kite for symmetric keys.


In order to convert the certificate data to the Keystone User ID, we can 
use the Mapping mechanism from Federation, just like we are planning on 
for the X509 Auth Plugin.



One thing I want to make explicit, and get some validation on from the 
community:  is it acceptable to say that there needs to be a mappable 
link between AL  X509 certificates distributed by a certain CA, for a 
certain Domain and the users in there?  It seems to me to be comparable 
to the LDAP constraints.  Is this a reasonable assumption?  If not, it 
seems like the X509 mechanism is really not much more than a naked 
Public Key.


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to