subject:"\[Openstack\] \[openstack\-dev\] Fwd\: \[keystone\] Tokens representing authorization to projects\/tenants in the Keystone V3 API"

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-16 Thread Dolph Mathews

I'm just pointing out that the same data used for validating belongsTo on
the server-side is included in the response body (assuming a GET and not
HEAD).


-Dolph


On Thu, Nov 15, 2012 at 2:51 PM, Jorge Williams 
jorge.willi...@rackspace.com wrote:

  (inline)

  On Nov 15, 2012, at 2:06 PM, Dolph Mathews wrote:

 Without belongsTo, you can still validate the tenant scope client-side, so
 it's a bit redundant.


  Not sure what you mean.  Can you be more specific?

 However, if you're making a HEAD call to validate the token, you obviously
 need the server to do that additional validation for you.


  Right.


  -Dolph


 On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams 
 jorge.willi...@rackspace.com wrote:

 No, it's optional.

 Token validation returns what it normally does.  The only thing belongs
 to does is that you fail token validation if the given tenant is not
 covered by the scope of the token.

 -jOrGe W.

 On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote:

  Is belongsTo mandatory? If not, what will token validation API return?
 
  {access: [list of tokens]}
 
  ?
 
 
  Guang
 
 
  -Original Message-
  From: Jorge Williams [mailto:jorge.willi...@rackspace.com]
  Sent: Wednesday, November 14, 2012 2:47 PM
  To: OpenStack Development Mailing List
  Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
  Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens
 representing
  authorization to projects/tenants in the Keystone V3 API
 
  From an API perspective the changes required are the following:
 
1.  The validate call returns a list of tenants instead of a
 single
  tenant.
 
  If the tenant id is in the URI of the API, then the validation
 middleware
  can assert that the tenant id is in the list of IDs.
 
  Not sure if there's any additional changes, but I don't think so.
 
  An alternative approach is to use the belongsTo query parameter in the
  validate call.  So if you know the tenantId of the resource, you can
 issue a
  validate with ?belongsTo=tenatId  and validation if the tenant is not
 in
  the list of tenatIds for the token.  The belongsTo query parameter is
 in the
  validate token call in the API today
 
 
 http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val
 
 idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1
  356.html
 
  And we use it quite a bit in our implementation, when we validate
 tokens --
  that is in the case where a token may have access to multiple tenants.
 
  Thoughts?
 
  -jOrGe W.
 
 
  On Nov 14, 2012, at 3:53 PM, heckj wrote:
 
  If we're going to assert it's supported, we're doing an incredible
  dis-service to writing a spec to not implement that aspect of the spec,
 as
  that kind of set up just leads to incompatibilities and confusion when
  asserting how the spec should be used to provide interoperability.
 
  If we accept this as a spec addition, then we MUST have an
 implementation
  that makes it clear how we expect to interoperate with that aspect of
 the
  specification, even if it's a configuration option that we don't
 normally
  enable. If we don't test and validate it to prove interoperability,
 then the
  spec is a worthless digital piece of paper.
 
  So under that pretext, I welcome suggestions on how to interpret the
 spec
  you're proposing to some concrete implementations that can be verified
 for
  interoperability, and that are compatible with the existing and/or
 upcoming
  implementations for V3 API.
 
  -joe
 
  On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com
 wrote:
  Hi Joe,
  If I'm working across multiple tenants, I'd prefer one token that
 I
  can securely handle that proves access rights to the tenants I'm working
  with. Handling multiple tokens increases the complexity of clients
 needing
  to provide multi-tenancy access to an authenticated identity. It also
 adds
  more calls to keystone.
 
  Again, I think that having the keystone reference implementation
 restrict
  tokens to 1 tenant is fine. We shouldn't have such arbitrary
 restrictions in
  the API contract though. It needs to be extensible and flexible to
 allow for
  the all sorts of use cases that are likely to occur.
 
  Thanks,
  joe
 
  -Original Message-
  From: heckj [mailto:he...@mac.com]
  Sent: Tuesday, November 13, 2012 3:59 PM
  To: Joe Savak
  Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
  (openstack@lists.launchpad.net)
  Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
  representing authorization to projects/tenants in the Keystone V3 API
 
  Hey Joe:
 
  Currently a user scoped token doesn't include a service catalog -
 mostly
  because I think the service catalog generally requires tenant_id's to
  interpolate into the values to provide it. That doesn't mean we can't
 put
  in/include service catalog endpoints where that value doesn't need to be
  determined.
 
  I'm also questioning the value

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-15 Thread Jorge Williams

No, it's optional.

Token validation returns what it normally does.  The only thing belongs to does 
is that you fail token validation if the given tenant is not covered by the 
scope of the token.

-jOrGe W.

On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote:

 Is belongsTo mandatory? If not, what will token validation API return?
 
 {access: [list of tokens]}
 
 ?
 
 
 Guang
 
 
 -Original Message-
 From: Jorge Williams [mailto:jorge.willi...@rackspace.com] 
 Sent: Wednesday, November 14, 2012 2:47 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
 Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens representing
 authorization to projects/tenants in the Keystone V3 API
 
 From an API perspective the changes required are the following:
 
   1.  The validate call returns a list of tenants instead of a single
 tenant.
 
 If the tenant id is in the URI of the API, then the validation middleware
 can assert that the tenant id is in the list of IDs.
 
 Not sure if there's any additional changes, but I don't think so.
 
 An alternative approach is to use the belongsTo query parameter in the
 validate call.  So if you know the tenantId of the resource, you can issue a
 validate with ?belongsTo=tenatId  and validation if the tenant is not in
 the list of tenatIds for the token.  The belongsTo query parameter is in the
 validate token call in the API today
 
 http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val
 idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1
 356.html
 
 And we use it quite a bit in our implementation, when we validate tokens --
 that is in the case where a token may have access to multiple tenants.
 
 Thoughts?
 
 -jOrGe W.
 
 
 On Nov 14, 2012, at 3:53 PM, heckj wrote:
 
 If we're going to assert it's supported, we're doing an incredible
 dis-service to writing a spec to not implement that aspect of the spec, as
 that kind of set up just leads to incompatibilities and confusion when
 asserting how the spec should be used to provide interoperability.
 
 If we accept this as a spec addition, then we MUST have an implementation
 that makes it clear how we expect to interoperate with that aspect of the
 specification, even if it's a configuration option that we don't normally
 enable. If we don't test and validate it to prove interoperability, then the
 spec is a worthless digital piece of paper.
 
 So under that pretext, I welcome suggestions on how to interpret the spec
 you're proposing to some concrete implementations that can be verified for
 interoperability, and that are compatible with the existing and/or upcoming
 implementations for V3 API.
 
 -joe
 
 On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Hi Joe,
 If I'm working across multiple tenants, I'd prefer one token that I
 can securely handle that proves access rights to the tenants I'm working
 with. Handling multiple tokens increases the complexity of clients needing
 to provide multi-tenancy access to an authenticated identity. It also adds
 more calls to keystone. 
 
 Again, I think that having the keystone reference implementation restrict
 tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in
 the API contract though. It needs to be extensible and flexible to allow for
 the all sorts of use cases that are likely to occur.
 
 Thanks,
 joe
 
 -Original Message-
 From: heckj [mailto:he...@mac.com] 
 Sent: Tuesday, November 13, 2012 3:59 PM
 To: Joe Savak
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
 (openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
 representing authorization to projects/tenants in the Keystone V3 API
 
 Hey Joe:
 
 Currently a user scoped token doesn't include a service catalog - mostly
 because I think the service catalog generally requires tenant_id's to
 interpolate into the values to provide it. That doesn't mean we can't put
 in/include service catalog endpoints where that value doesn't need to be
 determined.
 
 I'm also questioning the value of providing a token scoped to all tenants
 associated with a user - that seems to have the same value as just using a
 user token. 
 
 In fact, even if we allow some arbitrary set of tenants to be scoped into
 a token along with a user, what on earth should be in the service catalog?
 Endpoints relevant to every possible tenant?
 
 This just seems to be a potential explosion of data that is poorly scoped
 from a security perspective.
 
 -joe
 
 On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Will user-scoped token include the full service catalog? 
 
 Also, I thought the consensus was to allow the API contract to be
 flexible on how many tenants we can scope the token to. The ref impl can
 enforce 1 tenant-scoped token. Are we diverging from this?
 
 Thanks,
 joe
 
 -Original Message

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-15 Thread Dolph Mathews

Without belongsTo, you can still validate the tenant scope client-side, so
it's a bit redundant. However, if you're making a HEAD call to validate the
token, you obviously need the server to do that additional validation for
you.


-Dolph


On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams 
jorge.willi...@rackspace.com wrote:

 No, it's optional.

 Token validation returns what it normally does.  The only thing belongs to
 does is that you fail token validation if the given tenant is not covered
 by the scope of the token.

 -jOrGe W.

 On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote:

  Is belongsTo mandatory? If not, what will token validation API return?
 
  {access: [list of tokens]}
 
  ?
 
 
  Guang
 
 
  -Original Message-
  From: Jorge Williams [mailto:jorge.willi...@rackspace.com]
  Sent: Wednesday, November 14, 2012 2:47 PM
  To: OpenStack Development Mailing List
  Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
  Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens
 representing
  authorization to projects/tenants in the Keystone V3 API
 
  From an API perspective the changes required are the following:
 
1.  The validate call returns a list of tenants instead of a single
  tenant.
 
  If the tenant id is in the URI of the API, then the validation middleware
  can assert that the tenant id is in the list of IDs.
 
  Not sure if there's any additional changes, but I don't think so.
 
  An alternative approach is to use the belongsTo query parameter in the
  validate call.  So if you know the tenantId of the resource, you can
 issue a
  validate with ?belongsTo=tenatId  and validation if the tenant is not
 in
  the list of tenatIds for the token.  The belongsTo query parameter is in
 the
  validate token call in the API today
 
 
 http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val
 
 idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1
  356.html
 
  And we use it quite a bit in our implementation, when we validate tokens
 --
  that is in the case where a token may have access to multiple tenants.
 
  Thoughts?
 
  -jOrGe W.
 
 
  On Nov 14, 2012, at 3:53 PM, heckj wrote:
 
  If we're going to assert it's supported, we're doing an incredible
  dis-service to writing a spec to not implement that aspect of the spec,
 as
  that kind of set up just leads to incompatibilities and confusion when
  asserting how the spec should be used to provide interoperability.
 
  If we accept this as a spec addition, then we MUST have an
 implementation
  that makes it clear how we expect to interoperate with that aspect of the
  specification, even if it's a configuration option that we don't normally
  enable. If we don't test and validate it to prove interoperability, then
 the
  spec is a worthless digital piece of paper.
 
  So under that pretext, I welcome suggestions on how to interpret the
 spec
  you're proposing to some concrete implementations that can be verified
 for
  interoperability, and that are compatible with the existing and/or
 upcoming
  implementations for V3 API.
 
  -joe
 
  On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote:
  Hi Joe,
  If I'm working across multiple tenants, I'd prefer one token that I
  can securely handle that proves access rights to the tenants I'm working
  with. Handling multiple tokens increases the complexity of clients
 needing
  to provide multi-tenancy access to an authenticated identity. It also
 adds
  more calls to keystone.
 
  Again, I think that having the keystone reference implementation
 restrict
  tokens to 1 tenant is fine. We shouldn't have such arbitrary
 restrictions in
  the API contract though. It needs to be extensible and flexible to allow
 for
  the all sorts of use cases that are likely to occur.
 
  Thanks,
  joe
 
  -Original Message-
  From: heckj [mailto:he...@mac.com]
  Sent: Tuesday, November 13, 2012 3:59 PM
  To: Joe Savak
  Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
  (openstack@lists.launchpad.net)
  Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
  representing authorization to projects/tenants in the Keystone V3 API
 
  Hey Joe:
 
  Currently a user scoped token doesn't include a service catalog -
 mostly
  because I think the service catalog generally requires tenant_id's to
  interpolate into the values to provide it. That doesn't mean we can't put
  in/include service catalog endpoints where that value doesn't need to be
  determined.
 
  I'm also questioning the value of providing a token scoped to all
 tenants
  associated with a user - that seems to have the same value as just using
 a
  user token.
 
  In fact, even if we allow some arbitrary set of tenants to be scoped
 into
  a token along with a user, what on earth should be in the service
 catalog?
  Endpoints relevant to every possible tenant?
 
  This just seems to be a potential explosion of data

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-15 Thread Jorge Williams

(inline)

On Nov 15, 2012, at 2:06 PM, Dolph Mathews wrote:

Without belongsTo, you can still validate the tenant scope client-side, so it's 
a bit redundant.

Not sure what you mean.  Can you be more specific?

However, if you're making a HEAD call to validate the token, you obviously need 
the server to do that additional validation for you.


Right.


-Dolph


On Thu, Nov 15, 2012 at 8:20 AM, Jorge Williams 
jorge.willi...@rackspace.commailto:jorge.willi...@rackspace.com wrote:
No, it's optional.

Token validation returns what it normally does.  The only thing belongs to does 
is that you fail token validation if the given tenant is not covered by the 
scope of the token.

-jOrGe W.

On Nov 14, 2012, at 11:18 PM, Yee, Guang wrote:

 Is belongsTo mandatory? If not, what will token validation API return?

 {access: [list of tokens]}

 ?


 Guang


 -Original Message-
 From: Jorge Williams 
 [mailto:jorge.willi...@rackspace.commailto:jorge.willi...@rackspace.com]
 Sent: Wednesday, November 14, 2012 2:47 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net 
 (openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net)
 Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens representing
 authorization to projects/tenants in the Keystone V3 API

 From an API perspective the changes required are the following:

   1.  The validate call returns a list of tenants instead of a single
 tenant.

 If the tenant id is in the URI of the API, then the validation middleware
 can assert that the tenant id is in the list of IDs.

 Not sure if there's any additional changes, but I don't think so.

 An alternative approach is to use the belongsTo query parameter in the
 validate call.  So if you know the tenantId of the resource, you can issue a
 validate with ?belongsTo=tenatId  and validation if the tenant is not in
 the list of tenatIds for the token.  The belongsTo query parameter is in the
 validate token call in the API today

 http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val
 idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1
 356.html

 And we use it quite a bit in our implementation, when we validate tokens --
 that is in the case where a token may have access to multiple tenants.

 Thoughts?

 -jOrGe W.


 On Nov 14, 2012, at 3:53 PM, heckj wrote:

 If we're going to assert it's supported, we're doing an incredible
 dis-service to writing a spec to not implement that aspect of the spec, as
 that kind of set up just leads to incompatibilities and confusion when
 asserting how the spec should be used to provide interoperability.

 If we accept this as a spec addition, then we MUST have an implementation
 that makes it clear how we expect to interoperate with that aspect of the
 specification, even if it's a configuration option that we don't normally
 enable. If we don't test and validate it to prove interoperability, then the
 spec is a worthless digital piece of paper.

 So under that pretext, I welcome suggestions on how to interpret the spec
 you're proposing to some concrete implementations that can be verified for
 interoperability, and that are compatible with the existing and/or upcoming
 implementations for V3 API.

 -joe

 On Nov 14, 2012, at 1:35 PM, Joe Savak 
 joe.sa...@rackspace.commailto:joe.sa...@rackspace.com wrote:
 Hi Joe,
 If I'm working across multiple tenants, I'd prefer one token that I
 can securely handle that proves access rights to the tenants I'm working
 with. Handling multiple tokens increases the complexity of clients needing
 to provide multi-tenancy access to an authenticated identity. It also adds
 more calls to keystone.

 Again, I think that having the keystone reference implementation restrict
 tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in
 the API contract though. It needs to be extensible and flexible to allow for
 the all sorts of use cases that are likely to occur.

 Thanks,
 joe

 -Original Message-
 From: heckj [mailto:he...@mac.commailto:he...@mac.com]
 Sent: Tuesday, November 13, 2012 3:59 PM
 To: Joe Savak
 Cc: OpenStack Development Mailing List; 
 openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
 (openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
 representing authorization to projects/tenants in the Keystone V3 API

 Hey Joe:

 Currently a user scoped token doesn't include a service catalog - mostly
 because I think the service catalog generally requires tenant_id's to
 interpolate into the values to provide it. That doesn't mean we can't put
 in/include service catalog endpoints where that value doesn't need to be
 determined.

 I'm also questioning the value of providing a token scoped to all tenants
 associated with a user - that seems to have the same value as just using a
 user token

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-14 Thread Joe Savak

Hi Joe,
If I'm working across multiple tenants, I'd prefer one token that I can 
securely handle that proves access rights to the tenants I'm working with. 
Handling multiple tokens increases the complexity of clients needing to provide 
multi-tenancy access to an authenticated identity. It also adds more calls to 
keystone. 

Again, I think that having the keystone reference implementation restrict 
tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in 
the API contract though. It needs to be extensible and flexible to allow for 
the all sorts of use cases that are likely to occur.

Thanks,
joe

-Original Message-
From: heckj [mailto:he...@mac.com] 
Sent: Tuesday, November 13, 2012 3:59 PM
To: Joe Savak
Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net 
(openstack@lists.launchpad.net)
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
authorization to projects/tenants in the Keystone V3 API

Hey Joe:

Currently a user scoped token doesn't include a service catalog - mostly 
because I think the service catalog generally requires tenant_id's to 
interpolate into the values to provide it. That doesn't mean we can't put 
in/include service catalog endpoints where that value doesn't need to be 
determined.

I'm also questioning the value of providing a token scoped to all tenants 
associated with a user - that seems to have the same value as just using a user 
token. 

In fact, even if we allow some arbitrary set of tenants to be scoped into a 
token along with a user, what on earth should be in the service catalog? 
Endpoints relevant to every possible tenant?

This just seems to be a potential explosion of data that is poorly scoped from 
a security perspective.

-joe

On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Will user-scoped token include the full service catalog? 
 
 Also, I thought the consensus was to allow the API contract to be flexible on 
 how many tenants we can scope the token to. The ref impl can enforce 1 
 tenant-scoped token. Are we diverging from this?
 
 Thanks,
 joe
 
 -Original Message-
 From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net 
 [mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On 
 Behalf Of heckj
 Sent: Tuesday, November 13, 2012 1:34 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
 authorization to projects/tenants in the Keystone V3 API
 
 
 On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
 wrote:
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such 
 that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation -- 
 where a single identity may be issued revokable access to a set of resources 
 in multiple projects.
 
 The consensus from the folks weighing in on this from a security perspective 
 seems to be that it's kosher to restrict tokens further (the least privilege 
 thing). Broadening the scope to multiple tenants or sets of tenants doesn't 
 appear to follow those best practices. If you wanted to accept a less-scoped 
 token than the scoped to single tenant, you can accept and use a user-scoped 
 token, at least by my read.
 
 -joe
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-14 Thread heckj

If we're going to assert it's supported, we're doing an incredible dis-service 
to writing a spec to not implement that aspect of the spec, as that kind of set 
up just leads to incompatibilities and confusion when asserting how the spec 
should be used to provide interoperability.

If we accept this as a spec addition, then we MUST have an implementation that 
makes it clear how we expect to interoperate with that aspect of the 
specification, even if it's a configuration option that we don't normally 
enable. If we don't test and validate it to prove interoperability, then the 
spec is a worthless digital piece of paper.

So under that pretext, I welcome suggestions on how to interpret the spec 
you're proposing to some concrete implementations that can be verified for 
interoperability, and that are compatible with the existing and/or upcoming 
implementations for V3 API.

-joe

On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Hi Joe,
   If I'm working across multiple tenants, I'd prefer one token that I can 
 securely handle that proves access rights to the tenants I'm working with. 
 Handling multiple tokens increases the complexity of clients needing to 
 provide multi-tenancy access to an authenticated identity. It also adds more 
 calls to keystone. 
 
 Again, I think that having the keystone reference implementation restrict 
 tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in 
 the API contract though. It needs to be extensible and flexible to allow for 
 the all sorts of use cases that are likely to occur.
 
 Thanks,
 joe
 
 -Original Message-
 From: heckj [mailto:he...@mac.com] 
 Sent: Tuesday, November 13, 2012 3:59 PM
 To: Joe Savak
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net 
 (openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
 authorization to projects/tenants in the Keystone V3 API
 
 Hey Joe:
 
 Currently a user scoped token doesn't include a service catalog - mostly 
 because I think the service catalog generally requires tenant_id's to 
 interpolate into the values to provide it. That doesn't mean we can't put 
 in/include service catalog endpoints where that value doesn't need to be 
 determined.
 
 I'm also questioning the value of providing a token scoped to all tenants 
 associated with a user - that seems to have the same value as just using a 
 user token. 
 
 In fact, even if we allow some arbitrary set of tenants to be scoped into a 
 token along with a user, what on earth should be in the service catalog? 
 Endpoints relevant to every possible tenant?
 
 This just seems to be a potential explosion of data that is poorly scoped 
 from a security perspective.
 
 -joe
 
 On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Will user-scoped token include the full service catalog? 
 
 Also, I thought the consensus was to allow the API contract to be flexible 
 on how many tenants we can scope the token to. The ref impl can enforce 1 
 tenant-scoped token. Are we diverging from this?
 
 Thanks,
 joe
 
 -Original Message-
 From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net 
 [mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On 
 Behalf Of heckj
 Sent: Tuesday, November 13, 2012 1:34 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
 authorization to projects/tenants in the Keystone V3 API
 
 
 On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
 wrote:
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 So maintaining a token scoped to just the user, and a mechanism to scope 
 it to a tenant sound like all goodness. We can absolutely keep the API 
 such that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a 
 user for the services, they'd need a different middleware there. Keystone 
 as a service *doesn't* use the auth_token middleware, so with the V3 API 
 we can make it provide services appropriately based on a token scoped only 
 to the user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation 
 -- where a single identity may

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-14 Thread Jorge Williams

From an API perspective the changes required are the following:

1. The validate call returns a list of tenants instead of a single
tenant.

If the tenant id is in the URI of the API, then the validation middleware can
assert that the tenant id is in the list of IDs.

Not sure if there's any additional changes, but I don't think so.

An alternative approach is to use the belongsTo query parameter in the validate
call. So if you know the tenantId of the resource, you can issue a validate
with ?belongsTo=tenatId and validation if the tenant is not in the list of
tenatIds for the token. The belongsTo query parameter is in the validate token
call in the API today

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1356.html

And we use it quite a bit in our implementation, when we validate tokens --
that is in the case where a token may have access to multiple tenants.

Thoughts?

-jOrGe W.

On Nov 14, 2012, at 3:53 PM, heckj wrote:

If we're going to assert it's supported, we're doing an incredible
dis-service to writing a spec to not implement that aspect of the spec, as
that kind of set up just leads to incompatibilities and confusion when
asserting how the spec should be used to provide interoperability.

If we accept this as a spec addition, then we MUST have an implementation
that makes it clear how we expect to interoperate with that aspect of the
specification, even if it's a configuration option that we don't normally
enable. If we don't test and validate it to prove interoperability, then the
spec is a worthless digital piece of paper.

So under that pretext, I welcome suggestions on how to interpret the spec
you're proposing to some concrete implementations that can be verified for
interoperability, and that are compatible with the existing and/or upcoming
implementations for V3 API.

-joe

On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote:
Hi Joe,
If I'm working across multiple tenants, I'd prefer one token that I can
securely handle that proves access rights to the tenants I'm working with.
Handling multiple tokens increases the complexity of clients needing to
provide multi-tenancy access to an authenticated identity. It also adds more
calls to keystone.

Again, I think that having the keystone reference implementation restrict
tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in
the API contract though. It needs to be extensible and flexible to allow for
the all sorts of use cases that are likely to occur.

Thanks,
joe

-Original Message-
From: heckj [mailto:he...@mac.com]
Sent: Tuesday, November 13, 2012 3:59 PM
To: Joe Savak
Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
(openstack@lists.launchpad.net)
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing
authorization to projects/tenants in the Keystone V3 API

Hey Joe:

Currently a user scoped token doesn't include a service catalog - mostly
because I think the service catalog generally requires tenant_id's to
interpolate into the values to provide it. That doesn't mean we can't put
in/include service catalog endpoints where that value doesn't need to be
determined.

I'm also questioning the value of providing a token scoped to all tenants
associated with a user - that seems to have the same value as just using a
user token.

In fact, even if we allow some arbitrary set of tenants to be scoped into a
token along with a user, what on earth should be in the service catalog?
Endpoints relevant to every possible tenant?

This just seems to be a potential explosion of data that is poorly scoped
from a security perspective.

-joe

On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
Will user-scoped token include the full service catalog?

Also, I thought the consensus was to allow the API contract to be flexible
on how many tenants we can scope the token to. The ref impl can enforce 1
tenant-scoped token. Are we diverging from this?

Thanks,
joe

-Original Message-
From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net
[mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On
Behalf Of heckj
Sent: Tuesday, November 13, 2012 1:34 PM
To: OpenStack Development Mailing List
Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
representing authorization to projects/tenants in the Keystone V3 API

On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com
wrote:
On Nov 13, 2012, at 11:35 AM, heckj wrote:
So maintaining a token scoped to just the user, and a mechanism to scope
it to a tenant sound like all goodness. We can absolutely keep the API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-14 Thread Yee, Guang

Is belongsTo mandatory? If not, what will token validation API return?

{access: [list of tokens]}

?


Guang


-Original Message-
From: Jorge Williams [mailto:jorge.willi...@rackspace.com] 
Sent: Wednesday, November 14, 2012 2:47 PM
To: OpenStack Development Mailing List
Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: Re: [openstack-dev] [Openstack] Fwd: [keystone] Tokens representing
authorization to projects/tenants in the Keystone V3 API

From an API perspective the changes required are the following:

1.  The validate call returns a list of tenants instead of a single
tenant.

If the tenant id is in the URI of the API, then the validation middleware
can assert that the tenant id is in the list of IDs.

Not sure if there's any additional changes, but I don't think so.

An alternative approach is to use the belongsTo query parameter in the
validate call.  So if you know the tenantId of the resource, you can issue a
validate with ?belongsTo=tenatId  and validation if the tenant is not in
the list of tenatIds for the token.  The belongsTo query parameter is in the
validate token call in the API today

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_val
idateToken_v2.0_tokens__tokenId__Admin_API_Service_Developer_Operations-d1e1
356.html

And we use it quite a bit in our implementation, when we validate tokens --
that is in the case where a token may have access to multiple tenants.

Thoughts?

-jOrGe W.


On Nov 14, 2012, at 3:53 PM, heckj wrote:

 If we're going to assert it's supported, we're doing an incredible
dis-service to writing a spec to not implement that aspect of the spec, as
that kind of set up just leads to incompatibilities and confusion when
asserting how the spec should be used to provide interoperability.
 
 If we accept this as a spec addition, then we MUST have an implementation
that makes it clear how we expect to interoperate with that aspect of the
specification, even if it's a configuration option that we don't normally
enable. If we don't test and validate it to prove interoperability, then the
spec is a worthless digital piece of paper.
 
 So under that pretext, I welcome suggestions on how to interpret the spec
you're proposing to some concrete implementations that can be verified for
interoperability, and that are compatible with the existing and/or upcoming
implementations for V3 API.
 
 -joe
 
 On Nov 14, 2012, at 1:35 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Hi Joe,
  If I'm working across multiple tenants, I'd prefer one token that I
can securely handle that proves access rights to the tenants I'm working
with. Handling multiple tokens increases the complexity of clients needing
to provide multi-tenancy access to an authenticated identity. It also adds
more calls to keystone. 
 
 Again, I think that having the keystone reference implementation restrict
tokens to 1 tenant is fine. We shouldn't have such arbitrary restrictions in
the API contract though. It needs to be extensible and flexible to allow for
the all sorts of use cases that are likely to occur.
 
 Thanks,
 joe
 
 -Original Message-
 From: heckj [mailto:he...@mac.com] 
 Sent: Tuesday, November 13, 2012 3:59 PM
 To: Joe Savak
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
(openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens
representing authorization to projects/tenants in the Keystone V3 API
 
 Hey Joe:
 
 Currently a user scoped token doesn't include a service catalog - mostly
because I think the service catalog generally requires tenant_id's to
interpolate into the values to provide it. That doesn't mean we can't put
in/include service catalog endpoints where that value doesn't need to be
determined.
 
 I'm also questioning the value of providing a token scoped to all tenants
associated with a user - that seems to have the same value as just using a
user token. 
 
 In fact, even if we allow some arbitrary set of tenants to be scoped into
a token along with a user, what on earth should be in the service catalog?
Endpoints relevant to every possible tenant?
 
 This just seems to be a potential explosion of data that is poorly scoped
from a security perspective.
 
 -joe
 
 On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Will user-scoped token include the full service catalog? 
 
 Also, I thought the consensus was to allow the API contract to be
flexible on how many tenants we can scope the token to. The ref impl can
enforce 1 tenant-scoped token. Are we diverging from this?
 
 Thanks,
 joe
 
 -Original Message-
 From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net
[mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On
Behalf Of heckj
 Sent: Tuesday, November 13, 2012 1:34 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
 Subject: Re

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Adam Young


On 11/10/2012 10:58 AM, David Chadwick wrote:
I agree with the vast majority of what Jorge says below. The idea I 
would like to bounce around is that of the unscoped token.


What does it mean conceptually? What is its purpose? Why do we need 
it? Why should a user be given an unscoped token to exchange at a 
later time for a scoped token?


My view is as follows:
i) a user is authenticated and identified, and from this, keystone can 
see that the user has access to a number of different tenants and 
services. Keystone creates an unscoped token to encapsulate this. Note 
that the unscoped token is scoped to the services/tenants available to 
this user, and consequently it is different for each identified user. 
Thus it does have some scope i.e. it cannot be swapped for access to 
any service by any tenant.
ii) the user must choose which service/tenant he wishes to activate. 
This is in line with the principle of least privileges.
iii) the user informs keystone which service(s) and tenant(s) he 
wishes to access and Keystone swaps the unscoped token for one that is 
scoped to the choice of the user.


The issue then becomes, what is the allowable scope of a scoped token? 
Jorge below believes it should cover multiple 
services/endpoints/tenants. So one must then ask, what is the 
difference between the most widely scoped scoped-token and the 
unscoped token? Surely they will have the same scope won't they? In 
which case there is no need for both concepts.


let's compare with Kerberos:  In my view an unscoped token is 
comparaable with a ticket granting ticket:  it cannot be used with any 
service other than the KDC, and it can only be used to get service 
tickets. A service ticket can only be used with a specific service.  If 
that service gets compromised, any tickets it has are useless for access 
to other resources.



If an unscoped token can be used against a wide array of services, we 
have just provided a path for an elevation of privileges attack. If I 
know that a service consumes tokens which can be used on a wide number 
of other services, I can target my attacks against that service in order 
to get access everywhere.


If we are going to provide this functionality, it should be turned off 
by default.




Comments please

regards

David

On 23/10/2012 06:25, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea.
  Disabling the option by default.  That's fine too.

On scoping a token to a specific endpoint:  That's fine, though I
believe that that's in the API today.  Currently, the way that we scope
tokens to endpoints is by validating against the service catalog. I'm
not sure if the default middleware checks for this yet, but the Repose
middleware does.  If you try to use a token in an endpoint that's not in
the service catalog the request fails -- well, if the check is turned 
on.


Obviously, I'd like the idea of scoping a single token to multiple
tenants / endpoints.

I don't like the idea of calling tokens sloppy tokens -- it's
confusing.   All you have to say is that a token has a scope -- and the
scope of the token is the set of resources that the token can provide
access to.  You can limit the scope of a token to a tenant, to a
endpoint, to a set of endpoints or tenants etc -- what limits you place
on the scope of an individual token should be up to the operator.

Keep in mind that as we start digging into delegation and fine grained
authorization (after Grizzly, I'm sure), we'll end up with tokens that
have a scope of a subset of resources in a single or multiple tenants.
  So calling them sloppy now is just confusing.  Simply stating that a
token has a scope (as I've defined above) should suffice.  This is part
of the reason why I've never liked the term unscoped token, because an
unscoped token does have a scope. It just so happens that the scope of
that token is the resource that provides a list of available tenants.

-jOrGe W.

On Oct 22, 2012, at 9:57 PM, Adam Young wrote:


Are you guys +1 ing the original Idea, my suggestion to make it
optional, the fact that I think we should call these sloppy tokens?

On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible
enough to allow the token to be scoped in a manner that the deployer
sees fit.  What the keystone implementation does by default is a
different matter -- and disabling multiple tenant  scope by default
would be fine by me.

-jOrGe W.


On Oct 21, 2012, at 11:10 AM, Joe Savak wrote:


+1. ;)

So the issue is that the v2 API contract allows a token to be scoped
to multiple tenants. For v3, I'd like to have the same flexibility.
I don't see security issues, as if a token were to be sniffed you
can change the password of the account using it and use those creds
to scope tokens to any tenant you wish.

Scope should always be kept as limited as possible. Personally, I
don't feel like limiting the tenant

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread David Chadwick


Hi Adam

you have pointed out an important difference between an unscoped token 
and a scoped one. The former can only be used with keystone, the latter 
with a cloud service. This also implies that a scoped token can only 
have the scope of a single service, and not multiple services. The user 
must swap the unscoped token for a set of scoped tokens if he wishes to 
access a set of cloud services.


This model is clean and consistent.

Concerning your attack scenario, then the best point of attack is either 
the client (steal his token(s)) or Keystone (get access to any service)


regards

David

On 13/11/2012 14:38, Adam Young wrote:

On 11/10/2012 10:58 AM, David Chadwick wrote:

I agree with the vast majority of what Jorge says below. The idea I
would like to bounce around is that of the unscoped token.

What does it mean conceptually? What is its purpose? Why do we need
it? Why should a user be given an unscoped token to exchange at a
later time for a scoped token?

My view is as follows:
i) a user is authenticated and identified, and from this, keystone can
see that the user has access to a number of different tenants and
services. Keystone creates an unscoped token to encapsulate this. Note
that the unscoped token is scoped to the services/tenants available to
this user, and consequently it is different for each identified user.
Thus it does have some scope i.e. it cannot be swapped for access to
any service by any tenant.
ii) the user must choose which service/tenant he wishes to activate.
This is in line with the principle of least privileges.
iii) the user informs keystone which service(s) and tenant(s) he
wishes to access and Keystone swaps the unscoped token for one that is
scoped to the choice of the user.

The issue then becomes, what is the allowable scope of a scoped token?
Jorge below believes it should cover multiple
services/endpoints/tenants. So one must then ask, what is the
difference between the most widely scoped scoped-token and the
unscoped token? Surely they will have the same scope won't they? In
which case there is no need for both concepts.


let's compare with Kerberos:  In my view an unscoped token is
comparaable with a ticket granting ticket:  it cannot be used with any
service other than the KDC, and it can only be used to get service
tickets. A service ticket can only be used with a specific service.  If
that service gets compromised, any tickets it has are useless for access
to other resources.


If an unscoped token can be used against a wide array of services, we
have just provided a path for an elevation of privileges attack. If I
know that a service consumes tokens which can be used on a wide number
of other services, I can target my attacks against that service in order
to get access everywhere.

If we are going to provide this functionality, it should be turned off
by default.



Comments please

regards

David

On 23/10/2012 06:25, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea.
  Disabling the option by default.  That's fine too.

On scoping a token to a specific endpoint:  That's fine, though I
believe that that's in the API today.  Currently, the way that we scope
tokens to endpoints is by validating against the service catalog. I'm
not sure if the default middleware checks for this yet, but the Repose
middleware does.  If you try to use a token in an endpoint that's not in
the service catalog the request fails -- well, if the check is turned
on.

Obviously, I'd like the idea of scoping a single token to multiple
tenants / endpoints.

I don't like the idea of calling tokens sloppy tokens -- it's
confusing.   All you have to say is that a token has a scope -- and the
scope of the token is the set of resources that the token can provide
access to.  You can limit the scope of a token to a tenant, to a
endpoint, to a set of endpoints or tenants etc -- what limits you place
on the scope of an individual token should be up to the operator.

Keep in mind that as we start digging into delegation and fine grained
authorization (after Grizzly, I'm sure), we'll end up with tokens that
have a scope of a subset of resources in a single or multiple tenants.
  So calling them sloppy now is just confusing.  Simply stating that a
token has a scope (as I've defined above) should suffice.  This is part
of the reason why I've never liked the term unscoped token, because an
unscoped token does have a scope. It just so happens that the scope of
that token is the resource that provides a list of available tenants.

-jOrGe W.

On Oct 22, 2012, at 9:57 PM, Adam Young wrote:


Are you guys +1 ing the original Idea, my suggestion to make it
optional, the fact that I think we should call these sloppy tokens?

On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible
enough to allow the token to be scoped in a manner that the deployer
sees fit.  What the

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Yee, Guang

An unscoped token is basically implicitly scoped to Keystone service right?
One should be able to use an unscoped token to reset his password, and ask
Keystone for information pertaining to himself, such as what are his roles,
what services/endpoints are available to him, and what are his tenants, etc.
This is helpful for administration UIs such as MC.

There's a blueprint to address the need to scope the token down to the
service or endpoint level. Basically, service and endpoint isolation.

https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-
delegation
http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation

It also addresses the intricacies of role delegation, which should be very
beneficial for cloud services.



Guang



-Original Message-
From: openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of
David Chadwick
Sent: Tuesday, November 13, 2012 7:32 AM
To: Adam Young
Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing
authorization to projects/tenants in the Keystone V3 API

Hi Adam

you have pointed out an important difference between an unscoped token 
and a scoped one. The former can only be used with keystone, the latter 
with a cloud service. This also implies that a scoped token can only 
have the scope of a single service, and not multiple services. The user 
must swap the unscoped token for a set of scoped tokens if he wishes to 
access a set of cloud services.

This model is clean and consistent.

Concerning your attack scenario, then the best point of attack is either 
the client (steal his token(s)) or Keystone (get access to any service)

regards

David

On 13/11/2012 14:38, Adam Young wrote:
 On 11/10/2012 10:58 AM, David Chadwick wrote:
 I agree with the vast majority of what Jorge says below. The idea I
 would like to bounce around is that of the unscoped token.

 What does it mean conceptually? What is its purpose? Why do we need
 it? Why should a user be given an unscoped token to exchange at a
 later time for a scoped token?

 My view is as follows:
 i) a user is authenticated and identified, and from this, keystone can
 see that the user has access to a number of different tenants and
 services. Keystone creates an unscoped token to encapsulate this. Note
 that the unscoped token is scoped to the services/tenants available to
 this user, and consequently it is different for each identified user.
 Thus it does have some scope i.e. it cannot be swapped for access to
 any service by any tenant.
 ii) the user must choose which service/tenant he wishes to activate.
 This is in line with the principle of least privileges.
 iii) the user informs keystone which service(s) and tenant(s) he
 wishes to access and Keystone swaps the unscoped token for one that is
 scoped to the choice of the user.

 The issue then becomes, what is the allowable scope of a scoped token?
 Jorge below believes it should cover multiple
 services/endpoints/tenants. So one must then ask, what is the
 difference between the most widely scoped scoped-token and the
 unscoped token? Surely they will have the same scope won't they? In
 which case there is no need for both concepts.

 let's compare with Kerberos:  In my view an unscoped token is
 comparaable with a ticket granting ticket:  it cannot be used with any
 service other than the KDC, and it can only be used to get service
 tickets. A service ticket can only be used with a specific service.  If
 that service gets compromised, any tickets it has are useless for access
 to other resources.


 If an unscoped token can be used against a wide array of services, we
 have just provided a path for an elevation of privileges attack. If I
 know that a service consumes tokens which can be used on a wide number
 of other services, I can target my attacks against that service in order
 to get access everywhere.

 If we are going to provide this functionality, it should be turned off
 by default.


 Comments please

 regards

 David

 On 23/10/2012 06:25, Jorge Williams wrote:
 Here's my view:

 On making the default token a configuration option:  Like the idea.
   Disabling the option by default.  That's fine too.

 On scoping a token to a specific endpoint:  That's fine, though I
 believe that that's in the API today.  Currently, the way that we scope
 tokens to endpoints is by validating against the service catalog. I'm
 not sure if the default middleware checks for this yet, but the Repose
 middleware does.  If you try to use a token in an endpoint that's not in
 the service catalog the request fails -- well, if the check is turned
 on.

 Obviously, I'd like the idea of scoping a single token to multiple
 tenants / endpoints.

 I don't like the idea of calling tokens sloppy tokens -- it's
 confusing.   All you have to say is that a token has a scope

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread David Chadwick


Hi Guang


On 13/11/2012 16:14, Yee, Guang wrote:

An unscoped token is basically implicitly scoped to Keystone service right?
One should be able to use an unscoped token to reset his password, and ask
Keystone for information pertaining to himself, such as what are his roles,
what services/endpoints are available to him, and what are his tenants, etc.
This is helpful for administration UIs such as MC.


agreed



There's a blueprint to address the need to scope the token down to the
service or endpoint level. Basically, service and endpoint isolation.


I have read your blueprint and I have some comments/questions on it. How 
do you want these to be addressed? By email, or by edits to you blueprint?


regards

David



https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-
delegation
http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation

It also addresses the intricacies of role delegation, which should be very
beneficial for cloud services.



Guang



-Original Message-
From: openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of
David Chadwick
Sent: Tuesday, November 13, 2012 7:32 AM
To: Adam Young
Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing
authorization to projects/tenants in the Keystone V3 API

Hi Adam

you have pointed out an important difference between an unscoped token
and a scoped one. The former can only be used with keystone, the latter
with a cloud service. This also implies that a scoped token can only
have the scope of a single service, and not multiple services. The user
must swap the unscoped token for a set of scoped tokens if he wishes to
access a set of cloud services.

This model is clean and consistent.

Concerning your attack scenario, then the best point of attack is either
the client (steal his token(s)) or Keystone (get access to any service)

regards

David

On 13/11/2012 14:38, Adam Young wrote:

On 11/10/2012 10:58 AM, David Chadwick wrote:

I agree with the vast majority of what Jorge says below. The idea I
would like to bounce around is that of the unscoped token.

What does it mean conceptually? What is its purpose? Why do we need
it? Why should a user be given an unscoped token to exchange at a
later time for a scoped token?

My view is as follows:
i) a user is authenticated and identified, and from this, keystone can
see that the user has access to a number of different tenants and
services. Keystone creates an unscoped token to encapsulate this. Note
that the unscoped token is scoped to the services/tenants available to
this user, and consequently it is different for each identified user.
Thus it does have some scope i.e. it cannot be swapped for access to
any service by any tenant.
ii) the user must choose which service/tenant he wishes to activate.
This is in line with the principle of least privileges.
iii) the user informs keystone which service(s) and tenant(s) he
wishes to access and Keystone swaps the unscoped token for one that is
scoped to the choice of the user.

The issue then becomes, what is the allowable scope of a scoped token?
Jorge below believes it should cover multiple
services/endpoints/tenants. So one must then ask, what is the
difference between the most widely scoped scoped-token and the
unscoped token? Surely they will have the same scope won't they? In
which case there is no need for both concepts.


let's compare with Kerberos:  In my view an unscoped token is
comparaable with a ticket granting ticket:  it cannot be used with any
service other than the KDC, and it can only be used to get service
tickets. A service ticket can only be used with a specific service.  If
that service gets compromised, any tickets it has are useless for access
to other resources.


If an unscoped token can be used against a wide array of services, we
have just provided a path for an elevation of privileges attack. If I
know that a service consumes tokens which can be used on a wide number
of other services, I can target my attacks against that service in order
to get access everywhere.

If we are going to provide this functionality, it should be turned off
by default.



Comments please

regards

David

On 23/10/2012 06:25, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea.
   Disabling the option by default.  That's fine too.

On scoping a token to a specific endpoint:  That's fine, though I
believe that that's in the API today.  Currently, the way that we scope
tokens to endpoints is by validating against the service catalog. I'm
not sure if the default middleware checks for this yet, but the Repose
middleware does.  If you try to use a token in an endpoint that's not in
the service catalog the request fails -- well, if the check is turned
on.

Obviously, I'd like the idea

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread heckj

So maintaining a token scoped to just the user, and a mechanism to scope it to 
a tenant sound like all goodness. We can absolutely keep the API such that it 
can provide either. 

Right now, our auth_token middleware implicitly requires a tenant in that 
scoping to work. If someone wanted to support a token scoped to just a user for 
the services, they'd need a different middleware there. Keystone as a service 
*doesn't* use the auth_token middleware, so with the V3 API we can make it 
provide services appropriately based on a token scoped only to the user.

All that in place, allow a token to be indeterminate scoped to multiple tenants 
is fraught with security flaws, and if we continue to provide unscoped tokens, 
that should obviate the need for token scoped to multiple tenants. 

- joe


On Nov 13, 2012, at 9:17 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:
 Hi Guang
 
 On 13/11/2012 16:14, Yee, Guang wrote:
 An unscoped token is basically implicitly scoped to Keystone service right?
 One should be able to use an unscoped token to reset his password, and ask
 Keystone for information pertaining to himself, such as what are his roles,
 what services/endpoints are available to him, and what are his tenants, etc.
 This is helpful for administration UIs such as MC.
 
 agreed
 
 There's a blueprint to address the need to scope the token down to the
 service or endpoint level. Basically, service and endpoint isolation.
 
 I have read your blueprint and I have some comments/questions on it. How do 
 you want these to be addressed? By email, or by edits to you blueprint?
 
 regards
 
 David
 
 
 https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-
 delegation
 http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation
 
 It also addresses the intricacies of role delegation, which should be very
 beneficial for cloud services.
 
 
 
 Guang
 
 
 
 -Original Message-
 From: openstack-bounces+guang.yee=hp@lists.launchpad.net
 [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of
 David Chadwick
 Sent: Tuesday, November 13, 2012 7:32 AM
 To: Adam Young
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing
 authorization to projects/tenants in the Keystone V3 API
 
 Hi Adam
 
 you have pointed out an important difference between an unscoped token
 and a scoped one. The former can only be used with keystone, the latter
 with a cloud service. This also implies that a scoped token can only
 have the scope of a single service, and not multiple services. The user
 must swap the unscoped token for a set of scoped tokens if he wishes to
 access a set of cloud services.
 
 This model is clean and consistent.
 
 Concerning your attack scenario, then the best point of attack is either
 the client (steal his token(s)) or Keystone (get access to any service)
 
 regards
 
 David
 
 On 13/11/2012 14:38, Adam Young wrote:
 On 11/10/2012 10:58 AM, David Chadwick wrote:
 I agree with the vast majority of what Jorge says below. The idea I
 would like to bounce around is that of the unscoped token.
 
 What does it mean conceptually? What is its purpose? Why do we need
 it? Why should a user be given an unscoped token to exchange at a
 later time for a scoped token?
 
 My view is as follows:
 i) a user is authenticated and identified, and from this, keystone can
 see that the user has access to a number of different tenants and
 services. Keystone creates an unscoped token to encapsulate this. Note
 that the unscoped token is scoped to the services/tenants available to
 this user, and consequently it is different for each identified user.
 Thus it does have some scope i.e. it cannot be swapped for access to
 any service by any tenant.
 ii) the user must choose which service/tenant he wishes to activate.
 This is in line with the principle of least privileges.
 iii) the user informs keystone which service(s) and tenant(s) he
 wishes to access and Keystone swaps the unscoped token for one that is
 scoped to the choice of the user.
 
 The issue then becomes, what is the allowable scope of a scoped token?
 Jorge below believes it should cover multiple
 services/endpoints/tenants. So one must then ask, what is the
 difference between the most widely scoped scoped-token and the
 unscoped token? Surely they will have the same scope won't they? In
 which case there is no need for both concepts.
 
 let's compare with Kerberos:  In my view an unscoped token is
 comparaable with a ticket granting ticket:  it cannot be used with any
 service other than the KDC, and it can only be used to get service
 tickets. A service ticket can only be used with a specific service.  If
 that service gets compromised, any tickets it has are useless for access
 to other resources.
 
 
 If an unscoped token can be used against a wide array of services, we
 have just provided a path

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread David Chadwick


seems like we need a clear design for next generation tokens that
everyone can agree on. But also an extensible design to cater for 
outliers. In our federation design doc we show the Token Issuing Service 
and Token Validation Service as plugin modules to Keystone that can be 
replaces so that outliers can replace the standard service with one of 
their own choosing


regards

David


On 13/11/2012 17:35, heckj wrote:

So maintaining a token scoped to just the user, and a mechanism to
scope it to a tenant sound like all goodness. We can absolutely keep
the API such that it can provide either.

Right now, our auth_token middleware implicitly requires a tenant in
that scoping to work. If someone wanted to support a token scoped to
just a user for the services, they'd need a different middleware
there. Keystone as a service *doesn't* use the auth_token middleware,
so with the V3 API we can make it provide services appropriately
based on a token scoped only to the user.

All that in place, allow a token to be indeterminate scoped to
multiple tenants is fraught with security flaws, and if we continue
to provide unscoped tokens, that should obviate the need for token
scoped to multiple tenants.

- joe


On Nov 13, 2012, at 9:17 AM, David Chadwick d.w.chadw...@kent.ac.uk
wrote:

Hi Guang

On 13/11/2012 16:14, Yee, Guang wrote:

An unscoped token is basically implicitly scoped to Keystone
service right? One should be able to use an unscoped token to
reset his password, and ask Keystone for information pertaining
to himself, such as what are his roles, what services/endpoints
are available to him, and what are his tenants, etc. This is
helpful for administration UIs such as MC.


agreed


There's a blueprint to address the need to scope the token down
to the service or endpoint level. Basically, service and endpoint
isolation.


I have read your blueprint and I have some comments/questions on
it. How do you want these to be addressed? By email, or by edits to
you blueprint?

regards

David



https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-



delegation

http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation




It also addresses the intricacies of role delegation, which should be very

beneficial for cloud services.



Guang



-Original Message- From:
openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net]
On Behalf Of David Chadwick Sent: Tuesday, November 13, 2012 7:32
AM To: Adam Young Cc: OpenStack Development Mailing List;
openstack@lists.launchpad.net Subject: Re: [Openstack]
[openstack-dev] Fwd: [keystone] Tokens representing authorization
to projects/tenants in the Keystone V3 API

Hi Adam

you have pointed out an important difference between an unscoped
token and a scoped one. The former can only be used with
keystone, the latter with a cloud service. This also implies that
a scoped token can only have the scope of a single service, and
not multiple services. The user must swap the unscoped token for
a set of scoped tokens if he wishes to access a set of cloud
services.

This model is clean and consistent.

Concerning your attack scenario, then the best point of attack is
either the client (steal his token(s)) or Keystone (get access to
any service)

regards

David

On 13/11/2012 14:38, Adam Young wrote:

On 11/10/2012 10:58 AM, David Chadwick wrote:

I agree with the vast majority of what Jorge says below. The
idea I would like to bounce around is that of the unscoped
token.

What does it mean conceptually? What is its purpose? Why do
we need it? Why should a user be given an unscoped token to
exchange at a later time for a scoped token?

My view is as follows: i) a user is authenticated and
identified, and from this, keystone can see that the user has
access to a number of different tenants and services.
Keystone creates an unscoped token to encapsulate this. Note
that the unscoped token is scoped to the services/tenants
available to this user, and consequently it is different for
each identified user. Thus it does have some scope i.e. it
cannot be swapped for access to any service by any tenant.
ii) the user must choose which service/tenant he wishes to
activate. This is in line with the principle of least
privileges. iii) the user informs keystone which service(s)
and tenant(s) he wishes to access and Keystone swaps the
unscoped token for one that is scoped to the choice of the
user.

The issue then becomes, what is the allowable scope of a
scoped token? Jorge below believes it should cover multiple
services/endpoints/tenants. So one must then ask, what is
the difference between the most widely scoped scoped-token
and the unscoped token? Surely they will have the same scope
won't they? In which case there is no need for both
concepts.


let's compare with Kerberos:  In my view an unscoped token is
comparaable with a ticket granting ticket:  it cannot be used
with any service other

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Jorge Williams


On Nov 13, 2012, at 11:35 AM, heckj wrote:

 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such that 
 it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 

I'm not sure I'm following you there.  I don't see how unscoped tokens obviate 
the need to scope to multiple tenants, these may be driven by  different 
concerns. 

Again, I think we need to have some flexibility in how we scope tokens. The API 
should be flexible enough to support different models -- I think that scoping a 
token to multiple tenants is useful in cases such as delegation -- where a 
single identity may be issued revokable access to a set of resources in 
multiple projects.

 
 - joe
 
 
 On Nov 13, 2012, at 9:17 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:
 Hi Guang
 
 On 13/11/2012 16:14, Yee, Guang wrote:
 An unscoped token is basically implicitly scoped to Keystone service right?
 One should be able to use an unscoped token to reset his password, and ask
 Keystone for information pertaining to himself, such as what are his roles,
 what services/endpoints are available to him, and what are his tenants, etc.
 This is helpful for administration UIs such as MC.
 
 agreed
 
 There's a blueprint to address the need to scope the token down to the
 service or endpoint level. Basically, service and endpoint isolation.
 
 I have read your blueprint and I have some comments/questions on it. How do 
 you want these to be addressed? By email, or by edits to you blueprint?
 
 regards
 
 David
 
 
 https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-
 delegation
 http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation
 
 It also addresses the intricacies of role delegation, which should be very
 beneficial for cloud services.
 
 
 
 Guang
 
 
 
 -Original Message-
 From: openstack-bounces+guang.yee=hp@lists.launchpad.net
 [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of
 David Chadwick
 Sent: Tuesday, November 13, 2012 7:32 AM
 To: Adam Young
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing
 authorization to projects/tenants in the Keystone V3 API
 
 Hi Adam
 
 you have pointed out an important difference between an unscoped token
 and a scoped one. The former can only be used with keystone, the latter
 with a cloud service. This also implies that a scoped token can only
 have the scope of a single service, and not multiple services. The user
 must swap the unscoped token for a set of scoped tokens if he wishes to
 access a set of cloud services.
 
 This model is clean and consistent.
 
 Concerning your attack scenario, then the best point of attack is either
 the client (steal his token(s)) or Keystone (get access to any service)
 
 regards
 
 David
 
 On 13/11/2012 14:38, Adam Young wrote:
 On 11/10/2012 10:58 AM, David Chadwick wrote:
 I agree with the vast majority of what Jorge says below. The idea I
 would like to bounce around is that of the unscoped token.
 
 What does it mean conceptually? What is its purpose? Why do we need
 it? Why should a user be given an unscoped token to exchange at a
 later time for a scoped token?
 
 My view is as follows:
 i) a user is authenticated and identified, and from this, keystone can
 see that the user has access to a number of different tenants and
 services. Keystone creates an unscoped token to encapsulate this. Note
 that the unscoped token is scoped to the services/tenants available to
 this user, and consequently it is different for each identified user.
 Thus it does have some scope i.e. it cannot be swapped for access to
 any service by any tenant.
 ii) the user must choose which service/tenant he wishes to activate.
 This is in line with the principle of least privileges.
 iii) the user informs keystone which service(s) and tenant(s) he
 wishes to access and Keystone swaps the unscoped token for one that is
 scoped to the choice of the user.
 
 The issue then becomes, what is the allowable scope of a scoped token?
 Jorge below believes it should cover multiple
 services/endpoints/tenants. So one must then ask, what is the
 difference between the most widely scoped scoped-token and the
 unscoped token? Surely they will have

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Vishvananda Ishaya

It seems like unscoped is a total misnomer. Unscoped just means scoped to 
keystone. The existence of 'unscoped' tokens seems completely orthogonal to 
whether a token can be scoped to multiple services/endpoints.

Vish

On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
wrote:

 
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 
 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such 
 that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation -- 
 where a single identity may be issued revokable access to a set of resources 
 in multiple projects.
 
 
 - joe
 
 
 On Nov 13, 2012, at 9:17 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:
 Hi Guang
 
 On 13/11/2012 16:14, Yee, Guang wrote:
 An unscoped token is basically implicitly scoped to Keystone service right?
 One should be able to use an unscoped token to reset his password, and ask
 Keystone for information pertaining to himself, such as what are his roles,
 what services/endpoints are available to him, and what are his tenants, 
 etc.
 This is helpful for administration UIs such as MC.
 
 agreed
 
 There's a blueprint to address the need to scope the token down to the
 service or endpoint level. Basically, service and endpoint isolation.
 
 I have read your blueprint and I have some comments/questions on it. How do 
 you want these to be addressed? By email, or by edits to you blueprint?
 
 regards
 
 David
 
 
 https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-
 delegation
 http://wiki.openstack.org/Keystone/Service-Isolation-And-Roles-Delegation
 
 It also addresses the intricacies of role delegation, which should be very
 beneficial for cloud services.
 
 
 
 Guang
 
 
 
 -Original Message-
 From: openstack-bounces+guang.yee=hp@lists.launchpad.net
 [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf 
 Of
 David Chadwick
 Sent: Tuesday, November 13, 2012 7:32 AM
 To: Adam Young
 Cc: OpenStack Development Mailing List; openstack@lists.launchpad.net
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens 
 representing
 authorization to projects/tenants in the Keystone V3 API
 
 Hi Adam
 
 you have pointed out an important difference between an unscoped token
 and a scoped one. The former can only be used with keystone, the latter
 with a cloud service. This also implies that a scoped token can only
 have the scope of a single service, and not multiple services. The user
 must swap the unscoped token for a set of scoped tokens if he wishes to
 access a set of cloud services.
 
 This model is clean and consistent.
 
 Concerning your attack scenario, then the best point of attack is either
 the client (steal his token(s)) or Keystone (get access to any service)
 
 regards
 
 David
 
 On 13/11/2012 14:38, Adam Young wrote:
 On 11/10/2012 10:58 AM, David Chadwick wrote:
 I agree with the vast majority of what Jorge says below. The idea I
 would like to bounce around is that of the unscoped token.
 
 What does it mean conceptually? What is its purpose? Why do we need
 it? Why should a user be given an unscoped token to exchange at a
 later time for a scoped token?
 
 My view is as follows:
 i) a user is authenticated and identified, and from this, keystone can
 see that the user has access to a number of different tenants and
 services. Keystone creates an unscoped token to encapsulate this. Note
 that the unscoped token is scoped to the services/tenants available to
 this user, and consequently it is different for each identified user.
 Thus it does have some scope i.e. it cannot be swapped for access to
 any service by any tenant.
 ii) the user must choose which service/tenant he wishes to activate.
 This is in line with the principle of least privileges.
 iii) the user informs keystone which service(s) and tenant(s) he
 wishes to access and Keystone swaps the unscoped token for one

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread heckj


On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
wrote:
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such 
 that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation -- 
 where a single identity may be issued revokable access to a set of resources 
 in multiple projects.

The consensus from the folks weighing in on this from a security perspective 
seems to be that it's kosher to restrict tokens further (the least privilege 
thing). Broadening the scope to multiple tenants or sets of tenants doesn't 
appear to follow those best practices. If you wanted to accept a less-scoped 
token than the scoped to single tenant, you can accept and use a user-scoped 
token, at least by my read.

-joe



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread Joe Savak

Will user-scoped token include the full service catalog? 

Also, I thought the consensus was to allow the API contract to be flexible on 
how many tenants we can scope the token to. The ref impl can enforce 1 
tenant-scoped token. Are we diverging from this?

Thanks,
joe

-Original Message-
From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net 
[mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On 
Behalf Of heckj
Sent: Tuesday, November 13, 2012 1:34 PM
To: OpenStack Development Mailing List
Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
authorization to projects/tenants in the Keystone V3 API


On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
wrote:
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such 
 that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation -- 
 where a single identity may be issued revokable access to a set of resources 
 in multiple projects.

The consensus from the folks weighing in on this from a security perspective 
seems to be that it's kosher to restrict tokens further (the least privilege 
thing). Broadening the scope to multiple tenants or sets of tenants doesn't 
appear to follow those best practices. If you wanted to accept a less-scoped 
token than the scoped to single tenant, you can accept and use a user-scoped 
token, at least by my read.

-joe



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-13 Thread heckj

Hey Joe:

Currently a user scoped token doesn't include a service catalog - mostly 
because I think the service catalog generally requires tenant_id's to 
interpolate into the values to provide it. That doesn't mean we can't put 
in/include service catalog endpoints where that value doesn't need to be 
determined.

I'm also questioning the value of providing a token scoped to all tenants 
associated with a user - that seems to have the same value as just using a user 
token. 

In fact, even if we allow some arbitrary set of tenants to be scoped into a 
token along with a user, what on earth should be in the service catalog? 
Endpoints relevant to every possible tenant?

This just seems to be a potential explosion of data that is poorly scoped from 
a security perspective.

-joe

On Nov 13, 2012, at 1:42 PM, Joe Savak joe.sa...@rackspace.com wrote:
 Will user-scoped token include the full service catalog? 
 
 Also, I thought the consensus was to allow the API contract to be flexible on 
 how many tenants we can scope the token to. The ref impl can enforce 1 
 tenant-scoped token. Are we diverging from this?
 
 Thanks,
 joe
 
 -Original Message-
 From: openstack-bounces+joe.savak=rackspace@lists.launchpad.net 
 [mailto:openstack-bounces+joe.savak=rackspace@lists.launchpad.net] On 
 Behalf Of heckj
 Sent: Tuesday, November 13, 2012 1:34 PM
 To: OpenStack Development Mailing List
 Cc: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
 Subject: Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing 
 authorization to projects/tenants in the Keystone V3 API
 
 
 On Nov 13, 2012, at 11:01 AM, Jorge Williams jorge.willi...@rackspace.com 
 wrote:
 On Nov 13, 2012, at 11:35 AM, heckj wrote:
 So maintaining a token scoped to just the user, and a mechanism to scope it 
 to a tenant sound like all goodness. We can absolutely keep the API such 
 that it can provide either. 
 
 Right now, our auth_token middleware implicitly requires a tenant in that 
 scoping to work. If someone wanted to support a token scoped to just a user 
 for the services, they'd need a different middleware there. Keystone as a 
 service *doesn't* use the auth_token middleware, so with the V3 API we can 
 make it provide services appropriately based on a token scoped only to the 
 user.
 
 All that in place, allow a token to be indeterminate scoped to multiple 
 tenants is fraught with security flaws, and if we continue to provide 
 unscoped tokens, that should obviate the need for token scoped to multiple 
 tenants. 
 
 I'm not sure I'm following you there.  I don't see how unscoped tokens 
 obviate the need to scope to multiple tenants, these may be driven by  
 different concerns. 
 
 Again, I think we need to have some flexibility in how we scope tokens. The 
 API should be flexible enough to support different models -- I think that 
 scoping a token to multiple tenants is useful in cases such as delegation -- 
 where a single identity may be issued revokable access to a set of resources 
 in multiple projects.
 
 The consensus from the folks weighing in on this from a security perspective 
 seems to be that it's kosher to restrict tokens further (the least privilege 
 thing). Broadening the scope to multiple tenants or sets of tenants doesn't 
 appear to follow those best practices. If you wanted to accept a less-scoped 
 token than the scoped to single tenant, you can accept and use a user-scoped 
 token, at least by my read.
 
 -joe
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp


___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

2012-11-10 Thread David Chadwick

I agree with the vast majority of what Jorge says below. The idea I 
would like to bounce around is that of the unscoped token.


What does it mean conceptually? What is its purpose? Why do we need it? 
Why should a user be given an unscoped token to exchange at a later time 
for a scoped token?


My view is as follows:
i) a user is authenticated and identified, and from this, keystone can 
see that the user has access to a number of different tenants and 
services. Keystone creates an unscoped token to encapsulate this. Note 
that the unscoped token is scoped to the services/tenants available to 
this user, and consequently it is different for each identified user. 
Thus it does have some scope i.e. it cannot be swapped for access to any 
service by any tenant.
ii) the user must choose which service/tenant he wishes to activate. 
This is in line with the principle of least privileges.
iii) the user informs keystone which service(s) and tenant(s) he wishes 
to access and Keystone swaps the unscoped token for one that is scoped 
to the choice of the user.


The issue then becomes, what is the allowable scope of a scoped token? 
Jorge below believes it should cover multiple 
services/endpoints/tenants. So one must then ask, what is the difference 
between the most widely scoped scoped-token and the unscoped token? 
Surely they will have the same scope won't they? In which case there is 
no need for both concepts.


Comments please

regards

David

On 23/10/2012 06:25, Jorge Williams wrote:

Here's my view:

On making the default token a configuration option:  Like the idea.
  Disabling the option by default.  That's fine too.

On scoping a token to a specific endpoint:  That's fine, though I
believe that that's in the API today.  Currently, the way that we scope
tokens to endpoints is by validating against the service catalog. I'm
not sure if the default middleware checks for this yet, but the Repose
middleware does.  If you try to use a token in an endpoint that's not in
the service catalog the request fails -- well, if the check is turned on.

Obviously, I'd like the idea of scoping a single token to multiple
tenants / endpoints.

I don't like the idea of calling tokens sloppy tokens -- it's
confusing.   All you have to say is that a token has a scope -- and the
scope of the token is the set of resources that the token can provide
access to.  You can limit the scope of a token to a tenant, to a
endpoint, to a set of endpoints or tenants etc -- what limits you place
on the scope of an individual token should be up to the operator.

Keep in mind that as we start digging into delegation and fine grained
authorization (after Grizzly, I'm sure), we'll end up with tokens that
have a scope of a subset of resources in a single or multiple tenants.
  So calling them sloppy now is just confusing.  Simply stating that a
token has a scope (as I've defined above) should suffice.  This is part
of the reason why I've never liked the term unscoped token, because an
unscoped token does have a scope. It just so happens that the scope of
that token is the resource that provides a list of available tenants.

-jOrGe W.

On Oct 22, 2012, at 9:57 PM, Adam Young wrote:


Are you guys +1 ing the original Idea, my suggestion to make it
optional, the fact that I think we should call these sloppy tokens?

On 10/22/2012 03:40 PM, Jorge Williams wrote:

+1 here too.

At the end of the day, we'd like the identity API to be flexible
enough to allow the token to be scoped in a manner that the deployer
sees fit.  What the keystone implementation does by default is a
different matter -- and disabling multiple tenant  scope by default
would be fine by me.

-jOrGe W.


On Oct 21, 2012, at 11:10 AM, Joe Savak wrote:


+1. ;)

So the issue is that the v2 API contract allows a token to be scoped
to multiple tenants. For v3, I'd like to have the same flexibility.
I don't see security issues, as if a token were to be sniffed you
can change the password of the account using it and use those creds
to scope tokens to any tenant you wish.

Scope should always be kept as limited as possible. Personally, I
don't feel like limiting the tenant list makes much difference.  THe
more I think about it, the real benefit comes from limiting the
endpoints.






On Oct 20, 2012, at 21:07, Adam Young ayo...@redhat.com
mailto:ayo...@redhat.com wrote:


On 10/20/2012 01:50 PM, heckj wrote:

I sent this to the openstack-dev list, and thought I'd double post
this onto the openstack list at Launchpad for additional feedback.

-joe

Begin forwarded message:

*From: *heckj he...@mac.com mailto:he...@mac.com
*Subject: **[openstack-dev] [keystone] Tokens representing
authorization to projects/tenants in the Keystone V3 API*
*Date: *October 19, 2012 1:51:16 PM PDT
*To: *OpenStack Development Mailing List
openstack-...@lists.openstack.org
mailto:openstack-...@lists.openstack.org
*Reply-To: *OpenStack Development Mailing List
openstack-...@lists.openstack.org

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

Re: [Openstack] [openstack-dev] Fwd: [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

20 matches

Site Navigation

Mail list logo

Footer information