subject:"Re\: \[openstack\-dev\] \[all\]\[policy\]\[keystone\] Better Policy Model and Representing Capabilites"

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-20 Thread Jamie Lennox

- Original Message -
From: Nathan Kinder nkin...@redhat.com
To: openstack-dev@lists.openstack.org
Sent: Tuesday, October 14, 2014 2:25:35 AM
Subject: Re: [openstack-dev] [all][policy][keystone] Better Policy Model and
Representing Capabilites

On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an endpoint
with a current scoped token, it is impossible to know what actions are
available to a user.

Horizon makes some attempts to solve this issue by sourcing all of the
policy files from all of the services to determine what a user can
accomplish with a given role. This is highly inefficient as it requires
processing the various policy.json files for each request in multiple
places and presents a mechanism that is not really scalable to understand
what a user can do with the current authorization. Horizon may not be the
only service that (in the long term) would want to know what actions a
token can take.

This is also extremely useful for being able to actually support more
restricted tokens as well. If I as an end user want to request a token
that only has the roles required to perform a particular action, I'm
going to need to have a way of knowing what those roles are. I think
that is one of the main things missing to allow the role-filtered
tokens option that I wrote up after the last Summit to be a viable
approach:

https://blog-nkinder.rhcloud.com/?p=101

I would like to start a discussion on how we should improve our policy
implementation (OpenStack wide) to help make it easier to know what is
possible with a current authorization context (Keystone token). The key
feature should be that whatever the implementation is, it doesn’t require
another round-trip to a third party service to “enforce” the policy which
avoids another scaling point like UUID Keystone token validation.

Here are a couple of ideas that we’ve discussed over the last few
development cycles (and none of this changes the requirements to manage
scope of authorization, e.g. project, domain, trust, ...):

1. Keystone is the holder of all policy files. Each service gets it’s
policy file from Keystone and it is possible to validate the policy (by
any other service) against a token provided they get the relevant policy
file from the authoritative source (Keystone).

Pros: This is nearly completely compatible with the current policy system.
The biggest change is that policy files are published to Keystone instead
of to a local file on disk. This also could open the door to having
keystone build “stacked” policies (user/project/domain/endpoint/service
specific) where the deployer could layer policy definitions (layering
would allow for stricter enforcement at more specific levels, e.g. users
from project X can’t terminate any VMs).

I think that there are a some additional advantages to centralizing
policy storage (not enforcement).

- The ability to centralize management of policy would be very nice. If
I want to update the policy for all of my compute nodes, I can do it in
one location without the need for external configuration management
solutions.

- We could piggy-back on Keystone's signing capabilities to allow policy
to be signed, providing protection against policy tampering on an
individual endpoint.

Cons: This doesn’t ease up the processing requirement or the need to hold
(potentially) a significant number of policy files for each service that
wants to evaluate what actions a token can do.

Are you thinking of there being a call to keystone that answers what
can I do with token A against endpoint B? This seems similar in
concept to the LDAP get effective rights control. There would
definitely be some processing overhead to this though you could set up
multiple keystone instances and replicate the policy to spread out the
load. It also might be possible to index the enforcement points by role
in an attempt to minimize the processing for this sort of call.

2. Each enforcement point in a service is turned into an attribute/role,
and the token contains all of the information on what a user can do
(effectively shipping the entire policy information with the token).

Pros: It is trivial to know what a token provides access to: the token
would contain something like `{“nova”: [“terminate”, “boot”], “keystone”:
[“create_user”, “update_user”], ...}`. It would be easily possible to
allow glance “get image” nova “boot” capability instead of needing to know
the roles for policy.json for both glance and nova work for booting a new
VM.

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread David Chadwick



On 14/10/2014 01:25, Nathan Kinder wrote:
 
 
 On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
 Description of the problem: Without attempting an action on an
 endpoint with a current scoped token, it is impossible to know what
 actions are available to a user.
 

This is not unusual in the physical world. If you think about all the
authz tokens you carry around in your pocket (as plastic cards), very
few of them (if any) list what you are entitled to do with them. This
gives the issuers and SPs flexibility to dynamically change your
accesses rights without changing your authorisation. What you can do, in
general terms, may be written in policy documents that you can consult
if you wish. So you may wish to introduce a service that is equivalent
to this (i.e. user may optionally consult some policy advice service).

If you introduce a service to allow a user to dynamically determine his
access rights (absolutely), you have to decide what to do about the
dynamics of this service compared to the lifetime of the keystone token,
as the rights may change more quickly than the token's lifetime.

 
 Horizon makes some attempts to solve this issue by sourcing all of
 the policy files from all of the services to determine what a user
 can accomplish with a given role. This is highly inefficient as it
 requires processing the various policy.json files for each request
 in multiple places and presents a mechanism that is not really
 scalable to understand what a user can do with the current
 authorization. Horizon may not be the only service that (in the
 long term) would want to know what actions a token can take.
 
 This is also extremely useful for being able to actually support
 more restricted tokens as well.  If I as an end user want to request
 a token that only has the roles required to perform a particular
 action, I'm going to need to have a way of knowing what those roles
 are.  I think that is one of the main things missing to allow the
 role-filtered tokens option that I wrote up after the last Summit
 to be a viable approach:
 
 https://blog-nkinder.rhcloud.com/?p=101
 
 
 I would like to start a discussion on how we should improve our
 policy implementation (OpenStack wide) to help make it easier to
 know what is possible with a current authorization context
 (Keystone token). The key feature should be that whatever the
 implementation is, it doesn’t require another round-trip to a third
 party service to “enforce” the policy which avoids another scaling
 point like UUID Keystone token validation.

Presumably this does not rule out the user, at his option, calling
another service to ask for advice what can I do with this token,
bearing in mind that the response will be advice and not a definite
answer (since the PDP will always be the one to provide the definitive
answer).



 
 Here are a couple of ideas that we’ve discussed over the last few
 development cycles (and none of this changes the requirements to
 manage scope of authorization, e.g. project, domain, trust, ...):
 
 1. Keystone is the holder of all policy files. Each service gets
 it’s policy file from Keystone and it is possible to validate the
 policy (by any other service) against a token provided they get the
 relevant policy file from the authoritative source (Keystone).

Can I suggest that this is made more abstract, to say, there is a
central policy administration service that stores all policies and
allows them to be updated, deleted, created, inherited etc.

Whether this service is combined with keystone or not in the
implementation is a separate issue. Conceptually it is a new type of
policy administration service for OpenStack.

 
 Pros: This is nearly completely compatible with the current policy
 system. The biggest change is that policy files are published to
 Keystone instead of to a local file on disk. This also could open
 the door to having keystone build “stacked” policies
 (user/project/domain/endpoint/service specific) where the deployer
 could layer policy definitions (layering would allow for stricter
 enforcement at more specific levels, e.g. users from project X
 can’t terminate any VMs).
 
 I think that there are a some additional advantages to centralizing 
 policy storage (not enforcement).
 
 - The ability to centralize management of policy would be very nice.
 If I want to update the policy for all of my compute nodes, I can do
 it in one location without the need for external configuration
 management solutions.
 
 - We could piggy-back on Keystone's signing capabilities to allow
 policy to be signed, providing protection against policy tampering on
 an individual endpoint.
 
 
 Cons: This doesn’t ease up the processing requirement or the need
 to hold (potentially) a significant number of policy files for each
 service that wants to evaluate what actions a token can do.

if you separate out an optional advice service from the
decision/enforcement service, this might provide the flexibility and
performance

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Tim Hinrichs

First, some truth in advertising: I work on Congress (policy as a service), so
I’ve mostly given thought to this problem in that context.

1) I agree with the discussion below about creating a token that encodes all
the permitted actions for the user. The cons seem substantial.

(i) The token will get stale, requiring us to either revoke it when
policy/roles change or to live with incorrect access control enforcement until
the token expires.

(ii) The token could become large, complex, or both. Suppose the policy is
granular enough to put restrictions on the arguments a user is permitted to
provide to an action. The token might end up encoding a significant portion of
the policy itself. Checking if the token permits a given action could be
similar computationally to checking the original policy.json file.

2) I like the idea of an out-of-band service that caches a copy of all the
policy.jsons and allows users to interrogate/edit them. I’ve definitely talked
to operators who would like this kind of thing. This would be a low-risk,
low-friction solution to the problem because nothing about OpenStack today
would need to change. We’d just add an extra service and tell people to use
it—sort of a new UI for the policy.json files. And we could add interesting
functionality, e.g. hypothetical queries such as “if I were to add role X, what
changes would that make in my rights?

Perhaps some more context about why users want to know all of the actions they
are permitted to execute might help.

Tim

On Oct 14, 2014, at 1:56 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:

On 14/10/2014 01:25, Nathan Kinder wrote:

On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an
endpoint with a current scoped token, it is impossible to know what
actions are available to a user.

This is not unusual in the physical world. If you think about all the
authz tokens you carry around in your pocket (as plastic cards), very
few of them (if any) list what you are entitled to do with them. This
gives the issuers and SPs flexibility to dynamically change your
accesses rights without changing your authorisation. What you can do, in
general terms, may be written in policy documents that you can consult
if you wish. So you may wish to introduce a service that is equivalent
to this (i.e. user may optionally consult some policy advice service).

If you introduce a service to allow a user to dynamically determine his
access rights (absolutely), you have to decide what to do about the
dynamics of this service compared to the lifetime of the keystone token,
as the rights may change more quickly than the token's lifetime.

Horizon makes some attempts to solve this issue by sourcing all of
the policy files from all of the services to determine what a user
can accomplish with a given role. This is highly inefficient as it
requires processing the various policy.json files for each request
in multiple places and presents a mechanism that is not really
scalable to understand what a user can do with the current
authorization. Horizon may not be the only service that (in the
long term) would want to know what actions a token can take.

This is also extremely useful for being able to actually support
more restricted tokens as well. If I as an end user want to request
a token that only has the roles required to perform a particular
action, I'm going to need to have a way of knowing what those roles
are. I think that is one of the main things missing to allow the
role-filtered tokens option that I wrote up after the last Summit
to be a viable approach:

https://urldefense.proofpoint.com/v1/url?u=https://blog-nkinder.rhcloud.com/?p%3D101k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0Ar=%2FZ35AkRhp2kCW4Q3MPeE%2BxY2bqaf%2FKm29ZfiqAKXxeo%3D%0Am=XcBszEjYqiYgkoy9iUk3baKeyYoE%2Bb20k6zm3jIXGAs%3D%0As=ff78352cef9982b47c9e6cca97aa001f38b13837387332a38b56ce30e1394b87

I would like to start a discussion on how we should improve our
policy implementation (OpenStack wide) to help make it easier to
know what is possible with a current authorization context
(Keystone token). The key feature should be that whatever the
implementation is, it doesn’t require another round-trip to a third
party service to “enforce” the policy which avoids another scaling
point like UUID Keystone token validation.

Presumably this does not rule out the user, at his option, calling
another service to ask for advice what can I do with this token,
bearing in mind that the response will be advice and not a definite
answer (since the PDP will always be the one to provide the definitive
answer).

Here are a couple of ideas that we’ve discussed over the last few
development cycles (and none of this changes the requirements to
manage scope of authorization, e.g. project, domain, trust, ...):

1. Keystone is the holder of all policy files. Each

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Nathan Kinder



On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
 First, some truth in advertising: I work on Congress (policy as a service), 
 so I’ve mostly given thought to this problem in that context.
 
 1) I agree with the discussion below about creating a token that encodes all 
 the permitted actions for the user.  The cons seem substantial.  

+1

 
 (i) The token will get stale, requiring us to either revoke it when 
 policy/roles change or to live with incorrect access control enforcement 
 until the token expires.

This is a very good point.

 
 (ii) The token could become large, complex, or both.  Suppose the policy is 
 granular enough to put restrictions on the arguments a user is permitted to 
 provide to an action.  The token might end up encoding a significant portion 
 of the policy itself.  Checking if the token permits a given action could be 
 similar computationally to checking the original policy.json file.  
 
 
 2) I like the idea of an out-of-band service that caches a copy of all the 
 policy.jsons and allows users to interrogate/edit them.  I’ve definitely 
 talked to operators who would like this kind of thing.  This would be a 
 low-risk, low-friction solution to the problem because nothing about 
 OpenStack today would need to change.  We’d just add an extra service and 
 tell people to use it—sort of a new UI for the policy.json files.  And we 
 could add interesting functionality, e.g. hypothetical queries such as “if I 
 were to add role X, what changes would that make in my rights?
 
 Perhaps some more context about why users want to know all of the actions 
 they are permitted to execute might help.

I think that there are two questions that a user may have here:

1) What actions can I perform using a particular token?

2) What role(s) do I need to perform a particular action?

For me, the second question is more interesting.  A user likely already
has an idea of a task that they want to perform.  With question number
1, what do I do as a user if the response says that I'm not allowed to
perform the task I'm trying to accomplish?  The answer really doesn't
give me a way to move forward and perform my task.

With question 2, I'm able to find out what exact roles are needed to
perform a specific action.  With this information, I could request a
Keystone token with a subset of my roles that is authorized to perform
the task while leaving out roles that might have a higher level of
authorization.  For instance, why should I need to send a token with the
'admin' role to Nova just to launch an instance if '_member_' is all
that's required?

Another real use case is determining what roles are needed when creating
a trust in Keystone.  If I want to use a trust to allow a service like
Heat or Neutron's LBaaS to perform an action on my behalf, I want to
minimize the authorization that I'm delegating to those services.
Keystone trusts already have the ability to explicitly define the roles
that will be present in the issues trust tokens, but I have no way of
knowing what roles are required to perform a particular action without
consulting the policy.

-NGK

 
 Tim
 
 
  
 On Oct 14, 2014, at 1:56 AM, David Chadwick d.w.chadw...@kent.ac.uk wrote:
 


 On 14/10/2014 01:25, Nathan Kinder wrote:


 On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
 Description of the problem: Without attempting an action on an
 endpoint with a current scoped token, it is impossible to know what
 actions are available to a user.


 This is not unusual in the physical world. If you think about all the
 authz tokens you carry around in your pocket (as plastic cards), very
 few of them (if any) list what you are entitled to do with them. This
 gives the issuers and SPs flexibility to dynamically change your
 accesses rights without changing your authorisation. What you can do, in
 general terms, may be written in policy documents that you can consult
 if you wish. So you may wish to introduce a service that is equivalent
 to this (i.e. user may optionally consult some policy advice service).

 If you introduce a service to allow a user to dynamically determine his
 access rights (absolutely), you have to decide what to do about the
 dynamics of this service compared to the lifetime of the keystone token,
 as the rights may change more quickly than the token's lifetime.


 Horizon makes some attempts to solve this issue by sourcing all of
 the policy files from all of the services to determine what a user
 can accomplish with a given role. This is highly inefficient as it
 requires processing the various policy.json files for each request
 in multiple places and presents a mechanism that is not really
 scalable to understand what a user can do with the current
 authorization. Horizon may not be the only service that (in the
 long term) would want to know what actions a token can take.

 This is also extremely useful for being able to actually support
 more restricted tokens as well.  If I as an end user want to request
 a

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Morgan Fainberg

On Tuesday, October 14, 2014, Nathan Kinder nkin...@redhat.com wrote:



 On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
  First, some truth in advertising: I work on Congress (policy as a
 service), so I’ve mostly given thought to this problem in that context.
 
  1) I agree with the discussion below about creating a token that encodes
 all the permitted actions for the user.  The cons seem substantial.

 +1


  (i) The token will get stale, requiring us to either revoke it when
 policy/roles change or to live with incorrect access control enforcement
 until the token expires.

 This is a very good point.


Totally valid point. Worth avoiding making this problem worse than today.
We have this to a minor extent because roles are static within an issued
token (policy file could be changed to mitigate).



  (ii) The token could become large, complex, or both.  Suppose the policy
 is granular enough to put restrictions on the arguments a user is permitted
 to provide to an action.  The token might end up encoding a significant
 portion of the policy itself.  Checking if the token permits a given action
 could be similar computationally to checking the original policy.json file.
 
 
  2) I like the idea of an out-of-band service that caches a copy of all
 the policy.jsons and allows users to interrogate/edit them.  I’ve
 definitely talked to operators who would like this kind of thing.  This
 would be a low-risk, low-friction solution to the problem because nothing
 about OpenStack today would need to change.  We’d just add an extra service
 and tell people to use it—sort of a new UI for the policy.json files.  And
 we could add interesting functionality, e.g. hypothetical queries such as
 “if I were to add role X, what changes would that make in my rights?
 
  Perhaps some more context about why users want to know all of the
 actions they are permitted to execute might help.

 I think that there are two questions that a user may have here:

 1) What actions can I perform using a particular token?



This is an important question to answer for tools like Horizon, we don't
want to show capabilities or lock out capabilities so we don't need to
try to know if it will succeed. This is purely UX.



 2) What role(s) do I need to perform a particular action?

 For me, the second question is more interesting.  A user likely already
 has an idea of a task that they want to perform.  With question number
 1, what do I do as a user if the response says that I'm not allowed to
 perform the task I'm trying to accomplish?  The answer really doesn't
 give me a way to move forward and perform my task.

 With question 2, I'm able to find out what exact roles are needed to
 perform a specific action.  With this information, I could request a
 Keystone token with a subset of my roles that is authorized to perform
 the task while leaving out roles that might have a higher level of
 authorization.  For instance, why should I need to send a token with the
 'admin' role to Nova just to launch an instance if '_member_' is all
 that's required?

 Another real use case is determining what roles are needed when creating
 a trust in Keystone.  If I want to use a trust to allow a service like
 Heat or Neutron's LBaaS to perform an action on my behalf, I want to
 minimize the authorization that I'm delegating to those services.
 Keystone trusts already have the ability to explicitly define the roles
 that will be present in the issues trust tokens, but I have no way of
 knowing what roles are required to perform a particular action without
 consulting the policy


This sums up the large(er) part of or starting this conversation.


-NGK

 
  Tim
 
 
 
  On Oct 14, 2014, at 1:56 AM, David Chadwick d.w.chadw...@kent.ac.uk
 javascript:; wrote:
 
 
 
  On 14/10/2014 01:25, Nathan Kinder wrote:
 
 
  On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
  Description of the problem: Without attempting an action on an
  endpoint with a current scoped token, it is impossible to know what
  actions are available to a user.
 
 
  This is not unusual in the physical world. If you think about all the
  authz tokens you carry around in your pocket (as plastic cards), very
  few of them (if any) list what you are entitled to do with them. This
  gives the issuers and SPs flexibility to dynamically change your
  accesses rights without changing your authorisation. What you can do, in
  general terms, may be written in policy documents that you can consult
  if you wish. So you may wish to introduce a service that is equivalent
  to this (i.e. user may optionally consult some policy advice service).
 
  If you introduce a service to allow a user to dynamically determine his
  access rights (absolutely), you have to decide what to do about the
  dynamics of this service compared to the lifetime of the keystone token,
  as the rights may change more quickly than the token's lifetime.
 
 
  Horizon makes some attempts to solve this issue by sourcing all of
  the

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Tim Hinrichs

That was really helpful background. Thanks!

I’d be happy to look into using Congress to implement what we’ve discussed:
caching policy.json files, updating them periodically, and answering queries
about the roles required to be granted access to a certain kind of action. I
think we have the right algorithms sitting around.

Let me know if that would help or if you’d prefer a different approach.

Tim

On Oct 14, 2014, at 10:31 AM, Morgan Fainberg
morgan.fainb...@gmail.commailto:morgan.fainb...@gmail.com wrote:

2) What role(s) do I need to perform a particular action?

For me, the second question is more interesting. A user likely already
has an idea of a task that they want to perform. With question number
1, what do I do as a user if the response says that I'm not allowed to
perform the task I'm trying to accomplish? The answer really doesn't
give me a way to move forward and perform my task.

With question 2, I'm able to find out what exact roles are needed to
perform a specific action. With this information, I could request a
Keystone token with a subset of my roles that is authorized to perform
the task while leaving out roles that might have a higher level of
authorization. For instance, why should I need to send a token with the
'admin' role to Nova just to launch an instance if '_member_' is all
that's required?

Another real use case is determining what roles are needed when creating
a trust in Keystone. If I want to use a trust to allow a service like
Heat or Neutron's LBaaS to perform an action on my behalf, I want to
minimize the authorization that I'm delegating to those services.
Keystone trusts already have the ability to explicitly define the roles
that will be present in the issues trust tokens, but I have no way of
knowing what roles are required to perform a particular action without
consulting the policy

This sums up the large(er) part of or starting this conversation.

-NGK

Tim

On Oct 14, 2014, at 1:56 AM, David Chadwick
d.w.chadw...@kent.ac.ukjavascript:; wrote:

On 14/10/2014 01:25, Nathan Kinder wrote:

On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an
endpoint with a current scoped token, it is impossible to know what
actions are available to a user.

Horizon makes some attempts to solve this issue by sourcing all of
the policy files from all of the services to determine what a user
can accomplish with a given role. This is highly inefficient as it
requires processing the various policy.json files for each request
in multiple places and presents a mechanism that is not really
scalable to understand what a user can do with the current
authorization. Horizon may not be the only service that (in the
long term) would want to know what actions a token can take.

This is also extremely useful for being able to actually support
more restricted tokens as well. If I as an end user want to request
a token that only has the roles required to perform a particular
action, I'm going to need to have a way of knowing what those roles
are. I think that is one of the main things missing to allow the
role-filtered tokens option that I wrote up after the last Summit
to be a viable approach:

I would like to start a discussion on how we should improve our
policy implementation (OpenStack wide) to help make it easier to
know what is possible with a current authorization context
(Keystone token). The key feature should be that whatever the
implementation is, it doesn’t require another round-trip to a third
party service to “enforce” the policy which avoids another scaling
point like UUID Keystone token validation.

Presumably this does not rule out the user, at his option, calling
another service to ask for advice what can I do with this token,
bearing

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-14 Thread Adam Young


There are two distinct permissions to be managed:

1.  What can the user do.
2.  What actions can this token be used to do.

2. is a subset of 1.


Just because I, Adam Young, have the ability to destroy the golden image 
I have up on glance does not mean that I want to delegate that ability 
every time I use a token.


But that is exactly the mechanism we have today.

As a user, I should not be locked in to only delegating roles. A role 
may say you can read or modify an image but I want to only delegate 
the Read part when creating a new VM:  I want Nova to be able to read 
the image I specify.



Hence, I started a spec around capabilities  which are I think, a 
different check than for RBAC.


https://review.openstack.org/#/c/123726/





___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-13 Thread Rodrigo Duarte

This is a hot topic for some brainstorms here, since I started to hack a
bit with OpenStack =)

Regarding the given options, the second one looks better IMO, and we could
avoid some of the token bloating issues by having a parameter where the
service specifies what is set of actions that are important (the parameter
could be service name). Although we have some services with a huge set of
possible operations, like Nova.

But there is also some points that seem important to keep in mind, giving
that we have some cases for each action, not just the action itsel. For
example: update_project. A project_admin can update its own project but not
another project. And I don't see other options to check this than having
two different rules: update_own_project, update_any_project, and the rules
would be checked against the project_id in the token scope.

On Mon, Oct 13, 2014 at 5:17 PM, Morgan Fainberg morgan.fainb...@gmail.com
wrote:

Description of the problem: Without attempting an action on an endpoint
with a current scoped token, it is impossible to know what actions are
available to a user.

Here are a couple of ideas that we’ve discussed over the last few
development cycles (and none of this changes the requirements to manage
scope of authorization, e.g. project, domain, trust, ...):

1. Keystone is the holder of all policy files. Each service gets it’s
policy file from Keystone and it is possible to validate the policy (by any
other service) against a token provided they get the relevant policy file
from the authoritative source (Keystone).

Pros: This is nearly completely compatible with the current policy system.
The biggest change is that policy files are published to Keystone instead
of to a local file on disk. This also could open the door to having
keystone build “stacked” policies (user/project/domain/endpoint/service
specific) where the deployer could layer policy definitions (layering would
allow for stricter enforcement at more specific levels, e.g. users from
project X can’t terminate any VMs).

Cons: This doesn’t ease up the processing requirement or the need to hold
(potentially) a significant number of policy files for each service that
wants to evaluate what actions a token can do.

Pros: It is trivial to know what a token provides access to: the token
would contain something like `{“nova”: [“terminate”, “boot”], “keystone”:
[“create_user”, “update_user”], ...}`. It would be easily possible to allow
glance “get image” nova “boot” capability instead of needing to know the
roles for policy.json for both glance and nova work for booting a new VM.

Cons: This would likely require a central registry of all the actions that
could be taken (something akin to an IANA port list). Without a grouping to
apply these authorizations to a user (e.g. keystone_admin would convey
“create_project, delete_project, update_project, create_user, delete_user,
update_user, ...”) this becomes unwieldy. The “roles” or “attribute” that
convey capabilities are also relatively static instead of highly dynamic as
they are today. This could also contribute to token-bloat.

I’m sure there are more ways to approach this problem, so please don’t
hesitate to add to the conversation and expand on the options. The above
options are by no mean exhaustive nor fully explored. This change may not
even be something to be expected within the current development cycle
(Kilo) or even the next, but this is a conversation that needs to be
started as it will help make OpenStack better.

Thanks,
Morgan

—
Morgan Fainberg

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Rodrigo Duarte Sousa
Software Engineer

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

2014-10-13 Thread Nathan Kinder



On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
 Description of the problem: Without attempting an action on an endpoint with 
 a current scoped token, it is impossible to know what actions are available 
 to a user.
 
 
 Horizon makes some attempts to solve this issue by sourcing all of the policy 
 files from all of the services to determine what a user can accomplish with a 
 given role. This is highly inefficient as it requires processing the various 
 policy.json files for each request in multiple places and presents a 
 mechanism that is not really scalable to understand what a user can do with 
 the current authorization. Horizon may not be the only service that (in the 
 long term) would want to know what actions a token can take.

This is also extremely useful for being able to actually support more
restricted tokens as well.  If I as an end user want to request a token
that only has the roles required to perform a particular action, I'm
going to need to have a way of knowing what those roles are.  I think
that is one of the main things missing to allow the role-filtered
tokens option that I wrote up after the last Summit to be a viable
approach:

  https://blog-nkinder.rhcloud.com/?p=101

 
 I would like to start a discussion on how we should improve our policy 
 implementation (OpenStack wide) to help make it easier to know what is 
 possible with a current authorization context (Keystone token). The key 
 feature should be that whatever the implementation is, it doesn’t require 
 another round-trip to a third party service to “enforce” the policy which 
 avoids another scaling point like UUID Keystone token validation.
 
 Here are a couple of ideas that we’ve discussed over the last few development 
 cycles (and none of this changes the requirements to manage scope of 
 authorization, e.g. project, domain, trust, ...):
 
 1. Keystone is the holder of all policy files. Each service gets it’s policy 
 file from Keystone and it is possible to validate the policy (by any other 
 service) against a token provided they get the relevant policy file from the 
 authoritative source (Keystone).
 
 Pros: This is nearly completely compatible with the current policy system. 
 The biggest change is that policy files are published to Keystone instead of 
 to a local file on disk. This also could open the door to having keystone 
 build “stacked” policies (user/project/domain/endpoint/service specific) 
 where the deployer could layer policy definitions (layering would allow for 
 stricter enforcement at more specific levels, e.g. users from project X can’t 
 terminate any VMs).

I think that there are a some additional advantages to centralizing
policy storage (not enforcement).

- The ability to centralize management of policy would be very nice.  If
I want to update the policy for all of my compute nodes, I can do it in
one location without the need for external configuration management
solutions.

- We could piggy-back on Keystone's signing capabilities to allow policy
to be signed, providing protection against policy tampering on an
individual endpoint.

 
 Cons: This doesn’t ease up the processing requirement or the need to hold 
 (potentially) a significant number of policy files for each service that 
 wants to evaluate what actions a token can do.

Are you thinking of there being a call to keystone that answers what
can I do with token A against endpoint B?  This seems similar in
concept to the LDAP get effective rights control.  There would
definitely be some processing overhead to this though you could set up
multiple keystone instances and replicate the policy to spread out the
load.  It also might be possible to index the enforcement points by role
in an attempt to minimize the processing for this sort of call.

 
 
 2. Each enforcement point in a service is turned into an attribute/role, and 
 the token contains all of the information on what a user can do (effectively 
 shipping the entire policy information with the token).
 
 Pros: It is trivial to know what a token provides access to: the token would 
 contain something like `{“nova”: [“terminate”, “boot”], “keystone”: 
 [“create_user”, “update_user”], ...}`. It would be easily possible to allow 
 glance “get image” nova “boot” capability instead of needing to know the 
 roles for policy.json for both glance and nova work for booting a new VM.
 
 Cons: This would likely require a central registry of all the actions that 
 could be taken (something akin to an IANA port list). Without a grouping to 
 apply these authorizations to a user (e.g. keystone_admin would convey 
 “create_project, delete_project, update_project, create_user, delete_user, 
 update_user, ...”) this becomes unwieldy. The “roles” or “attribute” that 
 convey capabilities are also relatively static instead of highly dynamic as 
 they are today. This could also contribute to token-bloat.

I think we really want to avoid additional token bloat.

Thanks,
-NGK

 
 
 
 I’m sure

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

Re: [openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites

9 matches

Site Navigation

Mail list logo

Footer information