Re: [openstack-dev] [Glance][Keystone] Glance and trusts

Adam Young Mon, 08 Jun 2015 07:17:16 -0700

On 06/06/2015 06:00 AM, David Chadwick wrote:

In order to do this fully, you will need to work out what all the
possible supply chains are in OpenStack, so that when any customer
starts any chain of events, there is sufficient information in the
message passed to the supplier that allows that supplier to order from
its supplier. This has to be ensured all the way down the chain, so that
important information that one supplier needs was not omitted by a
previous supplier higher up the chain. I suspect that the name of the
initial requestor (at least) will need to be passed all the way down the
chain.

Yes, I think so. This is in keeping with how I understand we need tounify delegation across Keystone constructs.

1. Tokens live too long. They should be short and ephemeral, and if auser needs a new one to complete an action, getting one should betrivial. They should be bound to the endpoint that is the target of theoperation. 5 minutes makes sense as a length of life, as that isessentially "now" when you factor in clock skew. Revocations on tokensto not make sense.

2. Delegation are long lived affairs. If anything is going to takelonger than the duration of the token, it should be in the context of adelegation, and the user should re-authenticate to prove identity.Delegations need to be focused on workflow, not "all operations theruser can do" which means that the Glance case discussed here is a goodstart of documenting "what do you need to get this job done?"

We need to keep it light (not fill up a database) for normal operations,but maintain the chain of responsibility on a given operation. Trustsare the closest thing we have to this model.

In the supply chain example, if one company exchanges a good withanother company, they don't care about the end user, because there is norealy connection between the good and the user yet; if there is aproblem, the original manufacterur can produce another car identical tothe first and replace it without the user being any the wiser.

Contrast this with picking kids up from daycare: as a parent, I have tosign a form saying that my mother-in-law will be picking up the kids ona specific day. My Mother-in-law is not authorized to sign a form thatwill allow her friend to pick the kids up. My kids are very, veryspecific to me, and should be carefully handed off from approvedsupervisor to approved supervisor.

Fetching an image from Glance may well be a causal or a protectedoperation, depending on the image.

Casual if it is a global image: anyone in the world can do it, so no bigdeal.

Protected if, for example, the image is pre-populated with an enrollmentsecret. Only the owners should be able to get at it


regards

David

On 06/06/2015 03:25, Bhandaru, Malini K wrote:

Continuing with David’s example and the need to control access to a
Swift object that Adam points out,

How about using the Glance token from glance-API service to
glance-registry but carry along extra data in the call, namely user-id,
domain, and public/private information, so the object can be access
controlled.

Alternately and encapsulating token

<Glance-token <user-token>> -- keeping it simple, only two levels.  This
protects from on the cusp expired user-tokens.

Could check user quota before attempting the storage.

Should user not have paid dues, Glance knows which objects to garbage
collect!

Regards

Malini

*From:*Adam Young [mailto:ayo...@redhat.com]
*Sent:* Friday, June 05, 2015 4:11 PM
*To:* openstack-dev@lists.openstack.org
*Subject:* Re: [openstack-dev] [Glance][Keystone] Glance and trusts

On 06/05/2015 10:39 AM, Dolph Mathews wrote:

     On Thu, Jun 4, 2015 at 1:54 AM, David Chadwick
     <d.w.chadw...@kent.ac.uk <mailto:d.w.chadw...@kent.ac.uk>> wrote:

     I did suggest another solution to Adam whilst we were in Vancouver, and
     this mirrors what happens in the real world today when I order something
     from a supplier and a whole supply chain is involved in creating the end
     product that I ordered. This is not too dissimilar to a user requesting
     a new VM. Essentially each element in the supply chain trusts the two
     adjacent elements. It has contracts with both its customers and its
     suppliers to define the obligations of each party. When something is
     ordered from it, it trusts the purchaser, and on the strength of this,
     it will order from its suppliers. Each element may or may not know who
     the original customer is, but if it needs to know, it trusts the
     purchaser to tell it. Furthermore the customer does not need to delegate
     any of his/her permissions to his/her supplier. If we used such a system
     of trust between Openstack services, then we would not need delegation
     of authority and "trusts" as they are implemented today. It could
     significantly simplify the interactions between OpenStack services.

     +1! I feel like this is the model that we started with in OpenStack,
     and have grown additional complexity over time without much benefit.


We could roll Glance into Nova, too, and get the same benefit.  There is
a reason we have separate services.  GLance shoud not Trust Nova for all
operations, just some.

David's example elides the fact that there  are checks built in to the
supply chain system to prevent cheating.


     regards
     David


     On 03/06/2015 21:03, Adam Young wrote:
     > On 06/02/2015 12:57 PM, Mikhail Fedosin wrote:
     >> Hello! I think it's a good time to discuss implementation of
     trusts in
     >> Glance v2 and v3 api.
     >>
     >> Currently we have two different situations during image creation
     where
     >> our token may expire, which leads to unsuccessful operation.
     >>
     >> First is connection between glance-api and glance-registry. In this
     >> case we have a solution (https://review.openstack.org/#/c/29967/) -
     >> use_user_token parameter in glance-api.conf, but it is True by
     default
     >> . If it's changed to False then glance-api will use its own
     >> credentials to authorize in glance-registry and it prevents many
     >> possible issues with user token expiration. So, I'm interested if
     >> there are some performance degradations if we change
     use_user_token to
     >> False and what are the reasons against making it the default value.
     >>
     >> Second one is linked with Swift. Current implementation uploads
     chunks
     >> one by one and requires authorization each time. It may lead to
     >> problems: for example we have to upload 100 chunks, after 99th one,
     >> token expired and glance can't upload the last one, catches an
     >> exception and tries to remove stale chunks from storage. Of course it
     >> will fail, because token is not valid anymore, and that's why there
     >> will be 99 garbage objects in the storage.
     >> With Single-tenant mode glance uses its own credentials to upload
     >> files, so it's possible to create new connection on each chunk upload
     >> or catch Unauthorized exception and recreate connections only in that
     >> cases. But with Multi-tenant mode there is no way to do it, because
     >> user credentials are required. So it seems that trusts is the
     only one
     >> solution here.
     > The problem with using trusts is that it would need to be created
     > per-user, and that is going to be expensive.  It would be possible, as
     > Heat does something of this nature:
     >
     > 1. User calls glance,
     > 2. Glance creates a trust with some limitation, either time or
     number of
     > uses
     > 3.  Trusts are used for all operations with swift.
     > 4. Glance should clean up the trust when it is complete.
     >
     > I don't love the solution, but I think it is the best we have.
     Ideally
     > the user would opt in to the trust, but in this case, it is kindof
     > implicit by them calling the API.
     >
     >
     > We should limit the trust creation to only have those roles (or a
     > subset) on the token used to create the trust.
     >
     >
     >
     >
     >> I would be happy to hear your opinions on that matter. If you know
     >> other situations where trusts are useful or some other approaches
     >> please share.
     >>
     >> Best regards,
     >> Mike Fedosin
     >>
     >>
     >>
     >>
     __________________________________________________________________________
     >> OpenStack Development Mailing List (not for usage questions)
     >> Unsubscribe:
     openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
     <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
     >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
     >
     >
     >
     >
     __________________________________________________________________________
     > OpenStack Development Mailing List (not for usage questions)
     > Unsubscribe:
     openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
     <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
     > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
     >

     __________________________________________________________________________
     OpenStack Development Mailing List (not for usage questions)
     Unsubscribe:
     openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
     <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__________________________________________________________________________

OpenStack Development Mailing List (not for usage questions)

Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe 
<mailto:openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Glance][Keystone] Glance and trusts

Reply via email to