Re: [openstack-dev] [Horizon] User Signup
On 15 February 2014 16:52, Soren Hansen wrote:
> On 15/02/2014 00.19 "Adam Young" wrote:
>>> Could you please spend 5 minutes on the blueprint
>>> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
>>> your suggestions in the white board.
>> Does it make sense for this to be in Keystone first, and then Horizon just
>> consumes it? I would think that "user-registration-request" would be a
>> reasonable Keystone extension. Then, you would add a role "user-approver"
>> for a specific domain to approve a user, which would trigger the create
>> event.
>
> This makes perfect sense to me.

+1. It certainly is Keystone's domain, so an API extension sounds like the right way to go.

Kieran

> /Soren

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Horizon] User Signup
On 15/02/2014 00.19 "Adam Young" wrote:
>> Could you please spend 5 minutes on the blueprint
>> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
>> your suggestions in the white board.
> Does it make sense for this to be in Keystone first, and then Horizon just
> consumes it? I would think that "user-registration-request" would be a
> reasonable Keystone extension. Then, you would add a role "user-approver"
> for a specific domain to approve a user, which would trigger the create
> event.

This makes perfect sense to me.

/Soren
Re: [openstack-dev] [Horizon] User Signup
On 02/01/2014 12:24 PM, Saju M wrote:
> Hi folks,
>
> Could you please spend 5 minutes on the blueprint
> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
> your suggestions in the white board.
>
> Thanks,

Does it make sense for this to be in Keystone first, and then Horizon just consumes it? I would think that "user-registration-request" would be a reasonable Keystone extension. Then, you would add a role "user-approver" for a specific domain to approve a user, which would trigger the create event.
Re: [openstack-dev] [Horizon] User Signup
2014-02-10 17:03 GMT+01:00 Kieran Spear:
> On 10 February 2014 08:27, Soren Hansen wrote:
>> I agree that putting admin credentials on a public web server is a
>> security risk, but I'm not sure why a set of restricted admin
>> credentials that only allow you to create users and tenants is a
>> bigger problem than the credentials for separate registration service
>> that performs the exact same operations?
> The third (and most dangerous) operation here is the role grant. I
> don't think any Keystone policy could be specific enough to prevent
> arbitrary member role assignment in this case.

Fair enough. That seems like something we should fix, though.

It really seems to me like adding this intermediate service is an overly complicated (although necessary given the current constraints) approach. User registration seems like something that very much falls under Keystone's domain:

 * Keystone should abstract any and all interaction with the user database. Having another service that adds things directly to MySQL or LDAP seems wrong to me.

 * Having a component whose only job is to talk to Keystone really screams to me that it ought to be part of Keystone.

Perhaps a user registration API extension that lets you pass just username/password/whatever and then it creates the relevant things on the backend in a way that's configured in Keystone. I.e. it validates the request and then creates the user and tenant and grants the appropriate roles.

As I see it, if we don't trust Keystone's security, we're *so* screwed anyway. This needs to work.

-- 
Soren Hansen | http://linux2go.dk/
Ubuntu Developer | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
Re: [openstack-dev] [Horizon] User Signup
Hi Soren,

On 10 February 2014 08:27, Soren Hansen wrote:
> I've just taken a look at the feedback in the whiteboard. If it's ok,
> I'd like to take this discussion back to the mailing list. I find the
> whiteboards somewhat clumsy for discussions.
>
> Akihiro Motoki points out that all services should work without the
> dashboard. Keystone already exposes an API to create new users, so
> that requirement is already fulfilled, whether there's an intermediate
> service or not, so I don't really understand this objection.
>
> Kieran Spear argues in favour of a separate registration service that
> Horizon talks to over some sort of RPC interface. He argues that
> putting Keystone admin credentials on public facing webserver is a
> security risk.
>
> I agree that putting admin credentials on a public web server is a
> security risk, but I'm not sure why a set of restricted admin
> credentials that only allow you to create users and tenants is a
> bigger problem than the credentials for separate registration service
> that performs the exact same operations?

The third (and most dangerous) operation here is the role grant. I don't think any Keystone policy could be specific enough to prevent arbitrary member role assignment in this case.

How do you express the following as a set of policies in Keystone?

"Allow a user to create a new user and a new project and grant the member role for only that user on only that project."

There may be other ways around this particular case, but in these situations I accept that mistakes are inevitable, and another layer of isolation helps to reduce the impact when things go wrong.

Cheers,
Kieran

> Soren Hansen | http://linux2go.dk/
> Ubuntu Developer | http://www.ubuntu.com/
> OpenStack Developer | http://www.openstack.org/
>
> 2014-02-01 18:24 GMT+01:00 Saju M:
>> Hi folks,
>>
>> Could you please spend 5 minutes on the blueprint
>> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
>> your suggestions in the white board.
>>
>> Thanks,
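The policy-expressiveness problem Kieran raises here ("grant the member role for only that user on only that project"), together with Soren's counter-proposal earlier in the thread of one registration operation that validates the request and then creates the user, creates the project and grants the role itself, as an added example. This is not code from any message in the thread, nor Keystone, Horizon or oslo.policy code. The action names (identity:create_user, identity:create_project, identity:create_grant), the role names "registrar" and "member", the rule syntax that only mimics the shape of a policy.json rule, and the in-memory identity backend are all constructed for the illustration.

```python
"""Added example for the [Horizon] User Signup thread; not project code.

Toy policy evaluator plus an in-memory identity store. The rule syntax
("role:x", "project_id:%(target.project_id)s") mimics the shape of a
Keystone policy.json rule but is NOT oslo.policy. Action names, role
names and the backend are assumptions made for this example.
"""

import uuid


# ---- toy policy evaluator ------------------------------------------------

def check(rule, creds, target):
    """Evaluate one rule string against the caller's credentials.

    'role:X'            -> X must be in creds['roles']
    'KEY:%(PATH)s'      -> creds[KEY] must equal the target value at PATH
    'A or B'            -> disjunction (all this example needs)
    """
    if " or " in rule:
        return any(check(r, creds, target) for r in rule.split(" or "))
    key, _, value = rule.partition(":")
    if key == "role":
        return value in creds.get("roles", ())
    if value.startswith("%(") and value.endswith(")s"):
        # generic check: compare a credential attribute with a target field
        obj = {"target": target}
        for part in value[2:-2].split("."):
            obj = obj.get(part) if isinstance(obj, dict) else None
        return obj is not None and creds.get(key) == obj
    raise ValueError("unsupported rule: %r" % rule)


# Policy for "restricted admin" credentials living on the public web
# server. It can say WHO may grant, but it has no credential attribute to
# compare the target project against: the project the registrar should be
# limited to does not exist yet when the credentials are issued.
RESTRICTED_POLICY = {
    "identity:create_user": "role:registrar",
    "identity:create_project": "role:registrar",
    "identity:create_grant": "role:registrar or project_id:%(target.project_id)s",
}

WEB_TIER_CREDS = {"roles": ["registrar"]}   # nothing pins it to one project


def web_tier_can_grant_on(project_id):
    """Does policy let the web tier's credentials grant on ANY project?"""
    return check(RESTRICTED_POLICY["identity:create_grant"], WEB_TIER_CREDS,
                 {"project_id": project_id})


# ---- the isolating alternative: one narrow registration operation --------

class IdentityBackend:
    """Stand-in for the user/project/role store behind Keystone."""

    def __init__(self):
        self.users = {}          # id -> name
        self.projects = {}       # id -> name
        self.grants = set()      # (user_id, project_id, role)

    def create_user(self, name):
        if name in self.users.values():
            raise ValueError("user exists: %s" % name)
        uid = uuid.uuid4().hex
        self.users[uid] = name
        return uid

    def create_project(self, name):
        pid = uuid.uuid4().hex
        self.projects[pid] = name
        return pid

    def create_grant(self, user_id, project_id, role):
        if user_id not in self.users or project_id not in self.projects:
            raise KeyError("unknown user or project")
        self.grants.add((user_id, project_id, role))


class RegistrationService:
    """Holds the privileged credentials itself; callers only get
    register(username). The grant target is never caller-supplied, so a
    compromised caller cannot reach any project but the one created here."""

    def __init__(self, backend):
        self._backend = backend

    def register(self, username):
        if not username or not username.isalnum():   # validate the request
            raise ValueError("invalid username")
        user_id = self._backend.create_user(username)
        project_id = self._backend.create_project(username + "-project")
        self._backend.create_grant(user_id, project_id, "member")
        return user_id, project_id


def demo():
    """Run both paths; returns the values a caller can inspect."""
    backend = IdentityBackend()
    ops_project = backend.create_project("ops")      # pre-existing, sensitive
    blind_spot = web_tier_can_grant_on(ops_project)  # policy cannot say no
    user_id, project_id = RegistrationService(backend).register("alice")
    return blind_spot, user_id, project_id, ops_project, sorted(backend.grants)


if __name__ == "__main__":
    blind_spot, user_id, project_id, ops_project, grants = demo()
    print("web tier may grant on arbitrary project:", blind_spot)
    print("registration service grants:", grants)
```

The generic `project_id:%(target.project_id)s` check is the closest thing a policy file has to "only that project", and it is useless here because the registrar's credentials carry no project id that could match a project created moments later. Moving the three calls behind `register()` is what turns "role:registrar may grant" into "member is granted exactly once, on exactly the new project".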
Re: [openstack-dev] [Horizon] User Signup
I've just taken a look at the feedback in the whiteboard. If it's ok, I'd like to take this discussion back to the mailing list. I find the whiteboards somewhat clumsy for discussions.

Akihiro Motoki points out that all services should work without the dashboard. Keystone already exposes an API to create new users, so that requirement is already fulfilled, whether there's an intermediate service or not, so I don't really understand this objection.

Kieran Spear argues in favour of a separate registration service that Horizon talks to over some sort of RPC interface. He argues that putting Keystone admin credentials on public facing webserver is a security risk.

I agree that putting admin credentials on a public web server is a security risk, but I'm not sure why a set of restricted admin credentials that only allow you to create users and tenants is a bigger problem than the credentials for separate registration service that performs the exact same operations?

Soren Hansen | http://linux2go.dk/
Ubuntu Developer | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/

2014-02-01 18:24 GMT+01:00 Saju M:
> Hi folks,
>
> Could you please spend 5 minutes on the blueprint
> https://blueprints.launchpad.net/horizon/+spec/user-registration and add
> your suggestions in the white board.
>
> Thanks,
[openstack-dev] [Horizon] User Signup
Hi folks,

Could you please spend 5 minutes on the blueprint https://blueprints.launchpad.net/horizon/+spec/user-registration and add your suggestions in the white board.

Thanks,