(not for usage questions)
openstack-dev@lists.openstack.org
Date: Friday, June 5, 2015 at 12:49 PM
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
The one proviso is that in single LDAP situations, the cloud provider can choose
(for backward compatibility reasons) to allow the underlying LDAP user/group
ID….so we might want to advise
at 12:49 PM
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
The one proviso is that in single LDAP situations, the cloud provider
can
@lists.openstack.org
Date: Thursday, June 4, 2015 at 6:01 PM
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In Juno I tried adding a user
, Henry Nash
hen...@linux.vnet.ibm.com, Henry
Nash/UK/IBM@IBMGB
Date: 05/06/2015 15:38
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
On Thu, Jun 4, 2015 at 10:17 PM, John Wood john.w
@lists.openstack.org openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In Juno I tried adding a user in Domain A to group in Domain B. That
currently is not supported. Would be very handy though.
We're getting a ways
(not for usage questions)
openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In Juno I tried adding a user in Domain A to group in Domain B. That
currently is not supported
Sent: Friday, June 05, 2015 7:37:54 AM
To: OpenStack Development Mailing List (not for usage questions); Henry Nash;
Henry Nash
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
On Thu, Jun 4, 2015 at 10:17 PM, John Wood
john.w
@lists.openstack.org
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In Juno I tried adding a user in Domain A to group in Domain B. That currently
is not supported. Would be very handy though.
We're getting
)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In general I am of the opinion with the move to Fernet there is no good
reason we should avoid adding the group information into the token.
--Morgan
Sent via mobile
On Jun 3, 2015
From: Dolph Mathews [dolph.math...@gmail.com]
Sent: Thursday, June 04, 2015 1:41 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
Problem! In writing a spec for this ( https
List (not for usage
questions) openstack-dev@lists.openstack.org
Date: 06/03/2015 11:14 PM
Subject: Re: [openstack-dev] [keystone][barbican] Regarding
exposing X-Group- in token validation
--
Will dozens to a hundred groups or so
Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Date: 06/03/2015 11:14 PM
Subject: Re: [openstack-dev] [keystone][barbican] Regarding
exposing X-Group- in token validation
Will dozens to a hundred groups or so on one user cause
questions)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
Dozens to hundreds of roles or endpoints could cause an issue now :)
But yeah, groups are much more likely to number in the dozens than roles or
endpoints. But I think the Fernet token size
Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In general I am of the opinion with the move to Fernet there is no good
reason we should avoid adding the group information into the token
On 06/04/15 14:03, Fox, Kevin M wrote:
Some kind of intermediate mapping might be better. With ldap, I don't
have control over the groups users are assigned since that's an
enterprise/AD thing. There can be a lot of them. Groups to Role
relations I guess do that mapping. Though maybe passing
Hello folks,
There has been discussion about adding user group support to the per-secret
access control list (ACL) feature in Barbican. Hence secrets could be marked as
accessible by a group on the ACL rather than an individual user as implemented
now.
Our understanding is that Keystone does
] Regarding exposing
X-Group- in token validation
In general I am of the opinion with the move to Fernet there is no good reason
we should avoid adding the group information into the token.
--Morgan
Sent via mobile
On Jun 3, 2015, at 18:44, Dolph Mathews
dolph.math
On Wed, Jun 3, 2015 at 5:58 PM, John Wood john.w...@rackspace.com wrote:
Hello folks,
There has been discussion about adding user group support to the
per-secret access control list (ACL) feature in Barbican. Hence secrets
could be marked as accessible by a group on the ACL rather than an
questions)
openstack-dev@lists.openstack.org
Date: 06/03/2015 11:14 PM
Subject: Re: [openstack-dev] [keystone][barbican] Regarding
exposing X-Group- in token validation
--
Will dozens to a hundred groups or so on one user cause issues
In general I am of the opinion with the move to Fernet there is no good reason
we should avoid adding the group information into the token.
--Morgan
Sent via mobile
On Jun 3, 2015, at 18:44, Dolph Mathews dolph.math...@gmail.com wrote:
On Wed, Jun 3, 2015 at 5:58 PM, John Wood
X-Group- in token validation
Will dozens to a hundred groups or so on one user cause issues? :)
Thanks,
Kevin
From: Morgan Fainberg
Sent: Wednesday, June 03, 2015 7:23:22 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone