Hello folks,
There has been discussion about adding user group support to the per-secret
access control list (ACL) feature in Barbican. Hence secrets could be marked as
accessible by a group on the ACL rather than an individual user as implemented
now.
Our understanding is that Keystone does n
;
mailto:openstack-dev@lists.openstack.org>>,
Henry Nash mailto:hen...@linux.vnet.ibm.com>>, Henry
Nash/UK/IBM@IBMGB
Date: 05/06/2015 15:38
Subject:Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
_
tack-dev@lists.openstack.org>
> Date: Friday, June 5, 2015 at 12:49 PM
>
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev@lists.openstack.org>
> Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
> X-Group-xxx
s,
>> John
>>
>>
>> From: Henry Nash
>> Reply-To: "OpenStack Development Mailing List (not for usage questions)"
>>
>> Date: Friday, June 5, 2015 at 12:49 PM
>>
>> To: "OpenStack Development Mailing List (not for usage questions)&q
On Wed, Jun 3, 2015 at 5:58 PM, John Wood wrote:
> Hello folks,
>
> There has been discussion about adding user group support to the
> per-secret access control list (ACL) feature in Barbican. Hence secrets
> could be marked as accessible by a group on the ACL rather than an
> individual user a
In general I am of the opinion with the move to Fernet there is no good reason
we should avoid adding the group information into the token.
--Morgan
Sent via mobile
> On Jun 3, 2015, at 18:44, Dolph Mathews wrote:
>
>
>> On Wed, Jun 3, 2015 at 5:58 PM, John Wood wrote:
>> Hello folks,
>>
] Regarding exposing
X-Group- in token validation
In general I am of the opinion with the move to Fernet there is no good reason
we should avoid adding the group information into the token.
--Morgan
Sent via mobile
On Jun 3, 2015, at 18:44, Dolph Mathews
mailto:dolph.math...@gmail.com>>
,
Steve Martinelli
OpenStack Keystone Core
From: "Fox, Kevin M"
To: "OpenStack Development Mailing List (not for usage questions)"
Date: 06/03/2015 11:14 PM
Subject: Re: [openstack-dev] [keystone][barbican] Regarding
exposing X-Group- in toke
; To:"OpenStack Development Mailing List (not for usage questions)"
>
> Date: 06/03/2015 11:14 PM
> Subject: Re: [openstack-dev] [keystone][barbican] Regarding
> exposingX-Group- in token validation
> ---
d workflow).
>>
>> Thanks,
>>
>> Steve Martinelli
>> OpenStack Keystone Core
>>
>>
>>
>> From: "Fox, Kevin M"
>> To: "OpenStack Development Mailing List (not for usage questions)"
>>
>>
questions)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
Dozens to hundreds of roles or endpoints could cause an issue now :)
But yeah, groups are much more likely to number in the dozens than roles or
endpoints. But I think the Fernet token size
in token validation
>> --
>>
>>
>>
>> Will dozens to a hundred groups or so on one user cause issues? :)
>>
>> Thanks,
>> Kevin
>>
>> --
>> *From:* Morgan Fainberg
>> *
On 06/04/15 14:03, Fox, Kevin M wrote:
Some kind of intermediate mapping might be better. With ldap, I dont
have control over the groups users are assigned since thats an
enterprise/AD thing. There can be a lot of them. Groups to Role
relations I guess do that mapping. Though maybe passing grou
now :)
>>>
>>> But yeah, groups are much more likely to number in the dozens than roles
>>> or endpoints. But I think the Fernet token size is so small that it could
>>> probably handle this (since it does so now
>
>>>
>>> From:"Fox, Kevin M"
>>> To:"OpenStack Development Mailing List (not for usage
>>> questions)"
>>> Date:06/03/2015 11:14 PM
>>> Subject:Re: [openstack-dev] [keystone][barbican] Re
Thanks,
Kevin
From: Dolph Mathews [dolph.math...@gmail.com]
Sent: Thursday, June 04, 2015 1:41 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
Problem! In writing a spec fo
ists.openstack.org>>
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
In Juno I tried adding a user in Domain A to group in Domain B. That currently
is not supported. Would be very handy though.
We're getting a ways from the original p
tack Development Mailing List (not for usage questions)" <
> openstack-dev@lists.openstack.org>
> Date: Thursday, June 4, 2015 at 6:01 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev@lists.openstack.org>
>
> Subject: R
Sent: Friday, June 05, 2015 7:37:54 AM
To: OpenStack Development Mailing List (not for usage questions); Henry Nash;
Henry Nash
Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
X-Group- in token validation
On Thu, Jun 4, 2015 at 10:17 PM, John Wood
mailto:john.w
questions)"
> mailto:openstack-dev@lists.openstack.org>>
> Date: Thursday, June 4, 2015 at 6:01 PM
> To: "OpenStack Development Mailing List (not for usage questions)"
> mailto:openstack-dev@lists.openstack.org>>
>
> Subject: Re: [openstack-dev] [keystone][bar
nry
>
>
> From: Dolph Mathews To: "OpenStack Development
> Mailing List (not for usage questions)" ,
> Henry Nash , Henry Nash/UK/IBM@IBMGB Date:
> 05/06/2015
> 15:38 Subject: Re: [openstack-dev] [keystone][barbican] Regarding
> exposing X-Group- in token validat
t;mailto:openstack-dev@lists.openstack.org>>, Henry Nash
> mailto:hen...@linux.vnet.ibm.com>>, Henry
> Nash/UK/IBM@IBMGB
> Date: 05/06/2015 15:38
> Subject: Re: [openstack-dev] [keystone][barbican] Regarding exposing
> X-Group- in token validation
>
>
&
22 matches
Mail list logo
