Limited use trusts

Bug #1250617 reported by Adam Young
Affects                         Status         Importance   Assigned to      Milestone
OpenStack Identity (keystone)   Fix Released   Wishlist     Matthieu Huin
python-keystoneclient           Fix Released   Wishlist     Matthieu Huin

Bug Description

If a trust has been created with the sole purpose of supporting a one-time process, the trust should not be able to get more than one token. A generic implementation of this would allow a trust to be created with a counter of potential uses, with the trust inactivated after the last usage.

Matthieu Huin (mhu-s)
Changed in keystone:
assignee: nobody → Matthieu Huin (mhu-s)
Matthieu Huin (mhu-s)
Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) wrote :

When should the number of remaining "uses" be decremented? All tokens can be reused an unlimited number of times until they expire, so it would have to be revoked by auth_token in order to be truly limited in use?

Jamie Lennox (jamielennox) wrote :

I think it's ok to say that this trust can be used to issue only X tokens even though the token can be used many times. This makes decrementing fairly trivial.

The interesting part of this would be:
 - How do we prevent that token being used to generate a new token?
 - Should a trust be able to specify an expiry delta for tokens that are generated from it, or some other restrictions?

Matthieu Huin (mhu-s) wrote :

I took Jamie's approach in my patches:

https://review.openstack.org/#/c/57492/
https://review.openstack.org/#/c/57481/
https://review.openstack.org/#/c/56243/

As for your first question, I believe it is already impossible to generate a new token from a trust token, or am I mistaken? ( https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L155 )

Changed in keystone:
assignee: Matthieu Huin (mhu-s) → Steve Martinelli (stevemar)
Steve Martinelli (stevemar) wrote :
Changed in keystone:
assignee: Steve Martinelli (stevemar) → nobody
assignee: nobody → Matthieu Huin (mhu-s)
milestone: none → icehouse-3
Changed in keystone:
assignee: Matthieu Huin (mhu-s) → Dolph Mathews (dolph)
Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Matthieu Huin (mhu-s)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/56243
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=db9e0c6c4ab03c52e9adbf770b05315a3ead29be
Submitter: Jenkins
Branch: master

commit db9e0c6c4ab03c52e9adbf770b05315a3ead29be
Author: Matthieu Huin <email address hidden>
Date: Wed Nov 13 17:24:33 2013 +0100

    Limited use trusts

    Trusts now have a "remaining_uses" field that tracks how many times
    a trust can still issue a token. It is decremented by 1 each time a
    trust related authentication occurs (call to /auth/tokens), until it
    reaches 0 and no token can be issued through this trust anymore. If
    set to null (default value), trusts can be used indefinitely to
    authenticate.

    Closes-Bug: #1250617
    Implements: bp trusts-chained-delegation
    DocImpact
    Co-Authored-By: Florent Flament <email address hidden>

    Change-Id: I2c80b6d548a6715da0366c6f64ee58fbce514adb
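A model of the "remaining_uses" semantics described in the commit message above, written as an added example rather than keystone's own code: the TrustStore, consume_use and issue_trust_token names are assumptions, and the trustee check and the refusal to chain from a trust-scoped token are the points raised earlier in this thread.

```python
import threading
from dataclasses import dataclass
from typing import Optional

class TrustExhausted(Exception):
    """remaining_uses has reached 0: no more tokens through this trust."""

@dataclass
class Trust:
    trust_id: str
    trustor: str
    trustee: str
    remaining_uses: Optional[int] = None  # None (default) == unlimited

@dataclass
class Token:
    user: str
    trust_id: Optional[str] = None  # set when obtained through a trust

class TrustStore:
    def __init__(self):
        self._trusts = {}
        self._lock = threading.Lock()  # check-and-decrement must be atomic

    def create(self, trust):
        if trust.remaining_uses is not None and trust.remaining_uses < 1:
            raise ValueError("remaining_uses must be null or >= 1")
        self._trusts[trust.trust_id] = trust
        return trust

    def consume_use(self, trust_id, user):
        """Spend one use on behalf of the trustee; unlimited trusts stay None."""
        with self._lock:
            trust = self._trusts[trust_id]
            if user != trust.trustee:
                raise PermissionError("only the trustee may use this trust")
            if trust.remaining_uses is not None:
                if trust.remaining_uses <= 0:
                    raise TrustExhausted(trust_id)
                trust.remaining_uses -= 1
            return trust

def issue_trust_token(store, auth_token, trust_id):
    """Model of a trust-scoped POST /auth/tokens."""
    if auth_token.trust_id is not None:  # no chaining from a trust token
        raise PermissionError("trust tokens cannot authenticate with a trust")
    trust = store.consume_use(trust_id, auth_token.user)
    return Token(user=trust.trustor, trust_id=trust.trust_id)
```

The use counter is spent only after the trustee check passes, so a non-trustee caller cannot burn a one-shot trust's single use.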

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in python-keystoneclient:
importance: Undecided → Wishlist
status: New → In Progress
assignee: nobody → Matthieu Huin (mhu-s)
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/57492
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=5528f1a5be829b65573d4f527052be6195a96839
Submitter: Jenkins
Branch: master

commit 5528f1a5be829b65573d4f527052be6195a96839
Author: Matthieu Huin <email address hidden>
Date: Wed Nov 20 17:55:49 2013 +0100

    Limited use trusts

    Trusts now have a "remaining_uses" field that tracks how many times
    a trust can still issue a token. It is decremented by 1 each time a
    trust related authentication occurs (call to /auth/tokens), until it
    reaches 0 and no token can be issued through this trust anymore. If
    set to null (default value), trusts can be used indefinitely to
    authenticate.
    This is the client side of the implementation.

    Closes-Bug: #1250617
    Implements: bp trusts-chained-delegation

    Change-Id: Ib035a9772b7f035c3a9af102e8e15a860a96a96d

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.9.0
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released