Comment 9 for bug 1626046

Davanum Srinivas (DIMS) (dims-v) wrote :

Update from Boris:

Trusts with federation don't really work together, and in fact are not
supposed to. The fact that we didn't explicitly say that in keystone is
a huge mistake.

They don't work because we cannot know what happens on the remote side,
in IdP. For example, if user gets moved from employees to ex-employees,
there is no way for us to notice that. The following situation is possible:

Let user A be in group "employees". Being one of employees, the user
creates a trust for user B. Then A gets dismissed, removed from group
employees and added to group ex-employees. Keystone doesn't know about
that. User A can now authenticate as user B and restore all roles they
previously had.

The solution for that could be limiting trust lifetime, as was suggested
at the meeting yesterday. It would work for Murano. But doesn't work for
Heat. Heat uses trusts to perform operations long after the token has
expired. For example, autoscaling can get triggered 30 days after it
gets created. And at that moment Heat requires the trust.
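A constructed toy model of the timeline in the comment above (added here as an illustration; it is not keystone code, and the IdP state, mapping rule and day numbers are all made up): the trustor's roles are snapshotted into the trust, keystone can only check expiry locally, and a lifetime limit closes the ex-employee gap at the price of breaking a 30-day autoscale.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed IdP state: group membership lives in the IdP; keystone never sees changes to it.
IDP_GROUPS = {"A": {"employees"}}
# Constructed mapping rule: federated group -> keystone roles.
GROUP_ROLES = {"employees": frozenset({"member"}), "ex-employees": frozenset()}


@dataclass
class Trust:
    trustor: str
    trustee: str
    roles: frozenset               # snapshot of the trustor's roles at creation time
    created_day: int
    lifetime_days: Optional[int]   # None models an unlimited trust


def roles_for(user: str) -> frozenset:
    """Roles keystone would derive from a fresh federated assertion for `user`."""
    roles = set()
    for group in IDP_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, frozenset())
    return frozenset(roles)


def create_trust(trustor: str, trustee: str, day: int, lifetime_days: Optional[int] = None) -> Trust:
    return Trust(trustor, trustee, roles_for(trustor), day, lifetime_days)


def consume_trust(trust: Trust, day: int) -> frozenset:
    """Keystone-side check: only expiry is knowable locally; IdP-side changes are invisible."""
    expired = trust.lifetime_days is not None and day > trust.created_day + trust.lifetime_days
    return frozenset() if expired else trust.roles


def scenario(lifetime_days: Optional[int] = None) -> dict:
    """Replay the comment's timeline; returns the roles the trustee obtains at each step."""
    IDP_GROUPS["A"] = {"employees"}                  # reset constructed IdP state
    trust = create_trust("A", "B", day=0, lifetime_days=lifetime_days)
    IDP_GROUPS["A"] = {"ex-employees"}               # day 1: A dismissed at the IdP
    return {
        "fresh_login_day2": roles_for("A"),          # a new login would grant nothing
        "trust_day2": consume_trust(trust, 2),       # does the trust still hand out old roles?
        "heat_autoscale_day30": consume_trust(trust, 30),
    }
```

With `scenario()` (unlimited trust) the trust still yields `member` on day 2 although a fresh login yields nothing; with `scenario(lifetime_days=1)` both the day-2 misuse and the day-30 Heat autoscale come back empty.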