[EDP] Using trust delegation for Swift authentication
For access to Swift objects, Sahara should be changed to generate a Keystone trust between the user with access to those objects and the Sahara admin user. The trust would be established based on the user’s membership in the project that contains the Swift objects. Using this trust, the Sahara user could generate authentication tokens to access the Swift objects. When access is no longer needed, the trust can be revoked, thus invalidating the tokens.
With this methodology, Sahara could move away from distributing the credentials for access and instead distribute tokens. In addition, Sahara would not need to store tokens for long periods of time, as they could be regenerated when needed.
(detailed spec in review)
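The trust lifecycle described above, as an added example that is not Sahara's own code: it builds the three Keystone v3 requests (create the trust, obtain a trust-scoped token, revoke the trust). The endpoint, IDs, role name, lifetime and impersonation value are assumptions made for illustration.

```python
"""Keystone v3 OS-TRUST request sequence (added example; all values are placeholders)."""
import json
from datetime import datetime, timedelta, timezone

KEYSTONE = "https://keystone.example.org:5000/v3"  # assumed endpoint


def create_trust_request(trustor_id, trustee_id, project_id, roles,
                         lifetime_hours, impersonation=False, now=None):
    """Sent with the trustor's (data owner's) own token."""
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(hours=lifetime_hours)
    body = {"trust": {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,               # delegation is scoped to one project
        "roles": [{"name": r} for r in roles],  # delegate only the roles needed
        "impersonation": impersonation,         # assumption: the page does not say
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
    }}
    return "POST", KEYSTONE + "/OS-TRUST/trusts", body


def trust_token_request(trustee_id, trustee_password, trust_id):
    """Trustee authenticates as itself, scoped to the trust, to get a token."""
    body = {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": trustee_id,
                                           "password": trustee_password}}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}
    return "POST", KEYSTONE + "/auth/tokens", body


def revoke_trust_request(trust_id):
    """Deleting the trust invalidates tokens issued from it."""
    return "DELETE", KEYSTONE + "/OS-TRUST/trusts/" + trust_id, None


if __name__ == "__main__":
    steps = [
        create_trust_request("USER_ID", "SAHARA_USER_ID", "PROJECT_ID", ["Member"], 1),
        trust_token_request("SAHARA_USER_ID", "SAHARA_PASSWORD", "TRUST_ID"),
        revoke_trust_request("TRUST_ID"),
    ]
    for method, url, body in steps:
        print(method, url)
        if body:
            print(json.dumps(body, indent=2))
```

Only the trust ID needs to be kept between steps; the token is requested again whenever access is needed and stops working once the trust is deleted or expires.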
Blueprint information
- Status: Complete
- Approver: Sergey Lukjanov
- Priority: High
- Drafter: Michael McCune
- Direction: Approved
- Assignee: Michael McCune
- Definition: Approved
- Series goal: Accepted for juno
- Implementation: Implemented
- Milestone target: 2014.2
- Started by: Michael McCune
- Completed by: Sergey Lukjanov
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
[EDP] Using trust delegation for Swift authentication
Addressed by: https:/
Updating EDP Swift trust authentication spec
Addressed by: https:/
Adding sanitization for trusts in JobExecution model
Addressed by: https:/
Adding job execution status constants
Addressed by: https:/
Adding configuration and check for proxy domain
Addressed by: https:/
Adding proxy user creation per job execution
Addressed by: https:/
Adding trust delegation and removal for proxy users
Addressed by: https:/
Updating JobBinaries to use proxy for Swift access
Addressed by: https:/
Refactoring DataSources to use proxy user
Addressed by: https:/
Add Keystone V3 TRUST support
Addressed by: https:/
Adding a periodic task to remove zombie proxy users
Addressed by: https:/
Adding documentation for proxy domain usage
Work Items
Work items:
[mimccune] Domain detection and configuration option: DONE
[mimccune] Proxy user creation/
[mimccune] Trust acquisition/
[mimccune] JobBinary update: DONE
[mimccune] DataSource update: DONE
[mimccune] EDP Workflow update: DONE
[oikawa] Hadoop Swift file system component: DONE
[mimccune] Periodic proxy user removal task: DONE
Documentation: DONE
Tests: DONE
[croberts] Horizon UI changes: INPROGRESS