[EDP] Using trust delegation for Swift authentication

Registered by Michael McCune

For access to Swift objects, Sahara should be changed to generate a Keystone trust between the user with access to those objects and the Sahara admin user. The trust would be established based on the user's membership in the project that contains the Swift objects. Using this trust, the Sahara user could generate authentication tokens to access the Swift objects. When access is no longer needed, the trust can be revoked, thus invalidating the tokens.

With this methodology, Sahara could move away from distributing the credentials for access and instead distribute tokens. In addition, Sahara would not need to store tokens for long periods of time, as they could be regenerated when needed.
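The three messages of the flow described above, written out as Keystone v3 OS-TRUST request bodies. This is an added example, not Sahara's code or part of the blueprint. The IDs, role name and lifetime are constructed, and impersonation plus a mandatory expiry are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

TRUSTS_PATH = "/v3/OS-TRUST/trusts"
TOKENS_PATH = "/v3/auth/tokens"


def build_trust_request(trustor_id, trustee_id, project_id, roles, lifetime_s, now=None):
    """Body for POST /v3/OS-TRUST/trusts, sent with the trustor's (job owner's) token."""
    if not roles:
        raise ValueError("delegate explicitly named roles, never an empty set")
    if lifetime_s <= 0:
        raise ValueError("the trust must carry a finite lifetime")
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(seconds=lifetime_s)
    return {"trust": {
        "trustor_user_id": trustor_id,   # user who can read the Swift objects
        "trustee_user_id": trustee_id,   # Sahara-side user that will act for them
        "project_id": project_id,        # project that contains the objects
        "impersonation": True,           # assumption: tokens act as the trustor
        "roles": [{"name": r} for r in roles],
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }}


def build_trust_scoped_auth(trustee_id, trustee_password, trust_id):
    """Body for POST /v3/auth/tokens: the trustee authenticates, scoped to the trust."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"id": trustee_id, "password": trustee_password}},
        },
        # Scoping to the trust (not to a project) yields a token limited to the
        # delegated roles; it can be requested again whenever one is needed.
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


def revoke_request(trust_id):
    """(method, path) that deletes the trust once the job no longer needs access."""
    return ("DELETE", f"{TRUSTS_PATH}/{trust_id}")
```

Only the trust ID has to be kept for the job; the trustor's password never appears in any of the three requests.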

(detailed spec in review)

Blueprint information

Sergey Lukjanov
Michael McCune
Michael McCune
Series goal:
Accepted for juno
Milestone target:
2014.2
Started by
Michael McCune
Completed by
Sergey Lukjanov


Gerrit topic: https://review.openstack.org/#q,topic:bp/edp-swift-trust-authentication,n,z

Addressed by: https://review.openstack.org/104647
    [EDP] Using trust delegation for Swift authentication

Addressed by: https://review.openstack.org/113591
    Updating EDP Swift trust authentication spec

Addressed by: https://review.openstack.org/109442
    Adding sanitization for trusts in JobExecution model

Addressed by: https://review.openstack.org/110841
    Adding job execution status constants

Addressed by: https://review.openstack.org/115654
    Adding configuration and check for proxy domain

Addressed by: https://review.openstack.org/116426
    Adding proxy user creation per job execution

Addressed by: https://review.openstack.org/116616
    Adding trust delegation and removal for proxy users

Addressed by: https://review.openstack.org/117052
    Updating JobBinaries to use proxy for Swift access

Addressed by: https://review.openstack.org/118465
    Refactoring DataSources to use proxy user

Addressed by: https://review.openstack.org/118972
    Add Keystone V3 TRUST support

Addressed by: https://review.openstack.org/119388
    Adding a periodic task to remove zombie proxy users

Addressed by: https://review.openstack.org/119767
    Adding documentation for proxy domain usage


Work Items

[mimccune] Domain detection and configuration option: DONE
[mimccune] Proxy user creation/destruction: DONE
[mimccune] Trust acquisition/revocation: DONE
[mimccune] JobBinary update: DONE
[mimccune] DataSource update: DONE
[mimccune] EDP Workflow update: DONE
[oikawa] Hadoop Swift file system component: DONE
[mimccune] Periodic proxy user removal task: DONE
Documentation: DONE
Tests: DONE
[croberts] Horizon UI changes: INPROGRESS
