Keystone explicitly lists the token identifiers for the revoked tokens if the token revocation lists. This lends itself to simple revocation checking: is the ID on the list? No? Token is still good. However, the number of drawbacks in this approach overwhelm the simplicity of it, and indicate a need for a better solution.
How can I delegate the ability to delegate?
Keystone’s Roles are the primary indicator of authority in an Open Stack system; the roles a user has determine what operations they can perform. The primary function of Keystone is to map a user to a role in a project. In a system with millions of users, one person, or even a small subset of people, cannot be responsible for assigning all roles to all people. I want to be able to delegate the authority to assign people to roles.
The following article walks through the process of assigning roles to users, and adjusting policy to perform more specific checks in an Open Stack service. To work through this example, all you will need is a working Keystone server.
Third of three articles: Examples. More Examples.
My previous example showed how to create a user using the V3 API. But what if you don’t even have an admin user in your database? How are you going to perform admin operations in a bootstrap scenario? Here’s how to do operations with no user in the database, and to get the database up to the point where you can perform operations directly.
We want your patches for OpenStack, Keystone. Just don’t be surprised when it gets a minus one rating.
Continue reading
I’ve been in tech a while now, and been through a couple of Web site launches, though not for a long time. Technology has glitches, and they get fixed, and then you find the next round. You find out problems when you have users. So, go to the ACA web site, beat the snot out of that thing and report it.
But I will say this: it should be an open source code base. There are a lot of people that want to see this thing succeed, and being able to look at the code is the best way to make that happen. Linus Torvalds, of Linux fame, once said “With enough eyes, all bugs are shallow.” We’ve lived for a long time with the effects of having technology handed to us and being commanded to consume it. “Would you buy a car with the hood welded shut?” And yet, time and time again, that is what we are asked to do.
Why do I make my life harder by using only Linux? Because there is nothing more important to Freedom than information, and nothing more important to free information than having control over the machine that controls your information. Yes, I have to deal with Android, which is sort of Linux, and sort of a black box. I used WebOS (Palm) as long as I could. I do not use Apple products and I do not Use Microsoft products because, when it comes down to it, I want access to my tools.
I wood carve because I like the ability to take a raw material and make something out of it. For thousands of years, we only had simple things that came from the earth. The magic of the smith was available to any that would learn it. Or of the wainwright, or the carpenter. We could fashion our environment with only the tools from our environment. Now we live in a world where these tools are three and for layers abstracted from us. The primary tool that does all this abstraction is the computer. A simple tool that does little more than fetches two numbers from memory, performs basic arithmetic on those numbers, and stores them back in memory. And from this simplest of rules we have machines that can keep us safe , or that can manipulate a tool to fashion a block of wood into whatever shape we can dream of…or anyone can.
Apples was a has-been company until it gave up on trying to write its own preemptive multitasking operating system and decided to build on top of an Open Source one. Its biggest competitor, Microsoft, once capable of putting the final nail in the coffin, bailed it out. Now that same competitor finds itself being edged out of the very market it dominated. At the low end and at the high end, machines built on a foundation of Open Source have ushered in an era of greater stability in computing. Do we forget how we railed against the blue-screen-of-death?
And the Web, that greatest of communication mediums that we have found to date, what made it successful? Open Standards and Open Source. On the server side, sites were powered by Apache, and a slew of nascent new programming languages. Not all was open source. The browser was not, and we saw huge browser incompatibilities. The Netscape/Microsoft battle left Netscape in ruins, but the code that they posted, the Mozilla browser, finally gave us a completely Open Source stack, from Operating System, to user interface, to server, for so many services.
So, yeah, the website that is a key piece of the ACA has problems. Most major web sites do when they are launched. Most minor ones do to. And by most, I mean all. The opponents of the ACA point to it as an example of Government incompetence. Nah. I see it as the latest example of a poor approach to information management. You want security? Use publicly analyzed algorithms and keep your keys secret. You want a solid web site…open the code, and build the security measures on top of best practices. doesn’t matter if you are huge or tiny, if you are doing something brand new, or just exposing your pictures to your friends over the internet.
Of course, as I type this, I realize it is much too long as a rant for Facebook status, and it is something I want to keep. It is mine; I will post it on my blog, running Word Press, on a Linux system running Debian (a competitor to where I work in all the right ways) and finish editing it in emacs. Only then will post it on Facebook.