Trusts and Role Based Access Control for OpenStack

Bearer tokens are vulnerable to replay attacks. OK, so what are our options? Something where the user proves, via cryptography, that they have the right to actually use the token. It doesn’t matter whether it is X509, Kerberos, or something we cook up ourselves; it is going to resolve to proving you have the right to use that token.

If tokens must be validated by their owner, we effectively break the ability of OpenStack to hand around bearer tokens to get work done. We are going to have to get a lot of things right in order to keep from breaking things. Fortunately, we now have the tools to work around this, and to better secure an OpenStack system: Trusts and Role Based Access Control.

Preauthorization in Keystone

“I’ll gladly pay you Tuesday for a hamburger today.” – Wimpy, from the Popeye cartoon.

Sometimes you need to authorize a service to perform an action on your behalf. Often, that action takes place long after any authentication token you can provide would have expired. Currently, the only mechanism in Keystone that people can use is to share credentials. We can do better.


Signed Authentication and Authorization

OpenStack Keystone currently relies on on-line validation for tokens. Once a token is issued, each of the systems presented with the token has to check its validity with the Keystone server. This makes Keystone the highest-traffic service in an OpenStack deployment. Using Cryptographic Message Syntax (CMS) we can generate a token that can be verified using public key cryptography instead of making a network call. Here’s a proof-of-concept example using the command line tools.
