[keystone] naming case sensitive or not?


[keystone] naming case sensitive or not?

Hua ZZ Zhang

Dears,

I have a question about the case sensitivity of keystone naming, such as user name, tenant name, role name.
Are they case sensitive or not?

I tested the commands below but it failed, so my conclusion is that it is case insensitive.
keystone user-create --name Usera --pass xyz
keystone user-create --name UserA --pass xyz

Best Regards,


    Edward Zhang(张华)
    Advisory Software Engineer
    Software Standards & Open Source Software
    Emerging Technology Institute(ETI)
    IBM China Software Development Lab
    e-mail: [hidden email]
    Notes ID: Hua ZZ Zhang/China/IBM
    Tel: 86-10-82450483


_______________________________________________
OpenStack-dev mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [keystone] naming case sensitive or not?

Dolph Mathews
That's basically up to the identity driver in use -- for example, with the SQL driver, if your database is case sensitive, then keystone will be as well.

If the driver is case sensitive, you should have gotten a 409 Conflict back on your second example command.


-Dolph


On Thu, Mar 28, 2013 at 5:57 AM, Hua ZZ Zhang <[hidden email]> wrote:
> Dears,
>
> I have a question about the case sensitivity of keystone naming, such as user name, tenant name, role name.
> Are they case sensitive or not?
>
> I tested the commands below but it failed, so my conclusion is that it is case insensitive.
> keystone user-create --name Usera --pass xyz
> keystone user-create --name UserA --pass xyz

Re: [keystone] naming case sensitive or not?

Samuel Merritt
On 3/28/13 8:06 AM, Dolph Mathews wrote:
> That's basically up to the identity driver in use -- for example, with
> the SQL driver, if your database is case sensitive, then keystone will
> be as well.

That raises an interesting question about authorization with Keystone.

In Swift, we have container ACLs that are of one of three* forms:

(A) tenant_name:user_id
(B) tenant_id:user_id
(C) *:user_id

Form A is the interesting one here. Let's say I have a container on
which I have set a read ACL of "CamelCorp:12345". Then, a request comes
in, and when Swift's keystoneauth middleware** gets called, it sees that
the tenant name retrieved from Keystone is "Camelcorp" (different
case!), and the user id is 12345 (a match).

Should that request be allowed or not?


* okay, there's the .r: stuff for referrer-based ACLs, but that's not
germane to this discussion

** swift.common.middleware.keystoneauth.KeystoneAuth, for those who wish
to read the code


Re: [keystone] naming case sensitive or not?

Dolph Mathews

On Fri, Mar 29, 2013 at 12:02 AM, Samuel Merritt <[hidden email]> wrote:
> On 3/28/13 8:06 AM, Dolph Mathews wrote:
> > That's basically up to the identity driver in use -- for example, with
> > the SQL driver, if your database is case sensitive, then keystone will
> > be as well.
>
> That raises an interesting question about authorization with Keystone.
>
> In Swift, we have container ACLs that are of one of three* forms:
>
> (A) tenant_name:user_id
> (B) tenant_id:user_id
> (C) *:user_id
>
> Form A is the interesting one here. Let's say I have a container on which I have set a read ACL of "CamelCorp:12345". Then, a request comes in, and when Swift's keystoneauth middleware** gets called, it sees that the tenant name retrieved from Keystone is "Camelcorp" (different case!), and the user id is 12345 (a match).
>
> Should that request be allowed or not?

Absolutely not -- I didn't mean to suggest that case-insensitivity should be supported. What I meant to suggest was that if you're seeing case-insensitivity, something is either misconfigured or broken in keystone's backend/driver.

As you alluded to the ID examples not being "interesting", it's worth pointing out that's because IDs are all lowercase anyway (generally produced by uuid4().hex), so there's not any risk there.

I also wrote some tests to ensure case sensitivity within identity drivers as I think it's worth being paranoid about: https://review.openstack.org/#/c/25713/

> * okay, there's the .r: stuff for referrer-based ACLs, but that's not germane to this discussion
>
> ** swift.common.middleware.keystoneauth.KeystoneAuth, for those who wish to read the code
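
Added example, not part of the thread and not Keystone's or Swift's code: it shows how the collation of the name column decides whether "CamelCorp" and "Camelcorp" can coexist, and how an ACL check of forms A, B and C behaves when names are compared exactly versus with case folded. SQLite's BINARY and NOCASE collations stand in for a case-sensitive and a case-insensitive database; `create_names`, `acl_allows`, `fold_case` and the tenant IDs are hypothetical names and constructed values.

```python
import sqlite3

def create_names(collation, names):
    """Insert names into a UNIQUE column that uses the given SQLite collation.

    Returns one outcome per name: "created", or "conflict" when the unique
    constraint rejects the insert.
    """
    if collation not in ("BINARY", "NOCASE"):  # fixed whitelist, never user input
        raise ValueError(collation)
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE tenant (name TEXT COLLATE {collation} UNIQUE)")
    outcomes = []
    for name in names:
        try:
            db.execute("INSERT INTO tenant (name) VALUES (?)", (name,))
            outcomes.append("created")
        except sqlite3.IntegrityError:
            outcomes.append("conflict")
    db.close()
    return outcomes

def acl_allows(acl, tenant_id, tenant_name, user_id, fold_case=False):
    """Check a token's identity against ACL entries of forms A, B and C.

    fold_case=True models a consumer that ignores case in tenant names. It
    exists only to show the mismatch; names should be compared exactly.
    """
    norm = str.casefold if fold_case else (lambda s: s)
    for entry in acl:
        tenant, _, user = entry.rpartition(":")
        if user != user_id:
            continue
        if tenant in ("*", tenant_id):                # forms C and B
            return True
        if norm(tenant) == norm(tenant_name):         # form A
            return True
    return False

if __name__ == "__main__":
    names = ["CamelCorp", "Camelcorp"]                # constructed sample names
    print("BINARY:", create_names("BINARY", names))
    print("NOCASE:", create_names("NOCASE", names))
    acl = ["CamelCorp:12345"]                         # read ACL from the thread
    # Token for a different tenant whose name differs only in case.
    print("exact :", acl_allows(acl, "tid-b", "Camelcorp", "12345"))
    print("folded:", acl_allows(acl, "tid-b", "Camelcorp", "12345", fold_case=True))
```

When the backend stores both names as distinct tenants, only the exact comparison keeps the second tenant out of the first tenant's container.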

