openstack keystone tokens and CDMI server

96 views
Skip to first unread message

Ilja Livenson

unread,
Sep 2, 2013, 9:33:28 AM9/2/13
to snia-...@googlegroups.com
Hi,

I'm working on integrating openstack keystone authentication (crypto-based) into a CDMI server.

Technically speaking, the credential information from keystone is propagated via a custom header, parsed by the server. Could anyone help me to understand what is the most correct way for making it CDMI-compliant? It's basically a parallel method digest/basic rest authn.

thanks,
Ilya

byte_2702

unread,
Sep 4, 2013, 11:21:10 AM9/4/13
to snia-...@googlegroups.com
Hello Ilya,

I don't know OpenStack that much and I don't work or SNIA. Regarding to the official ISO/IEC CDMI 1.0.2 specification, CDMI supports HTTP basic authentication, Cipher Suites and digital certificates (X.509v3) via HTTP and/or HTTP over TLS. They suggest HTTP over TLS. The HTTP basic authentication is described in RFC 2616 and RFC 2617 (http://www.rfc-editor.org/search/rfc_search.php), Cipher suites in RFC 2246 and digital certiicates in RFC 3280. If the authentification is successful, the server shall respond with HTTP status code 200, otherwise with HTTP status code 401.

More detailed information in the ISO/IEC CDMI 1.0.2 specification on pages 218-223 (the document has 228 pages and has the number ISO/IEC 17826:2012(E)).

I hope that helps, Jana

Mark Carlson

unread,
Sep 4, 2013, 11:26:05 AM9/4/13
to snia-...@googlegroups.com
You might want to look at:

https://github.com/osaddon/cdmi

Although I doubt it has been updated for the latest Keystone - but they may accept your put-backs.

At this point, this would be an additional authentication scheme to the standard ones in CDMI, so would not have anything to do with compliance. As Jana says, the only schemes that are compliant are listed as she says.

-- mark
--
You received this message because you are subscribed to the Google Groups "SNIA Cloud" group.
To unsubscribe from this group and stop receiving emails from it, send an email to snia-cloud+...@googlegroups.com.
To post to this group, send email to snia-...@googlegroups.com.
Visit this group at http://groups.google.com/group/snia-cloud.
For more options, visit https://groups.google.com/groups/opt_out.

Ilja Livenson

unread,
Sep 4, 2013, 11:56:37 AM9/4/13
to snia-...@googlegroups.com
Hi, Jana, Mark

thanks for replies!

@Jana: Right, I've read that much, however when integration task is at hands, exact compliancy becomes a bit of an obstacle.

@Mark: does the phrase 'at this point' hint at the ongoing work to make OpenStack integration smoother? :)

thanks,
Ilya

Mark Carlson

unread,
Sep 4, 2013, 12:01:50 PM9/4/13
to snia-...@googlegroups.com
For CDMI 1.1 - we are separating out the security section from CDMI proper and pointing to a future Storage Security Standard in the works from SNIA.

-- mark

byte_2702

unread,
Sep 4, 2013, 3:17:17 PM9/4/13
to snia-...@googlegroups.com, paul....@desy.de
Hi Mark,

Have you seen my other post?
I'm having problems with the current CDMI RI.
It gives me two wrong results regarding your test file. I use the original CDMI RI, with no changes.
The same problem occurs on different computers.
So my question was if the CDMI RI is wrong or if I only have that problem.
Or does someone else could execute the current CDMI RI without any problems?

We try to connect CDMI with a mass-storage management system.

Many thanks, Jana

Mark Carlson

unread,
Sep 4, 2013, 4:05:07 PM9/4/13
to snia-...@googlegroups.com
Hi Jana,

I did receive your other email on the broken tests. We may have introduced a regression in the latest version.

I will look into it in my copious free time ;-)

-- mark

byte_2702

unread,
Sep 4, 2013, 4:11:25 PM9/4/13
to snia-...@googlegroups.com
Many thanks to you!!! :-)))

David Slik

unread,
Sep 17, 2013, 2:31:40 PM9/17/13
to snia-...@googlegroups.com, Ilja Livenson
CDMI is designed on top of HTTP, so any HTTP header-based authentication mechanism can be used together with CDMI. Like with HTTP Basic and Digest, once you get the user's principal, you evaluate it against the domain associated with the object being accessed, and use the result to evaluate the ACL.

Thanks,

David Slik

Technical Director, Object Storage, NetApp, Inc.
Co-chair, SNIA Cloud Storage Technical Working Group


Reply all
Reply to author
Forward
0 new messages