[openstack-dev] [Keystone] Token Preauthentication

Matt Joyce matt.joyce at cloudscaling.com
Wed Oct 10 02:44:02 UTC 2012


The only reason I've heard of for creating long term use tokens was for
kerb environments in which one was operating remotely and could not
authenticate to a KDC and so needed a long lived ticket to authenticate to
services while outside of a KDC's trusted space.

For the use cases you are describing I wonder if what you really need is
not a token but a new style of account entirely.  And by new I mean just a
clarification of things like the api-paste.ini accounts.  A service
account... or maybe a service ticket / token?

Just food for thought.

On Tue, Oct 9, 2012 at 7:16 PM, Adam Young <ayoung at redhat.com> wrote:

> One issue that I've been asked about repeatedly is getting a token for an
> action in the future.  Two use cases for this have come up:
>
> 1.  HEAT and failover.  It needs to move a virtual machine from one host
> to another.
> 2.  Content production.    Something generates a large file and needs to
> store it in swift.
>
> In both cases, the user authorizes it at setup time to perform this
> action any time in the future, long after the token is expired.
>
> To support this, add two new APIs.  One is POST preauthenticate, and the
> other is GET preauthenticate/{user_id}
>
> When POSTing to preauthenticate,  the user supplies a user that will be
> allowed to fetch a token at some point in the future.
>
> When GETting tokens/preauthenticated/{user_id} only the specified user
> will be able to fetch a token for the user that performed the
> preauthenticate action.
>
> We could potentially add an additional PATCH to modify a pre-auth
> arrangement.  We would certainly want a DELETE.
>
> The preauthentication id should be just a UUID.  It should be useless to
> anyone but the user that creates it.  No other user should be able to view
> it.  The user should be able to enumerate her preauthentications, in order
> to view, modify, and delete them. /users/preauthentications
>
> Comments?
>
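As an added illustration (not code from the thread, and not Keystone's own implementation), a minimal in-memory model of the access rules Adam sketches: a grantor creates a preauthentication naming one grantee, only that grantee can redeem it for a token scoped to the grantor, and only the grantor can enumerate or delete it. The class and method names are assumptions; callers are taken to be already authenticated by some other means.

```python
import time
import uuid
from dataclasses import dataclass

class AuthorizationError(Exception):
    """One error for every failed lookup, so callers cannot probe for grants."""

@dataclass
class Preauth:
    id: str            # opaque UUID, visible only to the grantor
    grantor_id: str    # user who performed POST preauthenticate
    grantee_id: str    # the only user allowed to redeem it
    revoked: bool = False

class PreauthStore:
    """In-memory model of the proposed resource (hypothetical, not Keystone's).
    Callers are assumed to be already authenticated, so caller_id is trusted."""

    def __init__(self):
        self._grants = {}

    def create(self, caller_id, grantee_id):
        """POST preauthenticate: the caller names who may fetch a token later."""
        grant = Preauth(str(uuid.uuid4()), caller_id, grantee_id)
        self._grants[grant.id] = grant
        return grant.id

    def fetch_token(self, caller_id, user_id, ttl=3600):
        """GET tokens/preauthenticated/{user_id}: only a user whom user_id
        preauthenticated gets a token; it is scoped to the grantor but records
        who redeemed it so audit logs can tell delegated use apart."""
        ok = any(g.grantor_id == user_id and g.grantee_id == caller_id
                 and not g.revoked for g in self._grants.values())
        if not ok:
            raise AuthorizationError("preauthentication not found")
        return {"id": str(uuid.uuid4()), "user_id": user_id,
                "obtained_by": caller_id, "expires": time.time() + ttl}

    def list_for(self, caller_id):
        """GET /users/preauthentications: a user enumerates only her own grants."""
        return [g.id for g in self._grants.values()
                if g.grantor_id == caller_id and not g.revoked]

    def revoke(self, caller_id, preauth_id):
        """DELETE: only the grantor may revoke; an unknown id and another
        user's id fail identically."""
        grant = self._grants.get(preauth_id)
        if grant is None or grant.grantor_id != caller_id:
            raise AuthorizationError("preauthentication not found")
        grant.revoked = True
```

A real service would persist the grants, log every redemption with the `obtained_by` field, and expire grants that are never used.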