[openstack-dev] [Keystone] Token Preauthentication

Adam Young ayoung at redhat.com
Wed Oct 10 20:24:01 UTC 2012


On 10/09/2012 10:16 PM, Adam Young wrote:
> One issue that I've been asked about repeatedly is getting a token for 
> an action in the future.  Two use cases for this have come up:
>
> 1.  HEAT and failover.  It needs to move a virtual machine from one 
> host to another.
> 2.  Content production.    Something generates a large file and needs 
> to store it in swift.
>
> In both cases, the user authorizes it at setup time to perform this 
> action any time in the future, long after the token is expired.
>
> To support this, add two new APIs.  One is POST preauthenticate, and 
> the other is GET preauthenticate/{user_id}
>
> When POSTing to preauthenticate,  the user supplies a user that will 
> be allowed to fetch a token at some point in the future.
>
> When GETting tokens/preauthenticated/{user_id}  only the specified 
> user will be able to fetch a token for the user that performed the 
> preauthenticate action.
>
> We could potentially add an additional PATCH to modify a pre-auth 
> arrangement.  We would certainly want a DELETE.
>
> The preauthentication id should be just a UUID.  It should be useless 
> to anyone but the user that creates it.  No other user should be able 
> to view it.  The user should be able to enumerate her 
> preauthentications, in order to view, modify, and delete them. 
> /users/preauthentications
https://blueprints.launchpad.net/keystone/+spec/pre-auth
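As an added illustration of the access rules the proposal describes (owner creates and may list or delete; only the named delegate may later fetch a token for the owner), here is an in-memory model of the four operations. It is not Keystone's code or the blueprint's; the class and method names are assumptions, and the token values are constructed placeholders.

```python
import uuid
from dataclasses import dataclass


@dataclass
class Preauth:
    """One pre-authentication record: owner grants delegate the right to mint a token later."""
    id: str          # opaque UUID, useful to nobody but the owner
    owner_id: str    # user who performed the preauthenticate action
    delegate_id: str # the single user allowed to fetch a token on the owner's behalf


class PreauthStore:
    """Hypothetical in-memory model of the proposed preauthenticate API."""

    def __init__(self):
        self._by_id = {}

    def create(self, owner_id, delegate_id):
        # POST preauthenticate: owner names the user who may fetch a token in the future.
        rec = Preauth(id=str(uuid.uuid4()), owner_id=owner_id, delegate_id=delegate_id)
        self._by_id[rec.id] = rec
        return rec.id

    def list_for(self, owner_id):
        # GET /users/preauthentications: a user enumerates only her own records.
        return [r for r in self._by_id.values() if r.owner_id == owner_id]

    def delete(self, requester_id, preauth_id):
        # DELETE: only the owner may revoke; anyone else gets the same answer as a missing id.
        rec = self._by_id.get(preauth_id)
        if rec is None or rec.owner_id != requester_id:
            return False
        del self._by_id[preauth_id]
        return True

    def fetch_token(self, requester_id, owner_id):
        # GET tokens/preauthenticated/{user_id}: requester must be the delegate named by owner.
        for rec in self._by_id.values():
            if rec.owner_id == owner_id and rec.delegate_id == requester_id:
                # Constructed placeholder token; a real service would issue a scoped token here.
                return {"token": str(uuid.uuid4()), "user_id": owner_id, "via_preauth": rec.id}
        return None
```

Once the owner deletes the record, the delegate's later fetch fails, which is the revocation path the DELETE operation exists for.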


