[openstack-dev] A vision for Keystone

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Fri Jul 26 16:26:31 UTC 2013


Adam,

Which Havana Blueprint provides support for the feature you mention in your article below?

To move beyond bearer tokens requires multiple steps. In order to link the token to a user, the user needs to use a secure authentication mechanism, and then link the token to that mechanism. A mechanism for that will be present in the Havana release. Its use will be optional to start; once we disable bearer tokens, we risk breaking the entire OpenStack system. If tokens must be bound to the user that initially requested them, how can a system call second and third system to do work on behalf of the user? If a token can only be used for a specific system, how can a workflow progress across multiple systems?
Thanks,

Mark

From: Adam Young [mailto:ayoung at redhat.com]
Sent: Thursday, July 25, 2013 6:53 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] A vision for Keystone

On 07/19/2013 10:56 AM, Brad Topol wrote:
Adam,

Your essay below is outstanding!  Any chance part of it could be included within the keystone project documentation?  I think having it in the project  and at folks fingertips would really help folks that are trying to get up to speed with keystone!
Thanks for the input.  I think it could be included in the future, but we have along way to go to implement this vision, and we are moving toward it one step at a time. When we are closer, I will revise the essay to reflect reality and maybe more relevant details.  At that point, yes, it can be part of the documentation.




Thanks again for writing this up!

--Brad

Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet:  btopol at us.ibm.com<mailto:btopol at us.ibm.com>
Assistant: Cindy Willman (919) 268-5296



From:        Adam Young <ayoung at redhat.com><mailto:ayoung at redhat.com>
To:        OpenStack Development Mailing List <openstack-dev at lists.openstack.org><mailto:openstack-dev at lists.openstack.org>
Date:        07/18/2013 02:21 PM
Subject:        [openstack-dev] A vision for Keystone
________________________________



I wrote up an essay that, I hope, explains where Keystone is headed as
far as token management.

http://adam.younglogic.com/2013/07/a-vision-for-keystone/

It is fairly long (2000 words) but I attempted to make it readable, and
to provide the context for what we are doing.

There are several blueprints for this work, many of which have already
been implemented. There is at least one that I still need to write up.

This is not new stuff.  It is just an attempt to cleanly lay out the story.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






_______________________________________________

OpenStack-dev mailing list

OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130726/4873df56/attachment.html>


More information about the OpenStack-dev mailing list