[openstack-dev] [Keystone] Access-key like authentication with password-rotation

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Jan 16 10:48:40 UTC 2014


I'd like to check in on this authentication mechanism.
Keystone should have some kind of apiKey in order to prevent developer
from storing their credential (username/password) in clear text
configuration file.

There are two blueprints that can tackle this feature, yet they
are both in needs of approval


I believe the access-key-authentication have been superseded by the
password-rotation. Meaning:
* The user create a secondary password.
* He can use this new password to authenticate API request
  with the credential_id + password.
* He won't be able to login to Horizon as it will try to authenticate
  with the user_id + password (Keystone will match those against the
* API request like password change should be denied if the user didn't
  used his "default_credential_id".

Did I get this right ?

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140116/3de6de18/attachment.pgp>

More information about the OpenStack-dev mailing list