[openstack-dev] [Keystone] Access-key like authentication with password-rotation

Allamaraju, Subbu subbu at subbu.org
Mon Jan 20 07:00:03 UTC 2014

At work we're currently looking at related use cases, and access keys are useful without keystone actually managing passwords. The only issue with https://blueprints.launchpad.net/keystone/+spec/access-key-authentication is that it requires client side code changes, which is a non-starter in many cases. HP cloud has a similar API (http://docs.hpcloud.com/api/identity) in their public cloud - but it too requires client code changes.


On Jan 16, 2014, at 2:48 AM, Tristan Cacqueray <tristan.cacqueray at enovance.com> wrote:

> Hi,
> I'd like to check in on this authentication mechanism.
> Keystone should have some kind of apiKey in order to prevent developer
> from storing their credential (username/password) in clear text
> configuration file.
> There are two blueprints that can tackle this feature, yet they
> are both in needs of approval
> https://blueprints.launchpad.net/keystone/+spec/access-key-authentication
> https://blueprints.launchpad.net/keystone/+spec/password-rotation
> I believe the access-key-authentication have been superseded by the
> password-rotation. Meaning:
> * The user create a secondary password.
> * He can use this new password to authenticate API request
>  with the credential_id + password.
> * He won't be able to login to Horizon as it will try to authenticate
>  with the user_id + password (Keystone will match those against the
>  "default_credential_id".)
> * API request like password change should be denied if the user didn't
>  used his "default_credential_id".
> Did I get this right ?
> Best regards,
> Tristan
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list