[openstack-dev] [all][keystone][product] api keys/application specific passwords

Colleen Murphy colleen at gazlene.net
Tue May 16 05:06:29 UTC 2017

On Sun, May 14, 2017 at 6:59 PM, Monty Taylor <mordred at inaugust.com> wrote:

> On 05/11/2017 02:32 PM, Lance Bragstad wrote:
>> Hey all,
>> One of the Baremetal/VM sessions at the summit focused on what we need
>> to do to make OpenStack more consumable for application developers [0].
>> As a group we recognized the need for application specific passwords or
>> API keys and nearly everyone (above 85% is my best guess) in the session
>> thought it was an important thing to pursue. The API
>> key/application-specific password specification is up for review [1].
>> The problem is that with all the recent churn in the keystone project,
>> we don't really have the capacity to commit to this for the cycle. As a
>> project, we're still working through what we've committed to for Pike
>> before the OSIC fallout. It was suggested that we reach out to the PWG
>> to see if this is something we can get some help on from a keystone
>> development perspective. Let's use this thread to see if there is any way
>> we can better enable the community through API keys/application-specific
>> passwords by seeing if anyone can contribute resources to this effort.
>
> In the session, I signed up to help get the spec across the finish line.
> I'm also going to do my best to write up something resembling a user story
> so that we're all on the same page about what this is, what it isn't and
> what comes next.
> I probably will not have the time to actually implement the code - but if
> the PWG can help us get resources allocated to this I'll be happy to help
> them.

If anyone's counting, here are the current open specs (that I've found)
that attempt to address, in slightly different ways, the slightly different
use cases for API keys (not including the open specs to overhaul policy):

 - https://review.openstack.org/#/c/186979 - Subset tokens
 - https://review.openstack.org/#/c/389870 - Adding user credentials and
   delegating role assignments to credential types
 - https://review.openstack.org/#/c/396634 - Standalone trusts
 - https://review.openstack.org/#/c/440593 - API keys
 - https://review.openstack.org/#/c/450415 - Application keys

Additionally, I think OAuth - either extending the existing OAuth1.0 plugin
or implementing OAuth2.0 - should probably be on the table.
