<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/26/2013 12:26 PM, Miller, Mark M
(EB SW Cloud - R&D - Corvallis) wrote:<br>
</div>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B35D33B@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Adam,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Which
Havana Blueprint provides support for the feature you
mention in your article below?</span></p>
</div>
</blockquote>
<br>
<a class="moz-txt-link-freetext" href="https://blueprints.launchpad.net/keystone/+spec/authentication-tied-to-token">https://blueprints.launchpad.net/keystone/+spec/authentication-tied-to-token</a><br>
It has been implemented, so it doesn't show up in the list of active
blueprints, but you can see it targeted for H2<br>
<br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/keystone/+milestone/havana-2">https://launchpad.net/keystone/+milestone/havana-2</a><br>
<br>
<br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B35D33B@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p style="margin-left:.5in;background:white"><span
style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#373737">To
move beyond bearer tokens requires multiple steps. In order
to link the token to a user,
<span style="background:yellow;mso-highlight:yellow">the
user needs to use a secure authentication mechanism, and
then link the token to that mechanism. A mechanism for
that will be present in the Havana release</span>. Its use
will be optional to start; once we disable bearer tokens, we
risk breaking the entire OpenStack system. If tokens must be
bound to the user that initially requested them, how can a
system call a second and third system to do work on behalf of
the user? If a token can only be used for a specific system,
how can a workflow progress across multiple systems?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Adam Young [<a class="moz-txt-link-freetext" href="mailto:ayoung@redhat.com">mailto:ayoung@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, July 25, 2013 6:53 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> Re: [openstack-dev] A vision for
Keystone<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 07/19/2013 10:56 AM, Brad Topol wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Adam,</span>
<br>
<br>
<span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Your
essay below is outstanding! Any chance part of it could
be included within the keystone project documentation? I
think having it in the project and at folks' fingertips
would really help folks that are trying to get up to speed
with keystone!</span> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal">Thanks for the input. I think it could be
included in the future, but we have a long way to go to
implement this vision, and we are moving toward it one step at
a time. When we are closer, I will revise the essay to reflect
reality and maybe more relevant details. At that point, yes,
it can be part of the documentation.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><br>
<span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">Thanks
again for writing this up!</span>
<br>
<br>
<span
style="font-size:10.0pt;font-family:"Arial","sans-serif"">--Brad</span>
<br>
<span
style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
Brad Topol, Ph.D.<br>
IBM Distinguished Engineer<br>
OpenStack<br>
(919) 543-0646<br>
Internet: <a moz-do-not-send="true"
href="mailto:btopol@us.ibm.com">btopol@us.ibm.com</a><br>
Assistant: Cindy Willman (919) 268-5296</span> <br>
<br>
<br>
<br>
<span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">From:
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif"">Adam
Young
<a moz-do-not-send="true" href="mailto:ayoung@redhat.com">&lt;ayoung@redhat.com&gt;</a></span>
<br>
<span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">To:
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif"">OpenStack
Development Mailing List
<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">&lt;openstack-dev@lists.openstack.org&gt;</a></span>
<br>
<span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Date:
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif"">07/18/2013
02:21 PM</span>
<br>
<span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F">Subject:
</span><span
style="font-size:7.5pt;font-family:"Arial","sans-serif"">[openstack-dev]
A vision for Keystone</span>
<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr style="color:#A0A0A0" align="center" noshade="noshade"
size="2" width="100%">
</div>
<p class="MsoNormal"><br>
<br>
<br>
<tt><span style="font-size:10.0pt">I wrote up an essay that, I
hope, explains where Keystone is headed as
</span></tt><span
style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>far as token management.</tt><br>
<br>
</span><a moz-do-not-send="true"
href="http://adam.younglogic.com/2013/07/a-vision-for-keystone/"><tt><span
style="font-size:10.0pt">http://adam.younglogic.com/2013/07/a-vision-for-keystone/</span></tt></a><span
style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>It is fairly long (2000 words) but I attempted to make
it readable, and </tt>
<br>
<tt>to provide the context for what we are doing.</tt><br>
<br>
<tt>There are several blueprints for this work, many of
which have already </tt><br>
<tt>been implemented. There is at least one that I still
need to write up.</tt><br>
<br>
<tt>This is not new stuff. It is just an attempt to cleanly
lay out the story.</tt><br>
<br>
<tt>_______________________________________________</tt><br>
<tt>OpenStack-dev mailing list</tt><br>
<tt><a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a></tt><br>
</span><a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><span
style="font-size:10.0pt">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></tt></a><span
style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
</span><br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
</blockquote>
<br>
</body>
</html>