[Openstack] Authentication and Authorisation in Keystone

Dolph Mathews dolph.mathews at RACKSPACE.COM
Tue Sep 6 20:51:01 UTC 2011


Based on this discussion, I think keystone needs to clearly document that it provides authentication services only. The *only* authorization keystone performs is for keystone admins performing keystone admin calls (creating a new role in keystone, for example). Keystone consumers are currently left to perform their own authorization after keystone has authenticated a client.

-Dolph

On 09/06/2011 02:56 PM, Brian Lamar wrote:

Authentication is the act of acquiring a valid "token" from Keystone. That token can be used to prove that you have recently been authenticated. I see one point where you call this token an "authorization token". This might be one of the issues because I would most certainly refer to that token as an "authentication token". The token itself implies no sort of authorization, only that the user was authenticated (thus it should be called an authentication token).

I absolutely agree that the second paragraph should start with "Authorization", however I think the two "auth" terms are used 100% correctly in the first paragraph, as authorization is not being discussed.


-----Original Message-----
From: "Nathan Sowatskey" <nsowatsk at cisco.com>
Sent: Tuesday, September 6, 2011 7:07am
To: openstack at lists.launchpad.net
Subject: [Openstack] Authentication and Authorisation in Keystone

http://forums.openstack.org/viewtopic.php?f=23&t=268&p=955#p955

Hi

I am trying to understand the role that authorisation plays in Keystone, as I don't see any mention of it in the identitydevguide.pdf.

In other identity systems such as SAML or OAuth, authentication is used to obtain a token that is used for authorisation; either a SAML assertion or an OAuth token. Separating authentication and authorisation is normal practice for a variety of reasons that are well discussed elsewhere. For example:

http://www.duke.edu/~rob/kerberos/authvauth.html

In the devguide we have, for example, this section:

"Most calls on the Admin API require authentication. The only calls available without authentication are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get a token.

Authentication is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

I would have expected that to say:

"Most calls on the Admin API require *authorisation*. The only calls available without *authorisation* are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get an *authorisation* token.

*Authorisation* is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

It is often the case that authentication and authorisation are mixed up by people new to the field, and that may be what is happening here.

Does anyone have any thoughts on this please?

Many thanks

Nathan

This email may include confidential information. If you received it in error, please delete it.
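The authenticate-then-authorise split Dolph describes, applied to the Admin API call quoted in Nathan's message, as an added example that is not part of the thread or of Keystone's own code; the token table, user names and timestamp are constructed stand-ins for a Keystone token store.

```python
# Constructed stand-in for Keystone's token store: token -> (user, roles, expiry).
# A real consumer would validate the token against Keystone rather than a local table.
NOW = 1315342261  # constructed epoch timestamp (Tue Sep 6 2011)
TOKENS = {
    "tok-alice": {"user": "alice", "roles": ["Member"], "expires": NOW + 3600},
    "tok-bob":   {"user": "bob",   "roles": ["Admin"],  "expires": NOW + 3600},
    "tok-stale": {"user": "carol", "roles": ["Admin"],  "expires": NOW - 60},
}


def authenticate(token, now=NOW):
    """Authentication: map an X-Auth-Token value to the identity that holds it.

    Returns the identity (user plus roles) or None when the token is unknown
    or expired. Nothing here decides what the identity may do.
    """
    entry = TOKENS.get(token)
    if entry is None or entry["expires"] <= now:
        return None
    return {"user": entry["user"], "roles": list(entry["roles"])}


def authorize(identity, required_role):
    """Authorization: a separate decision by the consuming service, based on
    the authenticated identity's roles, not on mere possession of a token."""
    return identity is not None and required_role in identity["roles"]


def handle_admin_call(headers, now=NOW):
    """Model of an Admin API call: authenticate first, then authorize.

    Returns an HTTP-style status so the two failure modes stay distinct:
    401 when no valid token was presented, 403 when the caller is known
    but lacks the Admin role, 200 otherwise.
    """
    token = headers.get("X-Auth-Token")
    identity = authenticate(token, now) if token else None
    if identity is None:
        return 401  # not authenticated
    if not authorize(identity, "Admin"):
        return 403  # authenticated, but not authorised for admin calls
    return 200


if __name__ == "__main__":
    for tok in ("tok-alice", "tok-bob", "tok-stale", "tok-forged"):
        print(tok, handle_admin_call({"X-Auth-Token": tok}))
```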