It seems that most of the confusion is around the conflicting terminology of the EC2 and Rackspace apis. I doubt either of those can really change, but there isn't a reason that both auth methods can be supported. As an example this is already done in the S3 compatibility layer for Swift. <div>
<br></div><div>--</div><div>Chuck<br><br><div class="gmail_quote">On Wed, Feb 23, 2011 at 7:56 PM, Justin Santa Barbara <span dir="ltr"><<a href="mailto:justin@fathomdb.com">justin@fathomdb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I previously fixed OpenStack authentication so it would use the same credentials as EC2. This bugfix was just reverted, because it caused OpenStack API users to have to enter in different credentials (sorry!), but primarily because it hadn't been discussed on the mailing list. So here goes!<div>
<br></div><div>Here's a blueprint: <a href="https://blueprints.launchpad.net/nova/+spec/authentication-consistency" target="_blank">https://blueprints.launchpad.net/nova/+spec/authentication-consistency</a></div><div>
<br></div><div>Here's an overview of the problem:</div>
<div><br></div><div>EC2 uses an (api_key, api_secret) pair. Post-revert, OpenStack uses the api_key(!) as the password, but a different value entirely as the username: (username, api_key). The bugfix made it so that both APIs used the EC2 credentials (api_key, api_secret) . This did mean that anyone that had saved the 'bad' OpenStack credentials was unable to continue to use those credentials. I also overlooked exporting the updated credentials in novarc (though a merge request was pending).</div>
<div><br></div><div>I actually thought originally that this was a straight-up bug, rather than a design 'decision', so I should definitely have flagged it better. Again, sorry to those I impacted.</div><div><br>
</div>
<div><div>As things stand now, post-revert, this is probably a security flaw, because the EC2 API does not treat the api_key as a secret. The EC2 API can (relatively) safely be run over non-SSL, because it uses signatures instead of passing the shared secret directly.</div>
<div><br></div></div><div>This is also not very user-friendly. Post-revert, an end-user must know whether any particular cloud tool uses the EC2 API or the OpenStack API, so that they can enter in the correct pair of credentials. That doesn't seem like a good idea; I think there should be one set of credentials.<br>
<br></div><div>There is some discussion about the idea of having the api_key be user-friendly. I don't think it buys us anything, because the api_secret is still going to be un-friendly, but I have no objection as long as it is does in a way that does not break existing users of the EC2 API.</div>
<div><br></div><div>I propose that:</div><div> (1) the OpenStack API and EC2 credentials should be the same as each other (whatever they are) for the sake of our collective sanity and</div><div> (2) we have to change the current configuration anyway for security reasons.</div>
<div> (3) We should not change the EC2 credentials, because we've shipped the EC2 API and our users have an expectation that we won't break them without good reason, so</div><div> (4) we must change the credentials for users of the (non-shipped) OpenStack API.</div>
<div><br></div><div>Estimated user impact: I believe there are two people that will be affected, and it will take them ~1 minute each, so total impact ~2 minutes.</div><div><br></div><div>The longer we delay fixing this, the more people we break and the bigger the impact. It seems that we have no choice but to do a non-backwards-compatible authentication change, but I believe this is OK at the moment because the OpenStack API is not yet stable/released - i.e. we can still make fixes without worrying about backwards compatibility shims. We're not in "The Old New Thing" land yet :-)</div>
<div><br></div><div><br></div><div><br></div><div>As an aside, I am very unhappy about the way this revert was pushed through by Rackspace team-members, seemingly without much consideration of alternatives. Perhaps we should consider changing from needing two core-approves, to needing one Rackspace core-approve and one non-Rackspace core-approve.</div>
<div><br></div><font color="#888888"><div><br></div><div>Justin</div><div><br><br><br>
</div>
</font><br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>