[openstack-dev] [Keystone] Token Preauthentication
Matt Joyce
matt.joyce at cloudscaling.com
Wed Oct 10 02:44:02 UTC 2012
The only reason I've heard of for creating long term use tokens was for
kerb environments in which one was operating remotely and could not
authenticate to a KDC and so needed a long lived ticket to authenticate to
services while outside of a KDC's trusted space.
For the use cases you are describing I wonder if what you really need is
not a token but a new style of account entirely. And by new I mean just a
clarification of things like the api-paste.ini accounts. A service
account... or maybe a service ticket / token?
Just food for thought.
On Tue, Oct 9, 2012 at 7:16 PM, Adam Young <ayoung at redhat.com> wrote:
> One issue that I've been asked about repeatedly is getting a token for an
> action in the future. Two use cases for this have come up:
>
> 1. HEAT and failover. It needs to move a virtual machine from one host
> to another.
> 2. Content production. Something generates a large file and needs to
> store it in swift.
>
> In both cases, the users authorizes it at setup time to perform this
> action any time in the future, long after the token is expired.
>
> To support this, add two new APIs. One is POST preauthenticate, and the
> other is GET preauthenticate/{user_id}
>
> When POSTing to preauthenticate, the user supplies a user that will be
> allowed to fetch a token at some point in the future.
>
> When GETting tokens/preauthenticated/{user_id} only the specified user
> will be able to fetch a token for the user that performed the
> preauthenticate action.
>
> We could potentially add an additional PATCH to modify a pre-auth
> arrangement. We would certainly want a DELETE.
>
> The preauthentication id should be just a UUID. It should be useless to
> anyone but the user that creates it. No other user should be able to view
> it. The user should be able to enumerate her preauthentications, in order
> to view, modify, and delete them. /users/preauthentications
>
> Comments?
>