[openstack-dev] [Keystone] Token Preauthentication
Adam Young
ayoung at redhat.com
Wed Oct 10 20:24:01 UTC 2012
On 10/09/2012 10:16 PM, Adam Young wrote:
> One issue that I've been asked about repeatedly is getting a token for
> an action in the future. Two use cases for this have come up:
>
> 1. HEAT and failover. It needs to move a virtual machine from one
> host to another.
> 2. Content production. Something generates a large file and needs
> to store it in swift.
>
> In both cases, the user authorizes it at setup time to perform this
> action any time in the future, long after the token is expired.
>
> To support this, add two new APIs. One is POST preauthenticate, and
> the other is GET preauthenticate/{user_id}
>
> When POSTing to preauthenticate, the user supplies a user that will
> be allowed to fetch a token at some point in the future.
>
> When GETting tokens/preauthenticated/{user_id} only the specified
> user will be able to fetch a token for the user that performed the
> preauthenticate action.
>
> We could potentially add an additional PATCH to modify a pre-auth
> arrangement. We would certainly want a DELETE.
>
> The preauthentication id should be just a UUID. It should be useless
> to anyone but the user that creates it. No other user should be able
> to view it. The user should be able to enumerate her
> preauthentications, in order to view, modify, and delete them.
> /users/preauthentications
https://blueprints.launchpad.net/keystone/+spec/pre-auth
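
The access rules proposed in the message above, as an added example that is not part of the original post and is not Keystone code. It is an in-memory model: the class name, method names, user ids and the token dictionary are all hypothetical stand-ins.

```python
import uuid


class PreauthStore:
    """Models who may create, list, delete and redeem a preauthentication."""

    def __init__(self):
        # preauth_id -> (grantor_id, delegate_id); the id is just a UUID.
        self._grants = {}

    def create(self, grantor_id, delegate_id):
        # POST preauthenticate: the grantor names the user allowed to
        # fetch a token on the grantor's behalf later.
        preauth_id = str(uuid.uuid4())
        self._grants[preauth_id] = (grantor_id, delegate_id)
        return preauth_id

    def list_for(self, caller_id):
        # Enumeration only ever returns the caller's own preauthentications,
        # so no other user can view the ids.
        return sorted(p for p, (g, _) in self._grants.items() if g == caller_id)

    def delete(self, caller_id, preauth_id):
        # Only the creator may delete. Unknown ids and ids owned by someone
        # else produce the same error, so the id is useless to other users.
        grant = self._grants.get(preauth_id)
        if grant is None or grant[0] != caller_id:
            raise PermissionError("not found")
        del self._grants[preauth_id]

    def fetch_token(self, caller_id, grantor_id):
        # GET .../{user_id}: succeeds only if grantor_id has named caller_id.
        for g, d in self._grants.values():
            if g == grantor_id and d == caller_id:
                # Placeholder token; a real service would issue a scoped,
                # short-lived token here.
                return {"user_id": grantor_id, "issued_to": caller_id,
                        "token_id": uuid.uuid4().hex}
        raise PermissionError("no preauthentication for this caller")
```

Note that the caller identity passed to each method has to come from the caller's own authenticated request, never from the request body, or the delegate check is meaningless.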