[openstack-dev] [nova][keystone] Message Queue Security

Simo Sorce simo at redhat.com
Thu Apr 25 19:19:42 UTC 2013


On Thu, 2013-04-25 at 19:55 +0100, David Chadwick wrote:
> Conventional wisdom is that you should not roll your own security but 
> use tried and trusted mechanisms. So what is wrong with using Kerberos?

Nothing wrong, but not something we can get running in the Havana time
frame, I am afraid. I would love to see if people would be amenable to
using Kerberos and I can make a proposal on how to integrate it for the
future, but it would require a few things we are missing, including good
bindings.
It would also introduce some C code in the project, as we would definitely
want to use some DAL modules in the KDC to be able to create our own
delegation rules. I've done all this for the FreeIPA project, and it is
all doable and quite neat, but it will take time and I am not sure
everybody is comfortable with the dependency.

So I decided to try with a much simpler scheme first that would require
a lot less time to prototype and test. If it is successful we can keep
it as a basic system and start discussing whether we want to go all 99
yards toward something like full-fledged Kerberos.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



