[openstack-dev] [keystone][heat] ec2tokens, v3 credentials and request signing

Jay Pipes jaypipes at gmail.com
Fri Dec 13 21:14:28 UTC 2013


On Tue, 2013-12-10 at 15:13 +0000, Steven Hardy wrote:
> I'm just thinking it would be really great (from a user-of-keystone
> perspective) if we could avoid further fragmentation and just have one type
> of shared secret (a keystone token), which can be configured flexibly
> enough to satisfy the various use-cases?

Amen. No offense to those Keystone contributors who enjoy reading arcane
academic texts and RFCs about x.509, Kerberos, and PKI, but *users and
deployers* of OpenStack (and therefore users of Keystone) don't give a
hoot about any of that stuff, nor should deployers and users *have to
know* about the arcane underbelly of security semantics in order to use
OpenStack.

All deployers want is a simple, easy-to-understand authentication
mechanism that *seamlessly* integrates with other OpenStack projects.

AWS authentication works because it's simple and does its job without
making life unnecessarily difficult for its users.

Best,
-jay



