[openstack-dev] A vision for Keystone
Adam Young
ayoung at redhat.com
Fri Jul 26 16:53:41 UTC 2013
On 07/26/2013 12:26 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
>
> Adam,
>
> Which Havana Blueprint provides support for the feature you mention in
> your article below?
>
https://blueprints.launchpad.net/keystone/+spec/authentication-tied-to-token
It has been implemented, so it doesn't show up in the list of active
blueprints, but you can see it targetted for H2
https://launchpad.net/keystone/+milestone/havana-2
> To move beyond bearer tokens requires multiple steps. In order to link
> the token to a user, the user needs to use a secure authentication
> mechanism, and then link the token to that mechanism. A mechanism for
> that will be present in the Havana release. Its use will be optional
> to start; once we disable bearer tokens, we risk breaking the entire
> OpenStack system. If tokens must be bound to the user that initially
> requested them, how can a system call second and third system to do
> work on behalf of the user? If a token can only be used for a specific
> system, how can a workflow progress across multiple systems?
>
> Thanks,
>
> Mark
>
> *From:*Adam Young [mailto:ayoung at redhat.com]
> *Sent:* Thursday, July 25, 2013 6:53 PM
> *To:* openstack-dev at lists.openstack.org
> *Subject:* Re: [openstack-dev] A vision for Keystone
>
> On 07/19/2013 10:56 AM, Brad Topol wrote:
>
> Adam,
>
> Your essay below is outstanding! Any chance part of it could be
> included within the keystone project documentation? I think
> having it in the project and at folks fingertips would really
> help folks that are trying to get up to speed with keystone!
>
> Thanks for the input. I think it could be included in the future, but
> we have along way to go to implement this vision, and we are moving
> toward it one step at a time. When we are closer, I will revise the
> essay to reflect reality and maybe more relevant details. At that
> point, yes, it can be part of the documentation.
>
>
>
>
> Thanks again for writing this up!
>
> --Brad
>
> Brad Topol, Ph.D.
> IBM Distinguished Engineer
> OpenStack
> (919) 543-0646
> Internet: btopol at us.ibm.com <mailto:btopol at us.ibm.com>
> Assistant: Cindy Willman (919) 268-5296
>
>
>
> From: Adam Young <ayoung at redhat.com> <mailto:ayoung at redhat.com>
> To: OpenStack Development Mailing List
> <openstack-dev at lists.openstack.org>
> <mailto:openstack-dev at lists.openstack.org>
> Date: 07/18/2013 02:21 PM
> Subject: [openstack-dev] A vision for Keystone
>
> ------------------------------------------------------------------------
>
>
>
>
> I wrote up an essay that, I hope, explains where Keystone is headed as
> far as token management.
>
> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
>
> It is fairly long (2000 words) but I attempted to make it readable, and
> to provide the context for what we are doing.
>
> There are several blueprints for this work, many of which have already
> been implemented. There is at least one that I still need to write up.
>
> This is not new stuff. It is just an attempt to cleanly lay out the
> story.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130726/69f3e1fa/attachment.html>
More information about the OpenStack-dev
mailing list