[openstack-dev] A vision for Keystone

Adam Young ayoung at redhat.com
Fri Jul 26 16:53:41 UTC 2013


On 07/26/2013 12:26 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
wrote:
>
> Adam,
>
> Which Havana Blueprint provides support for the feature you mention in 
> your article below?
>

https://blueprints.launchpad.net/keystone/+spec/authentication-tied-to-token
It has been implemented, so it doesn't show up in the list of active 
blueprints, but you can see it targeted for H2

https://launchpad.net/keystone/+milestone/havana-2


> To move beyond bearer tokens requires multiple steps. In order to link 
> the token to a user, the user needs to use a secure authentication 
> mechanism, and then link the token to that mechanism. A mechanism for 
> that will be present in the Havana release. Its use will be optional 
> to start; once we disable bearer tokens, we risk breaking the entire 
> OpenStack system. If tokens must be bound to the user that initially 
> requested them, how can a system call second and third system to do 
> work on behalf of the user? If a token can only be used for a specific 
> system, how can a workflow progress across multiple systems?
>
> Thanks,
>
> Mark
>
> *From:*Adam Young [mailto:ayoung at redhat.com]
> *Sent:* Thursday, July 25, 2013 6:53 PM
> *To:* openstack-dev at lists.openstack.org
> *Subject:* Re: [openstack-dev] A vision for Keystone
>
> On 07/19/2013 10:56 AM, Brad Topol wrote:
>
>     Adam,
>
>     Your essay below is outstanding! Any chance part of it could be
>     included within the keystone project documentation? I think
>     having it in the project and at folks' fingertips would really
>     help folks that are trying to get up to speed with keystone!
>
> Thanks for the input.  I think it could be included in the future, but 
> we have a long way to go to implement this vision, and we are moving 
> toward it one step at a time. When we are closer, I will revise the 
> essay to reflect reality and maybe more relevant details.  At that 
> point, yes, it can be part of the documentation.
>
>
>
>
> Thanks again for writing this up!
>
> --Brad
>
> Brad Topol, Ph.D.
> IBM Distinguished Engineer
> OpenStack
> (919) 543-0646
> Internet: btopol at us.ibm.com <mailto:btopol at us.ibm.com>
> Assistant: Cindy Willman (919) 268-5296
>
>
>
> From: Adam Young <ayoung at redhat.com> <mailto:ayoung at redhat.com>
> To: OpenStack Development Mailing List 
> <openstack-dev at lists.openstack.org> 
> <mailto:openstack-dev at lists.openstack.org>
> Date: 07/18/2013 02:21 PM
> Subject: [openstack-dev] A vision for Keystone
>
> ------------------------------------------------------------------------
>
>
>
>
> I wrote up an essay that, I hope, explains where Keystone is headed as
> far as token management.
>
> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
>
> It is fairly long (2000 words) but I attempted to make it readable, and
> to provide the context for what we are doing.
>
> There are several blueprints for this work, many of which have already
> been implemented. There is at least one that I still need to write up.
>
> This is not new stuff.  It is just an attempt to cleanly lay out the 
> story.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org 
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
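
An added illustration of the binding idea in the quoted essay paragraph, not part of the original message and not Keystone's code: a token bound at issue time to the mechanism the user authenticated with is only accepted when the caller proves that same identity again, which is also why a service forwarding the token under its own identity fails. The names `Token`, `issue_token`, `check_bind`, the mode names `optional`/`required`, and the Kerberos principals are assumptions constructed for this example.

```python
"""Token-binding check (added illustration; not Keystone's code)."""
from dataclasses import dataclass, field
import hmac


class BindError(Exception):
    """Raised when a token is presented outside the binding it was issued under."""


@dataclass(frozen=True)
class Token:
    user: str
    # mechanism -> identity proven at issue time; empty means a plain bearer token
    bind: dict = field(default_factory=dict)


def issue_token(user, mechanism=None, identity=None):
    """Issue a token, bound to the authentication mechanism if one was used."""
    return Token(user, {mechanism: identity} if mechanism else {})


def check_bind(token, proven, mode="optional"):
    """Validate a token against what the caller proved on this request.

    proven: mechanism -> identity authenticated on this connection.
    mode (hypothetical names): "optional" still accepts bearer tokens,
    "required" rejects them. Bound tokens must match in both modes.
    """
    if not token.bind:
        if mode == "required":
            raise BindError("unbound bearer token rejected")
        return token.user
    for mechanism, identity in token.bind.items():
        presented = proven.get(mechanism, "")
        if not hmac.compare_digest(presented.encode(), identity.encode()):
            raise BindError(f"{mechanism} identity bound to token not proven")
    return token.user


def accepted(token, proven, mode="optional"):
    """Boolean wrapper around check_bind for quick comparisons."""
    try:
        check_bind(token, proven, mode)
        return True
    except BindError:
        return False


# Constructed sample identities and tokens
ALICE = {"kerberos": "alice@EXAMPLE.COM"}
SERVICE_A = {"kerberos": "svc-a@EXAMPLE.COM"}
bound = issue_token("alice", "kerberos", "alice@EXAMPLE.COM")
bearer = issue_token("alice")
```

Here `accepted(bound, SERVICE_A)` is false: a service that relays the user's bound token while authenticating as itself is rejected, which is the multi-system workflow problem the essay paragraph raises.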


