[openstack-dev] Http library usage by clients
Robert Collins
robertc at robertcollins.net
Thu Jun 27 19:01:43 UTC 2013
On 27 June 2013 04:55, Adam Young <ayoung at redhat.com> wrote:

> Right now Keystone provides so called bearer tokens: This means that whoever
> has a token can do whatever the token entitles him to do. If I
> manage to get somebody's token I can do whatever this person is able to do.
> To fix it, the other services that use tokens to:
>
> 1. Authenticate the identity
> 2. Match the name in the token to the identity that authenticated the
> connection.

I am confused: HTTP is a message orientated protocol, connection based
authentication is a terrible antipattern. Do you really mean
'connection' here?

> If the names match then you can be sure that the user that connected to the
> service and presented a token is the same user that acquired the token from
> keystone in the first place.

That would prevent the use case of 'create a token and hand it off'
which AIUI Heat depends on/will depend on.

> To make this happen we need to add authentication to the connections between
> clients and services.

Again, if you mean actual TCP Connection here then this design is deeply flawed.
What's the actual problem we're trying to solve (vs this proposed solution).

-Rob
--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services
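The two-step check quoted above (authenticate the identity, then match the name in the token to it) and Rob's two objections (the check must be per request, not per TCP connection, and it must leave room for handing a token off) can be shown side by side in a few lines. The following is an added example, not Keystone code or anything from the thread: it models a token as a small record with the user it was issued to and a hypothetical `delegated_to` list, takes the request's authenticated identity as a per-message value (think the subject of a verified TLS client certificate), and contrasts plain bearer acceptance with a bound check. Token layout, field names and the sample identities are constructed for illustration.

```python
"""Added example (not Keystone's code): bearer vs. identity-bound token checks.

Assumptions (constructed):
- A token carries the user it was issued to, an expiry and a role list.
- `delegated_to` is a hypothetical field naming identities the user
  explicitly handed the token to (models "create a token and hand it off").
- `peer_identity` is whatever authenticated THIS request at the transport
  layer (e.g. a verified TLS client cert subject), or None if nothing did.
  It is supplied per message, never remembered per TCP connection.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac
from typing import Optional, Tuple


@dataclass(frozen=True)
class Token:
    user: str                          # identity the token was issued to
    expires: datetime
    roles: Tuple[str, ...] = ()
    delegated_to: Tuple[str, ...] = () # hypothetical: allowed presenters


def _expiry_error(token: Token, now: datetime) -> Optional[str]:
    return "token expired" if token.expires <= now else None


def _same_identity(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authorize_bearer(token: Token, now: datetime) -> Tuple[bool, str]:
    """Bearer semantics: holding a valid token is sufficient, whoever you are."""
    err = _expiry_error(token, now)
    if err:
        return False, err
    return True, f"bearer token for {token.user} accepted"


def authorize_bound(token: Token, peer_identity: Optional[str],
                    now: datetime) -> Tuple[bool, str]:
    """Bound semantics: the identity that authenticated this request must be
    the token's user, or one the token was explicitly handed off to."""
    err = _expiry_error(token, now)
    if err:
        return False, err
    if peer_identity is None:
        return False, "request carries no authenticated identity"
    if _same_identity(peer_identity, token.user):
        return True, f"token presented by its owner {token.user}"
    if any(_same_identity(peer_identity, d) for d in token.delegated_to):
        return True, f"token for {token.user} presented by delegate {peer_identity}"
    return False, f"token for {token.user} presented by {peer_identity}: mismatch"


def demo() -> dict:
    """Run the scenarios from the thread against both checks (constructed data)."""
    now = datetime(2013, 6, 27, 19, 0, tzinfo=timezone.utc)
    alice = Token("alice", now + timedelta(hours=1), ("member",),
                  delegated_to=("heat",))   # alice handed the token to heat
    stale = Token("alice", now - timedelta(minutes=1))
    return {
        # anyone holding the token passes the bearer check, owner or thief
        "owner_bearer": authorize_bearer(alice, now)[0],
        "thief_bearer": authorize_bearer(alice, now)[0],
        # the bound check ties acceptance to the authenticated presenter
        "owner_bound": authorize_bound(alice, "alice", now)[0],
        "thief_bound": authorize_bound(alice, "mallory", now)[0],
        "delegate_bound": authorize_bound(alice, "heat", now)[0],
        "unauthenticated_bound": authorize_bound(alice, None, now)[0],
        "expired_bound": authorize_bound(stale, "alice", now)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>22}: {'allowed' if allowed else 'denied'}")
```

The delegate branch is the part that answers Rob's hand-off concern: binding alone would reject Heat presenting a user's token, so the token itself has to say who may present it. Note that the peer identity is a function argument evaluated on every call, which is the per-message shape Rob is asking for rather than state attached to a connection.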