[openstack-dev] [Glance][Keystone] Glance and trusts

Adam Young ayoung at redhat.com
Tue Jun 9 01:18:05 UTC 2015

On 06/08/2015 02:10 PM, Steve Lewis wrote:
> Monday, June 8, 2015 07:10, Adam Young wrote:
>> 2.  Delegation are long lived affairs.  If anything is going to take
>> longer than the duration of the token, it should be in the context of a
>> delegation, and the user should re-authenticate to prove identity.
> Requiring re-authenticating to perform many tasks that involves delegation (a distinction that users don't understand, or care to) is a sure way to convince users to use short and weak passwords. Please, no.
Requiring re-authentication is not the same as requireing the user to 
retype their password.  The Users agent re-authenticates, not the user 
him/herself.  In the case of the CLI, that is using Env Vars, and in the 
case of Horizon, it is using the unscoped token that the user has in 
their session.  For Service users, it should be X509 or Kerberos, but it 
will be the service password.  Don't confuse the one with the other, please.

> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list