[openstack-dev] [Glance][Keystone] Glance and trusts
Adam Young
ayoung at redhat.com
Tue Jun 9 01:18:05 UTC 2015
On 06/08/2015 02:10 PM, Steve Lewis wrote:
> Monday, June 8, 2015 07:10, Adam Young wrote:
>> 2. Delegation are long lived affairs. If anything is going to take
>> longer than the duration of the token, it should be in the context of a
>> delegation, and the user should re-authenticate to prove identity.
> Requiring re-authenticating to perform many tasks that involves delegation (a distinction that users don't understand, or care to) is a sure way to convince users to use short and weak passwords. Please, no.
Requiring re-authentication is not the same as requireing the user to
retype their password. The Users agent re-authenticates, not the user
him/herself. In the case of the CLI, that is using Env Vars, and in the
case of Horizon, it is using the unscoped token that the user has in
their session. For Service users, it should be X509 or Kerberos, but it
will be the service password. Don't confuse the one with the other, please.
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list