[OpenStack-Infra] Desired requirements for centralized contributor identity service (was RE: On being an OpenID consumer instead of an OpenID producer.)

Atwood, Mark mark.atwood at hp.com
Thu Sep 26 21:40:21 UTC 2013


Hmm, ok.  I am painfully about convinced that a centralized auth solution is 
the right choice for us.

While I'm wishing for a pony:

First of all and most of all, I want the whole thing to be open source, and 
managed via the OpenStack infra review process, just like the rest of the 
stuff managed by Monty's team.

I want it to have a web UI with a URL like 
https://id.openstack.org/~fallenpegasus so I can see someone's
 name,
 email addresses,
 Gravatar photograph,
 when did they join the foundation,
 are they (board, TC, PTL, Core (of which teams)) and since when,
 project participation history,
 IRC handles,
 XMPP ids,
 PGP key fingerprints,
 social media URLs,
 Launchpad id,
 GitHub id,
 and Ohloh account.

I want it to have, via some API, all the employer history tracking that is 
currently contained and duplicated in various data files in the gitdm project 
and stackalytics project.

I want it to do LDAP, vCard, and PoCo, and make all that data I wished for the 
past few paragraphs available over those APIs.

I want it to do OpenID and OpenID Connect (for the web apps), and a good 
backend to SASL (for the non-web apps).

And I want it to support standard OATH TOTP 2-factor auth.

AND

And I want world peace.

:)

..m

Mark Atwood <mark.atwood at hp.com>
Director of Open Source Engagement for HP Cloud Services
M +1-206-473-7118


> -----Original Message-----
> From: Jeremy Stanley [mailto:fungi at yuggoth.org]
> Sent: Wednesday, September 25, 2013 7:20 PM
> To: openstack-infra at lists.openstack.org
> Subject: Re: [OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.
>
> On 2013-09-24 16:39:44 -0700 (-0700), Ryan Lane wrote:
> [...]
> > If every application is provider agnostic each one of them will have
> > their own OpenID consumer interface. This means it's necessary to make
> > all of them look the same, which requires modifying a lot of
> > applications. Adding different auth mechanisms (like persona) means
> > adding it to every single application, too.
> [...]
>
> This reminds me of yet another point in favor of centralization. We want to be
> able to correlate information between a user's account in various distributed
> systems where there is currently no cross-system index mapping them to one
> another. If all of them use a common OpenID provider then we can key on that,
> but if they're provider-agnostic then at least some subset of users will
> authenticate to systems with more than one (potentially to different systems
> with different providers).
>
> Also not mentioned yet in these threads, but one of the reasons it was suggested
> to run our own provider is that we have some services which are not "Web apps"
> (so not well-suited to OpenID), and we'd like to be able to tie other auth
> protocols into the same backend eventually to support those systems as well.
> --
> Jeremy Stanley
>