[OpenStack-Infra] Refstack workflow discussion. Using OpenstackID as auth provider for application with Web UI and CLI client
Jeremy Stanley
fungi at yuggoth.org
Thu Apr 23 20:52:03 UTC 2015
On 2015-04-23 22:58:50 +0300 (+0300), Sergey Slypushenko wrote:
> We decided to change authorization with OpenID creds to auth with
> pubkeys for CLI client. It is a single reason why refstack needs
> pubkeys management. So, here we don't discuss a way how to manage
> pubkeys with OpenStackID. I mentioned pubkeys only as a
> alternative for CLI auth. It would be great if some other
> appropriate alternative exists.
Eventually, we might be able to consider something like bridging
OAuth to Kerberos[1][2] for supporting various client applications,
or exposing some data from OpenStackID via LDAP which can be used by
services like OpenSSH[3] for key lookup. In the meantime though, I
think it's perfectly fine to punt on the non-Web-oriented
authentication problem and handle things like SSH authorized keys
directly within the consuming application. As mentioned earlier,
we're stuck doing that with Gerrit for the foreseeable future.
[1] https://tools.ietf.org/html/draft-hardjono-oauth-kerberos-01
[2] http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf
[3] https://pypi.python.org/pypi/ssh-ldap-pubkey/0.2.2
--
Jeremy Stanley
More information about the OpenStack-Infra
mailing list