[Openstack] Proposing an Identity Service in OpenStack (a.k.a. Auth)

Michael Barton mike-launchpad at weirdlooking.com
Mon Apr 18 21:30:09 UTC 2011


On Mon, Apr 18, 2011 at 12:15 PM, Eric Day <eday at oddments.org> wrote:
> We'll also want to decide if we need a default mechanism for
> OpenStack deployments, and if so, what should it be. We had a
> discussion previously and I think it was somewhere between token
> and HTTP basic w/ SSL. The reason for this is we need to make sure
> different deployments are compatible.


I'm still gonna argue for key signing to be a first-class auth scheme.
 It enables things that can't be done with token or basic auth, like
signed URLs and unencrypted requests.  Both of these are desirable for
Swift, at the least.

It kind of sucks that key signing (at least as implemented by the
EC2/S3 API) requires a key to be available to both sides in plaintext.
Public key crypto is one way to fix that, but I don't really know how
practical that is.

-- Mike Barton
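
The signed-URL idea and the shared-plaintext-key drawback raised in the message above, as an added example that is not part of the original message and is not the EC2/S3 or Swift signing format. The string-to-sign layout, the query parameter names (key, expires, sig), the use of HMAC-SHA256 and the SECRETS store are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample credential store. The service has to hold the secret
# itself (not a hash of it) to recompute the HMAC, which is the drawback
# the message above points out.
SECRETS = {"demo-access-key": b"constructed-secret-not-a-real-key"}


def _string_to_sign(method, path, expires):
    # Hypothetical canonical form: method, path and expiry, newline-separated.
    return f"{method}\n{path}\n{expires}".encode()


def sign_url(method, path, access_key, secret, expires):
    """Client side: return the path plus a query string carrying the signature."""
    sig = hmac.new(secret, _string_to_sign(method, path, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"key": access_key, "expires": expires, "sig": sig})
    return f"{path}?{query}"


def verify_url(method, url, now=None):
    """Server side: recompute the HMAC from the stored secret and compare."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        access_key = params["key"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    secret = SECRETS.get(access_key)
    if secret is None or now > expires:
        return False  # unknown key, or the link has expired
    expected = hmac.new(secret, _string_to_sign(method, parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

Because the method, path and expiry are all covered by the signature, the URL stays verifiable over an unencrypted connection, although the response body itself is not kept confidential.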