[Openstack] Authn Authz Proposal

Eric Day eday at oddments.org
Thu Mar 3 23:24:19 UTC 2011

On Thu, Mar 03, 2011 at 12:03:28PM -0800, Vishvananda Ishaya wrote:
> Rationale: Openstack components need a common solution for Authentication (authn) and Authorization (authz). Mailing list discussions tend to devolve into hypotheticals, so we decided to put together a proposal and prototype, so we all see the proposed system in action.

Yeah, as I stated in the Etherpad, I think there is still a lot of
value in mailing list discussions. I think we reached a healthy level
of discussion to start putting it into code, which you guys were a
little ahead on. :) I'm not saying the ML is the most efficient place
for discussions (far from it), but until we get efficient virtual
whiteboards and watercoolers it's the best we have.

> http://plansthis.com/auth

First, why not on http://etherpad.openstack.org/? :)

Overall I think this is a great start. The main things I think need
to be addressed are:

The owner account (who you are acting on behalf of) doesn't need to
be in the token and shouldn't be required for requests. The request
should be self contained and specify who the owner of the resource
is. Of course it can be optional if the auth middleware sets a default
owner context for the request, but we shouldn't rely on that alone
for the owner in requests.

I know this may not be in the scope of the first branch, but removing
the user and project entities and replacing it with a single "account"
entity with relations to other accounts is pretty high on my list
for being able to reuse it in other services.

Eventually splitting this out to openstack-common (post cactus as we
discussed) so it can easily be consumed by other services.
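The two design points raised above (the token carries only the acting identity, and the request names the resource owner, with the middleware supplying a default owner context and a single "account" entity that relates to other accounts) can be sketched as a small request pipeline. This is an added illustration written for this page, not code from the proposal, the prototype at the linked site, or any OpenStack project; every name here (Token, Account, DIRECTORY, TOKENS, handle_request, the X-Auth-Token header) is an assumption chosen for the example, and the token strings and account ids are constructed sample data.

```python
"""Illustrative authn/authz pipeline: token identifies the actor only,
the request names the owner, middleware fills in a default owner.
All names and data are constructed for this example."""
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised for a missing/invalid token or a denied owner context."""


@dataclass(frozen=True)
class Token:
    # Who is acting. Deliberately no "owner" field: the owner is a
    # per-request property, not a property of the credential.
    account_id: str


@dataclass
class Account:
    # Single "account" entity; relations to other accounts replace the
    # separate user/project split. can_act_for lists the accounts this
    # one is allowed to act on behalf of (a delegation relation).
    account_id: str
    can_act_for: set = field(default_factory=set)


# Constructed sample directory and token store (stand-ins for a real backend).
DIRECTORY = {
    "alice": Account("alice", can_act_for={"team-a"}),
    "bob": Account("bob"),
    "team-a": Account("team-a"),
}
TOKENS = {
    "tok-alice": Token("alice"),
    "tok-bob": Token("bob"),
}


def authenticate(headers):
    """authn: map the bearer token to the acting account, or fail."""
    token = TOKENS.get(headers.get("X-Auth-Token", ""))
    if token is None:
        raise AuthError("invalid or missing token")
    return token


def resolve_owner(token, request):
    """Middleware step: the request may name the owner explicitly; if it
    does not, fall back to a default owner context (the actor itself).
    The request stays self-contained because the explicit owner, when
    present, always wins over the default."""
    return request.get("owner") or token.account_id


def authorize(actor_id, owner_id):
    """authz: the actor may act on its own resources, or on an owner it
    has an explicit relation to in the directory."""
    if actor_id == owner_id:
        return True
    actor = DIRECTORY.get(actor_id)
    return actor is not None and owner_id in actor.can_act_for


def handle_request(headers, request):
    """Full pipeline: authenticate, resolve owner, authorize, then return
    the resolved context a backend would use to scope the action."""
    token = authenticate(headers)
    owner = resolve_owner(token, request)
    if not authorize(token.account_id, owner):
        raise AuthError(f"{token.account_id} may not act for {owner}")
    return {"actor": token.account_id, "owner": owner, "action": request["action"]}


if __name__ == "__main__":
    # Explicit owner via delegation relation.
    print(handle_request({"X-Auth-Token": "tok-alice"},
                         {"owner": "team-a", "action": "list_instances"}))
    # No owner in request: middleware default applies (owner == actor).
    print(handle_request({"X-Auth-Token": "tok-bob"}, {"action": "list_instances"}))
```

The point to notice is that the same token serves every request alice makes, whether for herself or for team-a; nothing about the credential has to change when the owner does, and an account with no relation to the named owner is refused even with a valid token.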
