[Openstack] State of OpenStack Auth

Jay Pipes jaypipes at gmail.com
Fri Mar 4 16:36:36 UTC 2011


On Thu, Mar 3, 2011 at 3:59 PM, Michael Mayo <mike at openstack.org> wrote:
> I was thinking more of a "sniff someone's traffic and perform those same
> requests again" sort of attack.  But then again, I'm an iPhone guy and not a
> security expert :)
> In the end, I'm simply advocating that we reduce the number of HTTP requests
> needed to get information or get things done.  Getting rid of the auth
> server call is a first step.  Future steps could be things like including
> child entities in responses (for instance, getting a server list also
> returning complete image and flavor entities).  Then perhaps we could allow
> creates and actions to happen on multiple entities ("create 10 servers"
> instead of calling "create server" 10 times, reboot a set of servers, etc).

But, unless I'm mistaken, there is only a single call to the auth
server on the first request. If we go with a Swift model (which is
similar to the proposed solution from Vish and Andy, but not quite the
same), the auth server returns the storage-management-url after
authenticating the user/key combination. Requests after the initial
request simply use the storage management URL, passing in the token
returned from the auth service. You could issue dozens of requests
after the initial auth request, and you wouldn't be re-requesting
anything from the auth server each time.

I agree it would be nice to be able to specify "spin me up 10 servers"
in the OpenStack compute API, but that is a bit tangential to the
specifics of the auth service here, AFAICT.

-jay




More information about the Openstack mailing list