[Openstack] Authentication and Authorisation in Keystone

Nathan Sowatskey nsowatsk at cisco.com
Tue Sep 6 11:07:55 UTC 2011


http://forums.openstack.org/viewtopic.php?f=23&t=268&p=955#p955

Hi

I am trying to understand the role that authorisation plays in Keystone, as I don't see any mention of it in the identitydevguide.pdf.

In other identity systems such as SAML or OAuth, authentication is used to obtain a token that is used for authorisation; either a SAML assertion or an OAuth token. Separating authentication and authorisation is normal practice for a variety of reasons that are well discussed elsewhere. For example:

http://www.duke.edu/~rob/kerberos/authvauth.html

In the devguide we have, for example, this section:

"Most calls on the Admin API require authentication. The only calls available without authentication are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get a token.

Authentication is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

I would have expected that to say:

"Most calls on the Admin API require *authorisation*. The only calls available without *authorisation* are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get an *authorisation* token.

*Authorisation* is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."

It is often the case that authentication and authorisation are mixed up by people new to the field, and that may be what is happening here.

Does anyone have any thoughts on this please?

Many thanks

Nathan
-- 
Nathan Sowatskey (nsowatsk at cisco.com) - Technical Leader, STG - +34-638-083-675
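The distinction the post draws, worked through as an added example that is not part of the original message and is not Keystone's own code: a toy Admin API in Python with the two steps kept apart. Authentication is proving who you are (a password check that issues a token, and later a check that the X-Auth-Token header carries a live token); authorisation is deciding what that identity may do (the Admin role check). The user table, token store, role names and the 401/403 split are assumptions made for the example, not Keystone's real backends or error handling.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample identity backend (assumption; a stand-in for a
# user/role store, not Keystone's real schema). Plaintext passwords are a
# simplification for the example only.
USERS = {
    "alice": {"password": "alice-pw", "roles": {"Admin", "Member"}},
    "bob":   {"password": "bob-pw",   "roles": {"Member"}},
}


@dataclass
class Token:
    user: str
    expires: float


class TokenStore:
    """Server-side record of issued bearer tokens (hypothetical)."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self._tokens = {}

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        tok = secrets.token_hex(16)  # unguessable opaque bearer token
        self._tokens[tok] = Token(user, now + self.ttl)
        return tok

    def lookup(self, tok, now=None):
        """Return the owning user if the token exists and has not expired."""
        now = time.time() if now is None else now
        rec = self._tokens.get(tok)
        if rec is None or rec.expires <= now:
            return None
        return rec.user


def authenticate(username, password, store, now=None):
    """Authentication: prove who you are and receive a token."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            user["password"].encode(), password.encode()):
        return None
    return store.issue(username, now)


def authenticate_request(headers, store, now=None):
    """Authentication of a later request: X-Auth-Token is the credential.
    A valid token establishes *who* is calling, and nothing more."""
    tok = headers.get("X-Auth-Token")
    if not tok:
        return None
    return store.lookup(tok, now)


def authorize(username, required_role):
    """Authorisation: given an established identity, may it do this?"""
    user = USERS.get(username)
    return user is not None and required_role in user["roles"]


def handle_admin_call(headers, store, now=None):
    """Admin API handler. 401 when the caller cannot be authenticated
    (no, unknown or expired token); 403 when authenticated but not
    authorised (no Admin role); 200 when both steps pass."""
    caller = authenticate_request(headers, store, now)
    if caller is None:
        return 401, "authentication failed: missing, unknown or expired token"
    if not authorize(caller, "Admin"):
        return 403, f"authorisation failed: {caller} lacks the Admin role"
    return 200, f"ok: {caller} holds the Admin role"


if __name__ == "__main__":
    store = TokenStore()
    admin_token = authenticate("alice", "alice-pw", store)
    member_token = authenticate("bob", "bob-pw", store)
    for hdrs in ({}, {"X-Auth-Token": "bogus"},
                 {"X-Auth-Token": member_token}, {"X-Auth-Token": admin_token}):
        print(handle_admin_call(hdrs, store))
```

Bob's token is accepted by the authentication step (it is valid and identifies him) but rejected by the authorisation step, which is why the two checks return different statuses: a 401 means "I do not know who you are", a 403 means "I know who you are and the answer is no". Collapsing the two into one "authentication" check is what makes the devguide wording read oddly.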
