On 07/26/2013 12:26 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
Adam,
Which Havana Blueprint provides support for the feature you mention in
your article below?
https://blueprints.launchpad.net/keystone/+spec/authentication-tied-to-token
It has been implemented, so it doesn't show up in the list of active
blueprints, but you can see it targeted for H2:
https://launchpad.net/keystone/+milestone/havana-2
To move beyond bearer tokens requires multiple steps. In order to link
the token to a user, the user needs to use a secure authentication
mechanism, and then link the token to that mechanism. A mechanism for
that will be present in the Havana release. Its use will be optional
to start; once we disable bearer tokens, we risk breaking the entire
OpenStack system. If tokens must be bound to the user that initially
requested them, how can a system call a second and third system to do
work on behalf of the user? If a token can only be used for a specific
system, how can a workflow progress across multiple systems?
Thanks,
Mark
*From:* Adam Young [mailto:[email protected]]
*Sent:* Thursday, July 25, 2013 6:53 PM
*To:* [email protected]
*Subject:* Re: [openstack-dev] A vision for Keystone
On 07/19/2013 10:56 AM, Brad Topol wrote:
Adam,
Your essay below is outstanding! Any chance part of it could be
included within the keystone project documentation? I think
having it in the project and at folks' fingertips would really
help folks that are trying to get up to speed with keystone!
Thanks for the input. I think it could be included in the future, but
we have a long way to go to implement this vision, and we are moving
toward it one step at a time. When we are closer, I will revise the
essay to reflect reality and maybe more relevant details. At that
point, yes, it can be part of the documentation.
Thanks again for writing this up!
--Brad
Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: [email protected]
Assistant: Cindy Willman (919) 268-5296
From: Adam Young <[email protected]>
To: OpenStack Development Mailing List <[email protected]>
Date: 07/18/2013 02:21 PM
Subject: [openstack-dev] A vision for Keystone
------------------------------------------------------------------------
I wrote up an essay that, I hope, explains where Keystone is headed as
far as token management.
http://adam.younglogic.com/2013/07/a-vision-for-keystone/
It is fairly long (2000 words) but I attempted to make it readable, and
to provide the context for what we are doing.
There are several blueprints for this work, many of which have already
been implemented. There is at least one that I still need to write up.
This is not new stuff. It is just an attempt to cleanly lay out the
story.
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev