openstack team mailing list archive
Message #01234
Re: State of OpenStack Auth
Hi Mike,
On Thu, Mar 03, 2011 at 12:33:11PM -0800, Michael Mayo wrote:
> Here are my thoughts, as a client developer:
> 1. Hit auth server first for token, then hit compute and storage endpoints
> 2. Signed requests
> This is a little more painful from a development standpoint, but it's not
> really that big of a deal. The only downside to this approach is that
> it's not curl or browser friendly. However, the upside of preventing
> replay attacks is pretty valuable.
Signatures don't prevent replay attacks, they are instead the only
thing you can do when the request can be seen by a third party (for
some time period assuming we use time-based signatures). If we force
SSL use (and this goes for all methods), we have much less to worry
about for any kind of attack.
> 3. HTTP Basic
> HTTP Basic is great because it's super easy to use and it's curl and
> browser friendly. However, replay attacks are possible so you open
> yourself up to a security issue there.
> My Vote (Assuming I Actually Have One)
Well, basic (and token for that matter) are not limited to replay
attacks. With a token or basic auth you can do anything you
want. Again, SSL is the solution for both here.
> I think signed requests are the best option since it's more secure than
> HTTP Basic. We could make an oscurl command line tool that would sign a
> request and behave exactly like curl. That shouldn't be too hard. But if
> that can't happen, HTTP Basic is the next best choice. Requiring API
> users to get a new auth token every n hours via an auth endpoint kind of
> sucks, especially from a mobile client perspective.
I agree the token round-trip may not be the best for mobile apps,
but they can at least be cached. We're also getting something else
with a token server though: service discovery (via service URL headers
returned with token). This can be important for auto-configuring apps
since you can simply enter an auth URL and the app will find out which
services to expose and what the URLs for each service are.
-Eric
> On Mar 3, 2011, at 9:04 AM, Jorge Williams wrote:
>
> I agree with Greg here. Signatures complicate life for our clients,
> they are not browser friendly, and I'm not really convinced that we need
> them. If we are going to have a default (and I think that we should) it
> should be dead simple to integrate with. I would vote for basic auth
> with https.
>
> -jOrGe W.
>
> On Mar 3, 2011, at 9:40 AM, Greg wrote:
>
> On Mar 2, 2011, at 8:30 PM, Jesse Andrews wrote:
>
> I would prefer a signature based approach as the default (as
> signatures limit replay attacks; tokens allow an eavesdropper to
> make arbitrary requests if they obtain a token).
>
> On the other hand, signatures make simple things difficult, such as
> quick curl requests, dev testing, etc. The usual tradeoff of security
> and convenience.
>
> _______________________________________________
>
> Mailing list: https://launchpad.net/~openstack
>
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>
> Unsubscribe : https://launchpad.net/~openstack
>
> More help : https://help.launchpad.net/ListHelp
>
>
> Mike Mayo
> 901-299-9306
> @greenisus
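An added example, not from the thread, of the time-based request signing discussed above, in Python. It shows Eric's point: a plain timestamp-plus-HMAC check still accepts a captured request resent inside the time window, and only remembering already-seen signatures for that window rejects the replay. The secret, path and timestamps are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values: a real deployment issues a per-user key.
SECRET = b"demo-shared-secret"
WINDOW = 300  # seconds a request timestamp is accepted as fresh

def canonical(method, path, body, timestamp):
    # String both sides sign: the MAC binds method, path, time and body.
    return f"{method}\n{path}\n{timestamp}\n{body}".encode()

def sign_request(method, path, body, timestamp, secret=SECRET):
    msg = canonical(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side. track_replays=False is a pure time-based signature check;
    True also remembers signatures for WINDOW seconds to refuse resubmission."""

    def __init__(self, secret=SECRET, window=WINDOW, track_replays=False):
        self.secret, self.window, self.track_replays = secret, window, track_replays
        self.seen = {}  # signature -> timestamp, pruned once older than window

    def verify(self, method, path, body, timestamp, signature, now):
        if abs(now - timestamp) > self.window:
            return "stale"
        expected = sign_request(method, path, body, timestamp, self.secret)
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return "bad-signature"
        if self.track_replays:
            self.seen = {s: t for s, t in self.seen.items() if now - t <= self.window}
            if signature in self.seen:
                return "replay"
            self.seen[signature] = timestamp
        return "ok"

def demo():
    t0 = 1299180000  # constructed epoch time (early March 2011)
    req = ("GET", "/v1.0/servers", "")
    sig = sign_request(*req, t0)
    plain, tracked = Verifier(), Verifier(track_replays=True)
    return {
        "first": plain.verify(*req, t0, sig, now=t0 + 1),
        # an eavesdropper resends the captured request a minute later
        "replayed_in_window": plain.verify(*req, t0, sig, now=t0 + 60),
        "replayed_tracked": (tracked.verify(*req, t0, sig, now=t0 + 1),
                             tracked.verify(*req, t0, sig, now=t0 + 60)),
        "tampered": plain.verify("DELETE", "/v1.0/servers", "", t0, sig, now=t0 + 1),
        "stale": plain.verify(*req, t0, sig, now=t0 + WINDOW + 1),
    }
```

The window only bounds how long a captured request stays usable; with TLS on every call, as Eric suggests, the eavesdropper never sees the request in the first place.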
References
- State of OpenStack Auth (Eric Day, 2011-03-01)
- Re: State of OpenStack Auth (Soren Hansen, 2011-03-01)
- Re: State of OpenStack Auth (Eric Day, 2011-03-01)
- Re: State of OpenStack Auth (Soren Hansen, 2011-03-01)
- Re: State of OpenStack Auth (Eric Day, 2011-03-01)
- Re: State of OpenStack Auth (Jorge Williams, 2011-03-02)
- Re: State of OpenStack Auth (Jesse Andrews, 2011-03-03)
- Re: State of OpenStack Auth (Greg, 2011-03-03)
- Re: State of OpenStack Auth (Jorge Williams, 2011-03-03)
- Re: State of OpenStack Auth (Michael Mayo, 2011-03-03)