openstack team mailing list archive
Message #01889
Re: Proposing an Identity Service in OpenStack (a.k.a. Auth)
On Mon, Apr 18, 2011 at 12:15 PM, Eric Day <eday@xxxxxxxxxxxx> wrote:
> We'll also want to decide if we need a default mechanism for
> OpenStack deployments, and if so, what should it be. We had a
> discussion previously and I think it was somewhere between token
> and HTTP basic w/ SSL. The reason for this is we need to make sure
> different deployments are compatible.
I'm still gonna argue for key signing to be a first-class auth scheme.
It enables things that can't be done with token or basic auth, like
signed URLs and unencrypted requests. Both of these are desirable for
Swift, at the least.

It kind of sucks that key signing (at least as implemented by the
EC2/S3 API) requires a key to be available to both sides in plaintext.
Public key crypto is one way to fix that, but I don't really know how
practical that is.
-- Mike Barton
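
An added illustration of the signed-URL idea raised in this message (not code from the post, from OpenStack, or the EC2/S3 signature format): a generic HMAC-SHA256 scheme in which the secret never travels with the request, but the server must hold the same secret in recoverable form to verify it. The names `sign_url`, `verify_url`, `SECRETS` and the query parameter names are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample credential store. The verifier keeps the same secret in
# recoverable form, which is the drawback the message points out.
SECRETS = {"demo-access-key": b"constructed-shared-secret"}


def _mac(secret, method, path, expires):
    # The signed string binds method, path and expiry so none can be swapped.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(key_id, secret, method, path, ttl, now=None):
    """Client side: return the path plus a query with key id, expiry and MAC."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"key": key_id, "expires": expires,
                       "sig": _mac(secret, method, path, expires)})
    return f"{path}?{query}"


def verify_url(method, url, now=None):
    """Server side: recompute the MAC from its own copy of the secret."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        key_id, expires, sig = q["key"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    secret = SECRETS.get(key_id)
    if secret is None:
        return False  # unknown key id
    if (time.time() if now is None else now) > expires:
        return False  # link has expired
    expected = _mac(secret, method, parts.path, expires)
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

Because only the MAC is sent, the URL can be handed to a third party or used over plain HTTP without exposing the secret, though the request contents remain readable to anyone on the path.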