openstack team mailing list archive
Message #03908
Authentication and Authorisation in Keystone
http://forums.openstack.org/viewtopic.php?f=23&t=268&p=955#p955
Hi
I am trying to understand the role that authorisation plays in Keystone, as I don't see any mention of it in the identitydevguide.pdf.
In other identity systems such as SAML or OAuth, authentication is used to obtain a token that is used for authorisation; either a SAML assertion or an OAuth token. Separating authentication and authorisation is normal practice for a variety of reasons that are well discussed elsewhere. For example:
http://www.duke.edu/~rob/kerberos/authvauth.html
In the devguide we have, for example, this section:
"Most calls on the Admin API require authentication. The only calls available without authentication are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get a token.
Authentication is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."
I would have expected that to say:
"Most calls on the Admin API require *authorisation*. The only calls available without *authorisation* are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc...) and the call to authenticate and get an *authorisation* token.
*Authorisation* is performed by passing in a valid token in the X-Auth-Token header on the request from the client. Keystone will verify the token has (or belongs to a user that has) the Admin role."
It is often the case that authentication and authorisation are mixed up by people new to the field, and that may be what is happening here.
Does anyone have any thoughts on this please?
Many thanks
Nathan
--
Nathan Sowatskey (nsowatsk@xxxxxxxxx) - Technical Leader, STG - +34-638-083-675
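To make the two steps the post distinguishes concrete, here is an added toy model (example code, not Keystone's own implementation): authenticate() turns credentials into an opaque bearer token, and authorise() checks that the token presented in X-Auth-Token is valid and that its holder has the required role. The user store, passwords, token lifetime and the 401/403 mapping are constructed assumptions for the example.

```python
import hmac
import secrets
from hashlib import sha256
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL = 3600  # seconds a token stays valid (constructed value)

def _hash(password: str, salt: str) -> str:
    return sha256((salt + password).encode()).hexdigest()

# Constructed user store: username -> (password hash, salt, roles). Not Keystone's schema.
_USERS: Dict[str, Tuple[str, str, Set[str]]] = {
    "admin": (_hash("admin-pass", "s1"), "s1", {"Admin", "Member"}),
    "alice": (_hash("alice-pass", "s2"), "s2", {"Member"}),
}
# Token store: opaque token -> (username, expiry timestamp). 'now' is passed in explicitly.
_TOKENS: Dict[str, Tuple[str, float]] = {}

def authenticate(username: str, password: str, now: float) -> Optional[str]:
    """Authentication: establish who the caller is and issue a bearer token."""
    rec = _USERS.get(username)
    if rec is None:
        return None
    stored, salt, _roles = rec
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (username, now + TOKEN_TTL)
    return token

def validate_token(token: Optional[str], now: float) -> Optional[str]:
    """Resolve an X-Auth-Token to a username, rejecting unknown or expired tokens."""
    if not token or token not in _TOKENS:
        return None
    username, expires = _TOKENS[token]
    if now >= expires:
        del _TOKENS[token]
        return None
    return username

def authorise(token: Optional[str], required_role: str, now: float) -> bool:
    """Authorisation: decide whether the token's holder may perform this action."""
    username = validate_token(token, now)
    return username is not None and required_role in _USERS[username][2]

def handle_admin_request(headers: Dict[str, str], now: float) -> int:
    """Model of an Admin API call: 401 without a valid token, 403 without the Admin role."""
    token = headers.get("X-Auth-Token")
    if validate_token(token, now) is None:
        return 401
    return 200 if authorise(token, "Admin", now) else 403
```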