openstack team mailing list archive

Thread
Date

Re: Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API

To: Joe Savak <joe.savak@xxxxxxxxxxxxx>
From: Nathanael Burton <nathanael.i.burton@xxxxxxxxx>
Date: Sun, 21 Oct 2012 13:06:21 -0400
Cc: OpenStack Development Mailing List <openstack-dev@xxxxxxxxxxxxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <A93F255C-E78D-4FDF-9255-B0EAA9A29C9E@RACKSPACE.COM>

On Oct 21, 2012 12:11 PM, "Joe Savak" <joe.savak@xxxxxxxxxxxxx> wrote:
>
> +1. ;)
>
> So the issue is that the v2 API contract allows a token to be scoped to
multiple tenants. For v3, I'd like to have the same flexibility. I don't
see security issues, as if a token were to be sniffed you can change the
password of the account using it and use those creds to scope tokens to any
tenant you wish.
>

Isn't that a security issue in and of itself? Shouldn't we force re-auth to
change the password?

Nate

References

Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API
From: heckj, 2012-10-20
Re: Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API
From: Adam Young, 2012-10-21
Re: Fwd: [openstack-dev] [keystone] Tokens representing authorization to projects/tenants in the Keystone V3 API
From: Joe Savak, 2012-10-21