Adam,

Which Havana Blueprint provides support for the feature you mention in your article below?

> To move beyond bearer tokens requires multiple steps. In order to link the token to a user, the user needs to use a secure authentication mechanism, and then link the token to that mechanism. A mechanism for that will be present in the Havana release. Its use will be optional to start; once we disable bearer tokens, we risk breaking the entire OpenStack system.

If tokens must be bound to the user that initially requested them, how can a system call a second and third system to do work on behalf of the user? If a token can only be used for a specific system, how can a workflow progress across multiple systems?

Thanks,
Mark

From: Adam Young [mailto:ayo...@redhat.com]
Sent: Thursday, July 25, 2013 6:53 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] A vision for Keystone

On 07/19/2013 10:56 AM, Brad Topol wrote:
> Adam,
>
> Your essay below is outstanding! Any chance part of it could be included within the keystone project documentation? I think having it in the project and at folks' fingertips would really help folks that are trying to get up to speed with keystone!

Thanks for the input. I think it could be included in the future, but we have a long way to go to implement this vision, and we are moving toward it one step at a time. When we are closer, I will revise the essay to reflect reality and maybe more relevant details. At that point, yes, it can be part of the documentation.

> Thanks again for writing this up!
>
> --Brad
>
> Brad Topol, Ph.D.
> IBM Distinguished Engineer
> OpenStack
> (919) 543-0646
> Internet: bto...@us.ibm.com
> Assistant: Cindy Willman (919) 268-5296
>
> From: Adam Young <ayo...@redhat.com>
> To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org>
> Date: 07/18/2013 02:21 PM
> Subject: [openstack-dev] A vision for Keystone
>
> I wrote up an essay that, I hope, explains where Keystone is headed as far as token management.
>
> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
>
> It is fairly long (2000 words) but I attempted to make it readable, and to provide the context for what we are doing. There are several blueprints for this work, many of which have already been implemented. There is at least one that I still need to write up.
>
> This is not new stuff. It is just an attempt to cleanly lay out the story.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
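The difference Mark is asking about (a bearer token is accepted from whoever presents it, a bound token only together with the credential it was issued against, which is exactly why one service cannot simply forward it to the next) can be shown with a small model. The Python below is an added illustration written for this thread; it is not Keystone code and not code from the linked essay. The `IdentityService` and `Service` classes, the certificate strings and the SHA-256 fingerprint binding are all constructed assumptions that stand in for the real components.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample credentials: stand-ins for client-certificate PEM blobs.
USER_CERT = "-----BEGIN CERTIFICATE----- user:alice (constructed) -----END CERTIFICATE-----"
COMPUTE_CERT = "-----BEGIN CERTIFICATE----- service:compute (constructed) -----END CERTIFICATE-----"
STORAGE_CERT = "-----BEGIN CERTIFICATE----- service:storage (constructed) -----END CERTIFICATE-----"


def fingerprint(cert_pem: str) -> str:
    """Stable identifier for a credential: SHA-256 over the PEM text (assumed scheme)."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    bound_to: Optional[str]  # credential fingerprint, or None for a bearer token


class IdentityService:
    """Hypothetical token issuer standing in for the identity service in the thread."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, user: str, cert_pem: Optional[str] = None) -> Token:
        # If the user authenticated with a credential, bind the token to it.
        bound = fingerprint(cert_pem) if cert_pem is not None else None
        tok = Token(secrets.token_hex(16), user, bound)
        self._tokens[tok.token_id] = tok
        return tok

    def validate(self, token_id: str, presented_cert: Optional[str]) -> Optional[Token]:
        tok = self._tokens.get(token_id)
        if tok is None:
            return None
        if tok.bound_to is None:
            return tok  # bearer token: possession of the string is sufficient
        if presented_cert is None:
            return None  # bound token presented without proof of the credential
        if not hmac.compare_digest(tok.bound_to, fingerprint(presented_cert)):
            return None  # presented credential does not match the binding
        return tok


class Service:
    """A service that validates the caller's token and may call one downstream service."""

    def __init__(self, name: str, identity: IdentityService, own_cert: str,
                 downstream: Optional["Service"] = None) -> None:
        self.name = name
        self.identity = identity
        self.own_cert = own_cert
        self.downstream = downstream

    def handle(self, token_id: str, presented_cert: Optional[str]) -> Tuple[str, str]:
        tok = self.identity.validate(token_id, presented_cert)
        if tok is None:
            return (self.name, "rejected")
        if self.downstream is not None:
            # Forward the user's token to the next hop. The only credential this
            # service can present is its own, not the user's.
            return self.downstream.handle(token_id, self.own_cert)
        return (self.name, "ok for " + tok.user)


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Exercise bearer and bound tokens directly and across a two-service workflow."""
    identity = IdentityService()
    storage = Service("storage", identity, STORAGE_CERT)          # leaf service
    compute = Service("compute", identity, COMPUTE_CERT, storage)  # calls storage

    bearer = identity.issue("alice")              # no binding
    bound = identity.issue("alice", USER_CERT)    # bound to alice's certificate

    return {
        # Bearer token: accepted from any holder, so no credential is needed.
        "bearer_direct": storage.handle(bearer.token_id, None),
        # Bound token: accepted only together with the bound credential.
        "bound_with_cert": storage.handle(bound.token_id, USER_CERT),
        "bound_without_cert": storage.handle(bound.token_id, None),
        "bound_wrong_cert": storage.handle(bound.token_id, COMPUTE_CERT),
        # Chained workflow: compute validates alice, then forwards to storage.
        "bearer_chained": compute.handle(bearer.token_id, None),
        "bound_chained": compute.handle(bound.token_id, USER_CERT),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The last two scenarios are the point of Mark's question: with a bearer token the forwarded call succeeds because storage never checks who is presenting it, and with a bound token the same forwarded call is rejected because compute can only present its own certificate. Binding closes the replay gap on the direct path, but a chained workflow then needs some explicit delegation step rather than forwarding the user's token, which is the open question the thread leaves.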