On Tue, 2013-12-10 at 15:13 +0000, Steven Hardy wrote:
> I'm just thinking it would be really great (from a user-of-keystone
> perspective) if we could avoid further fragmentation and just have one type
> of shared secret (a keystone token), which can be configured flexibly
> enough to satisfy the various use-cases?

Amen. No offense to those Keystone contributors who enjoy reading arcane academic texts and RFCs about x.509, Kerberos, and PKI, but *users and deployers* of OpenStack (and therefore users of Keystone) don't give a hoot about any of that stuff, nor should deployers and users *have to know* about the arcane underbelly of security semantics in order to use OpenStack.

All deployers want is a simple, easy-to-understand authentication mechanism that *seamlessly* integrates with other OpenStack projects.

AWS authentication works because it's simple and does its job without making life unnecessarily difficult for its users.

Best,
-jay
