Hi, I'd like to check in on this authentication mechanism. Keystone should have some kind of apiKey in order to prevent developer from storing their credential (username/password) in clear text configuration file.
There are two blueprints that can tackle this feature, yet they are both in needs of approval https://blueprints.launchpad.net/keystone/+spec/access-key-authentication https://blueprints.launchpad.net/keystone/+spec/password-rotation I believe the access-key-authentication have been superseded by the password-rotation. Meaning: * The user create a secondary password. * He can use this new password to authenticate API request with the credential_id + password. * He won't be able to login to Horizon as it will try to authenticate with the user_id + password (Keystone will match those against the "default_credential_id".) * API request like password change should be denied if the user didn't used his "default_credential_id". Did I get this right ? Best regards, Tristan
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
