On 24/08/14 23:17, Adam Young wrote:
On 08/23/2014 02:01 AM, Clint Byrum wrote:
I don't know how Zaqar does its magic, but I'd love to see simple signed
URLs rather than users/passwords. This would work for Heat as well. That
way we only have to pass in a single predictably formatted string.

Excerpts from Zane Bitter's message of 2014-08-22 14:35:38 -0700:
Here's an interesting fact about Zaqar (the project formerly known as
Marconi) that I hadn't thought about before this week: it's probably the
first OpenStack project where a major part of the API primarily faces

Nah, this is the direction we are headed.  Service users (out of LDAP!)
are going to be the norm with a recent feature add to Keytone:


Ah, excellent, thanks Adam. (BTW markup fail: "The naming of this file is essential: keystone..conf [sic] is the expected form.")

So this will solve the Authentication half of the problem. What is the recommended solution for Authorisation?

In particular, even if a service like Zaqar or Heat implements their own authorisation (e.g. the user creating a Zaqar queue supplies lists of the accounts that are allowed to read or write to it, respectively), how does the user ensure that the service accounts they create will not have access to other OpenStack APIs? IIRC the default policy.json files supplied by the various projects allow non-admin operations from any account with a role in the project.


OpenStack-dev mailing list

Reply via email to