On 06/08/2015 02:10 PM, Steve Lewis wrote:
> Monday, June 8, 2015 07:10, Adam Young wrote:
>> 2.  Delegations are long-lived affairs.  If anything is going to take
>> longer than the duration of the token, it should be in the context of a
>> delegation, and the user should re-authenticate to prove identity.
> Requiring re-authenticating to perform many tasks that involve delegation (a
> distinction that users don't understand, or care to) is a sure way to convince
> users to use short and weak passwords. Please, no.

Requiring re-authentication is not the same as requiring the user to retype their password. The user's agent re-authenticates, not the user him/herself. In the case of the CLI, that is using Env Vars, and in the case of Horizon, it is using the unscoped token that the user has in their session. For Service users, it should be X509 or Kerberos, but it will be the service password. Don't confuse the one with the other, please.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev