Hmm, ok. I am painfully about convinced that a centralized auth solution is the right choice for us.
While I'm wishing for a pony:

First of all and most of all, I want the whole thing to be open source, and managed via the OpenStack infra review process, just like the rest of the stuff managed by Monty's team.

I want it to have a web UI with a URL like https://id.openstack.org/~fallenpegasus so I can see someone's name, email addresses, Gravatar photograph, when did they join the foundation, are they (board, TC, PTL, Core (of which teams)) and since when, project participation history, IRC handles, XMPP ids, PGP key fingerprints, social media URLs, Launchpad id, GitHub id, and Ohloh account.

I want it to have, via some API, all the employer history tracking that is currently contained and duplicated in various data files in the gitdm project and stackalytics project.

I want it to do LDAP, vCard, and PoCo, and make all that data I wished for the past few paragraphs available over those APIs.

I want it to do OpenID and OpenID Connect (for the web apps), and a good backend to SASL (for the non-web apps).

And I want it to support standard OATH TOTP 2-factor auth.

AND And I want world peace. :)

..m

Mark Atwood <[email protected]>
Director of Open Source Engagement for HP Cloud Services
M +1-206-473-7118

> -----Original Message-----
> From: Jeremy Stanley [mailto:[email protected]]
> Sent: Wednesday, September 25, 2013 7:20 PM
> To: [email protected]
> Subject: Re: [OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.
>
> On 2013-09-24 16:39:44 -0700 (-0700), Ryan Lane wrote:
> [...]
> > If every application is provider agnostic each one of them will have
> > their own OpenID consumer interface. This means it's necessary to make
> > all of them look the same, which requires modifying a lot of
> > applications. Adding different auth mechanisms (like persona) means
> > adding it to every single application, too.
> [...]
>
> This reminds me of yet another point in favor of centralization.
> We want to be able to correlate information between a user's account
> in various distributed systems where there is currently no cross-system
> index mapping them to one another. If all of them use a common OpenID
> provider then we can key on that, but if they're provider-agnostic then
> at least some subset of users will authenticate to systems with more
> than one (potentially to different systems with different providers).
>
> Also not mentioned yet in these threads, but one of the reasons it was
> suggested to run our own provider is that we have some services which
> are not "Web apps" (so not well-suited to OpenID), and we'd like to be
> able to tie other auth protocols into the same backend eventually to
> support those systems as well.
> --
> Jeremy Stanley
>
> _______________________________________________
> OpenStack-Infra mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
