On 2015-04-23 22:58:50 +0300 (+0300), Sergey Slypushenko wrote: > We decided to change authorization with OpenID creds to auth with > pubkeys for CLI client. It is a single reason why refstack needs > pubkeys management. So, here we don't discuss a way how to manage > pubkeys with OpenStackID. I mentioned pubkeys only as a > alternative for CLI auth. It would be great if some other > appropriate alternative exists.
Eventually, we might be able to consider something like bridging OAuth to Kerberos[1][2] for supporting various client applications, or exposing some data from OpenStackID via LDAP which can be used by services like OpenSSH[3] for key lookup. In the meantime though, I think it's perfectly fine to punt on the non-Web-oriented authentication problem and handle things like SSH authorized keys directly within the consuming application. As mentioned earlier, we're stuck doing that with Gerrit for the foreseeable future. [1] https://tools.ietf.org/html/draft-hardjono-oauth-kerberos-01 [2] http://css.csail.mit.edu/6.858/2014/projects/kanter-bcyphers-bfaviero-jpeebles.pdf [3] https://pypi.python.org/pypi/ssh-ldap-pubkey/0.2.2 -- Jeremy Stanley _______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
