Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-09-02 Thread Adam Young
On 08/25/2014 10:49 AM, Zane Bitter wrote: On 24/08/14 23:17, Adam Young wrote: On 08/23/2014 02:01 AM, Clint Byrum wrote: I don't know how Zaqar does its magic, but I'd love to see simple signed URLs rather than users/passwords. This would work for Heat as well. That way we only have to

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-27 Thread Kurt Griffiths
On 8/25/14, 9:50 AM, Ryan Brown rybr...@redhat.com wrote: I'm actually quite partial to roles because, in my experience, service accounts rarely have their credentials rotated more than once per eon. Having the ability to let instances grab tokens would certainly help Heat, especially if we start

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-27 Thread Ryan Brown
On 08/27/2014 12:15 PM, Kurt Griffiths wrote: On 8/25/14, 9:50 AM, Ryan Brown rybr...@redhat.com wrote: I'm actually quite partial to roles because, in my experience, service accounts rarely have their credentials rotated more than once per eon. Having the ability to let instances grab

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-27 Thread Zane Bitter
On 27/08/14 12:15, Kurt Griffiths wrote: On 8/25/14, 9:50 AM, Ryan Brown rybr...@redhat.com wrote: I'm actually quite partial to roles because, in my experience, service accounts rarely have their credentials rotated more than once per eon. Having the ability to let instances grab tokens would

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-27 Thread Clint Byrum
Excerpts from Adam Young's message of 2014-08-24 20:17:34 -0700: On 08/23/2014 02:01 AM, Clint Byrum wrote: I don't know how Zaqar does its magic, but I'd love to see simple signed URLs rather than users/passwords. This would work for Heat as well. That way we only have to pass in a single

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-25 Thread Zane Bitter
On 24/08/14 23:17, Adam Young wrote: On 08/23/2014 02:01 AM, Clint Byrum wrote: I don't know how Zaqar does its magic, but I'd love to see simple signed URLs rather than users/passwords. This would work for Heat as well. That way we only have to pass in a single predictably formatted string.

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-25 Thread Ryan Brown
On 08/22/2014 05:35 PM, Zane Bitter wrote: On AWS the very first thing a user does is create a bunch of IAM accounts so that they virtually never have to use the credentials associated with their natural person ever again. There are both user accounts and service accounts - the latter IIUC

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-24 Thread Adam Young
On 08/23/2014 02:01 AM, Clint Byrum wrote: I don't know how Zaqar does its magic, but I'd love to see simple signed URLs rather than users/passwords. This would work for Heat as well. That way we only have to pass in a single predictably formatted string. Excerpts from Zane Bitter's message of

Re: [openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-23 Thread Clint Byrum
I don't know how Zaqar does its magic, but I'd love to see simple signed URLs rather than users/passwords. This would work for Heat as well. That way we only have to pass in a single predictably formatted string. Excerpts from Zane Bitter's message of 2014-08-22 14:35:38 -0700: Here's an

[openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

2014-08-22 Thread Zane Bitter
Here's an interesting fact about Zaqar (the project formerly known as Marconi) that I hadn't thought about before this week: it's probably the first OpenStack project where a major part of the API primarily faces software running in the cloud rather than facing the user. That is to say,