Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-06-03 Thread Colleen Murphy
On Wed, May 17, 2017 at 12:21 AM, Monty Taylor wrote: > On 05/16/2017 02:44 PM, Sean Dague wrote: > >> On 05/16/2017 03:40 PM, Monty Taylor wrote: >> >>> On 05/16/2017 10:20 AM, Doug Hellmann wrote: >>> Excerpts from Chris Dent's message of 2017-05-16 15:16:08 +0100:

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Zane Bitter
On 18/05/17 09:23, Monty Taylor wrote: But think of the following use cases: As a user, I want to make an API key that I'm going to use for general automation just like I use my Password auth plugin based user account today. I want it to be able to do everything I can do today - but I value

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Monty Taylor
On 05/18/2017 04:32 PM, Zane Bitter wrote: On 18/05/17 07:53, Sean Dague wrote: My worry about policy also is that I'm not sure how safe it is for a project owned API key to inherit permissions from the user who created it. I can't think of a better way to do it though but I'm still slightly

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Zane Bitter
On 18/05/17 07:53, Sean Dague wrote: My worry about policy also is that I'm not sure how safe it is for a project owned API key to inherit permissions from the user who created it. I can't think of a better way to do it though but I'm still slightly uncomfortable with it since a user with more

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Lance Bragstad
I followed up with Sean in IRC [0]. My last note about rebuilding role assignment dynamically doesn't really make sense. I was approaching this from a different perspective. [0] http://eavesdrop.openstack.org/irclogs/%23openstack-dev/%23openstack-dev.2017-05-18.log.html#t2017-05-18T15:20:32 On

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Lance Bragstad
On Thu, May 18, 2017 at 8:45 AM, Sean Dague wrote: > On 05/18/2017 09:27 AM, Doug Hellmann wrote: > > Excerpts from Adrian Turjak's message of 2017-05-18 13:34:56 +1200: > > > >> Fully agree that expecting users of a particular cloud to understand how > >> the policy stuff works

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Sean Dague
On 05/18/2017 09:27 AM, Doug Hellmann wrote: > Excerpts from Adrian Turjak's message of 2017-05-18 13:34:56 +1200: > >> Fully agree that expecting users of a particular cloud to understand how >> the policy stuff works is pointless, but it does fall on the cloud >> provider to educate and

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Doug Hellmann
Excerpts from Adrian Turjak's message of 2017-05-18 13:34:56 +1200: > Fully agree that expecting users of a particular cloud to understand how > the policy stuff works is pointless, but it does fall on the cloud > provider to educate and document their roles and the permissions of > those roles.

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Monty Taylor
On 05/18/2017 06:53 AM, Sean Dague wrote: On 05/17/2017 09:34 PM, Adrian Turjak wrote: On 17/05/17 23:20, Sean Dague wrote: On 05/16/2017 07:34 PM, Adrian Turjak wrote: Anyway that aside, I'm sold on API keys as a concept in this case provided they are project owned rather than user owned,

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-18 Thread Sean Dague
On 05/17/2017 09:34 PM, Adrian Turjak wrote: > > > On 17/05/17 23:20, Sean Dague wrote: >> On 05/16/2017 07:34 PM, Adrian Turjak wrote: >> >>> Anyway that aside, I'm sold on API keys as a concept in this case >>> provided they are project owned rather than user owned, I just don't >>> think we

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-17 Thread Adrian Turjak
On 17/05/17 23:20, Sean Dague wrote: > On 05/16/2017 07:34 PM, Adrian Turjak wrote: > >> Anyway that aside, I'm sold on API keys as a concept in this case >> provided they are project owned rather than user owned, I just don't >> think we should make them too unique, and we shouldn't be giving

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-17 Thread Sean Dague
On 05/16/2017 08:08 PM, Zane Bitter wrote: > On 16/05/17 01:06, Colleen Murphy wrote: >> Additionally, I think OAuth - either extending the existing OAuth1.0 >> plugin or implementing OAuth2.0 - should probably be on the table. > > I believe that OAuth is not a good fit for long-lived things like

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-17 Thread Sean Dague
On 05/16/2017 07:34 PM, Adrian Turjak wrote: > Anyway that aside, I'm sold on API keys as a concept in this case > provided they are project owned rather than user owned, I just don't > think we should make them too unique, and we shouldn't be giving them a > unique policy system because that way

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Zane Bitter
On 16/05/17 01:06, Colleen Murphy wrote: Additionally, I think OAuth - either extending the existing OAuth1.0 plugin or implementing OAuth2.0 - should probably be on the table. I believe that OAuth is not a good fit for long-lived things like an application needing to communicate with its own

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Zane Bitter
On 15/05/17 20:07, Adrian Turjak wrote: On 16/05/17 01:09, Lance Bragstad wrote: On Sun, May 14, 2017 at 11:59 AM, Monty Taylor wrote: On 05/11/2017 02:32 PM, Lance Bragstad wrote: Hey all, One of the Baremetal/VM

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Adrian Turjak
On 16/05/17 22:39, Sean Dague wrote: > On 05/15/2017 10:00 PM, Adrian Turjak wrote: >> I'm well aware of the policy work, and it is fantastic to see it >> progressing! I can't wait to actually be able to play with that stuff! >> We've been painstakingly tweaking the json policy files which is a

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Monty Taylor
On 05/16/2017 02:44 PM, Sean Dague wrote: On 05/16/2017 03:40 PM, Monty Taylor wrote: On 05/16/2017 10:20 AM, Doug Hellmann wrote: Excerpts from Chris Dent's message of 2017-05-16 15:16:08 +0100: On Tue, 16 May 2017, Monty Taylor wrote: FWIW - I'm un-crazy about the term API Key - but I'm

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Sean Dague
On 05/16/2017 03:40 PM, Monty Taylor wrote: > On 05/16/2017 10:20 AM, Doug Hellmann wrote: >> Excerpts from Chris Dent's message of 2017-05-16 15:16:08 +0100: >>> On Tue, 16 May 2017, Monty Taylor wrote: >>> FWIW - I'm un-crazy about the term API Key - but I'm gonna just roll with

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Monty Taylor
On 05/16/2017 10:20 AM, Doug Hellmann wrote: Excerpts from Chris Dent's message of 2017-05-16 15:16:08 +0100: On Tue, 16 May 2017, Monty Taylor wrote: FWIW - I'm un-crazy about the term API Key - but I'm gonna just roll with that until someone has a better idea. I'm uncrazy about it for two

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Doug Hellmann
Excerpts from Chris Dent's message of 2017-05-16 15:16:08 +0100: > On Tue, 16 May 2017, Monty Taylor wrote: > > > FWIW - I'm un-crazy about the term API Key - but I'm gonna just roll with > > that until someone has a better idea. I'm uncrazy about it for two reasons: > > > > a) the word "key"

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Lance Bragstad
On Tue, May 16, 2017 at 8:54 AM, Monty Taylor wrote: > On 05/16/2017 05:39 AM, Sean Dague wrote: > >> On 05/15/2017 10:00 PM, Adrian Turjak wrote: >> >>> >>> >>> On 16/05/17 13:29, Lance Bragstad wrote: >>> On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Chris Dent
On Tue, 16 May 2017, Monty Taylor wrote: FWIW - I'm un-crazy about the term API Key - but I'm gonna just roll with that until someone has a better idea. I'm uncrazy about it for two reasons: a) the word "key" implies things to people that may or may not be true here. If we do stick with it -

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Monty Taylor
On 05/16/2017 05:39 AM, Sean Dague wrote: On 05/15/2017 10:00 PM, Adrian Turjak wrote: On 16/05/17 13:29, Lance Bragstad wrote: On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak wrote: Based on the specs that are currently up

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-16 Thread Sean Dague
On 05/15/2017 10:00 PM, Adrian Turjak wrote: > > > On 16/05/17 13:29, Lance Bragstad wrote: >> >> >> On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak >> > wrote: >> Based on the specs that are currently up in Keystone-specs, I >>

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Colleen Murphy
On Sun, May 14, 2017 at 6:59 PM, Monty Taylor wrote: > On 05/11/2017 02:32 PM, Lance Bragstad wrote: > >> Hey all, >> >> One of the Baremetal/VM sessions at the summit focused on what we need >> to do to make OpenStack more consumable for application developers [0]. >> As a

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Adrian Turjak
On 16/05/17 16:13, Colleen Murphy wrote: > On Tue, May 16, 2017 at 2:07 AM, Adrian Turjak > > wrote: > > > > Tangentially related to this (because my reasons are different), > on our cloud I'm actually working on something like

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Colleen Murphy
On Tue, May 16, 2017 at 2:07 AM, Adrian Turjak wrote: > > > Tangentially related to this (because my reasons are different), on our > cloud I'm actually working on something like this, but under the hood all > I'm doing is creating a user with a generated password and

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Adrian Turjak
On 16/05/17 14:00, Adrian Turjak wrote: > > On 16/05/17 13:29, Lance Bragstad wrote: >> >> >> On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak >> > wrote: >> >> >> On 16/05/17 01:09, Lance Bragstad wrote: >>> >>> >>> On Sun, May 14,

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Adrian Turjak
On 16/05/17 13:29, Lance Bragstad wrote: > > > On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak > > wrote: > > > On 16/05/17 01:09, Lance Bragstad wrote: >> >> >> On Sun, May 14, 2017 at 11:59 AM, Monty Taylor >>

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Lance Bragstad
On Mon, May 15, 2017 at 7:07 PM, Adrian Turjak wrote: > > On 16/05/17 01:09, Lance Bragstad wrote: > > > > On Sun, May 14, 2017 at 11:59 AM, Monty Taylor > wrote: > >> On 05/11/2017 02:32 PM, Lance Bragstad wrote: >> >>> Hey all, >>> >>> One of the

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Adrian Turjak
On 16/05/17 01:09, Lance Bragstad wrote: > > > On Sun, May 14, 2017 at 11:59 AM, Monty Taylor > wrote: > > On 05/11/2017 02:32 PM, Lance Bragstad wrote: > > Hey all, > > One of the Baremetal/VM sessions at the summit focused

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-15 Thread Lance Bragstad
On Sun, May 14, 2017 at 11:59 AM, Monty Taylor wrote: > On 05/11/2017 02:32 PM, Lance Bragstad wrote: > >> Hey all, >> >> One of the Baremetal/VM sessions at the summit focused on what we need >> to do to make OpenStack more consumable for application developers [0]. >> As

Re: [openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-14 Thread Monty Taylor
On 05/11/2017 02:32 PM, Lance Bragstad wrote: Hey all, One of the Baremetal/VM sessions at the summit focused on what we need to do to make OpenStack more consumable for application developers [0]. As a group we recognized the need for application specific passwords or API keys and nearly

[openstack-dev] [all][keystone][product] api keys/application specific passwords

2017-05-11 Thread Lance Bragstad
Hey all, One of the Baremetal/VM sessions at the summit focused on what we need to do to make OpenStack more consumable for application developers [0]. As a group we recognized the need for application specific passwords or API keys and nearly everyone (above 85% is my best guess) in the session