On 27 June 2013 04:55, Adam Young <[email protected]> wrote:
> Right now Keystone provides so-called bearer tokens: This means that whoever
> has a token can do whatever the token entitles him to do. If I
> manage to get somebody's token I can do whatever this person is able to do.
> To fix it, the other services that use tokens to:
>
> 1. Authenticate the identity
> 2. Match the name in the token to the identity that authenticated the
> connection.

I am confused: HTTP is a message-orientated protocol, connection-based
authentication is a terrible antipattern. Do you really mean 'connection'
here?

> If the names match then you can be sure that the user that connected to the
> service and presented a token is the same user that acquired the token from
> keystone in the first place.

That would prevent the use case of 'create a token and hand it off' which
AIUI Heat depends on/will depend on.

> To make this happen we need to add authentication to the connections between
> clients and services.

Again, if you mean actual TCP Connection here then this design is deeply
flawed. What's the actual problem we're trying to solve (vs this proposed
solution)?

-Rob

--
Robert Collins <[email protected]>
Distinguished Technologist
HP Cloud Services

_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
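The distinction the two posts argue over, worked as an added example that is not part of the thread and is not Keystone's or Heat's code: a per-request check that compares the principal named in a token with the identity that authenticated the request itself (a verified client certificate or verified request signature, rather than the TCP connection), contrasted with plain bearer semantics. The `Token` and `Request` fields, the `delegate_to` attribute used to keep the "create a token and hand it off" case working, and all identities are constructed assumptions, not Keystone's real token format.

```python
"""Added example: binding a token to the identity that authenticated each
request, versus bearer semantics. Constructed data; field names are an
assumption, not Keystone's token format."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a service token (hypothetical fields)."""
    token_id: str
    user_id: str                     # principal the token was issued to
    roles: tuple = ()
    # Hypothetical: a principal the owner explicitly allows to present
    # this token on their behalf (the Heat-style hand-off case).
    delegate_to: Optional[str] = None


@dataclass(frozen=True)
class Request:
    """One HTTP message: the token it carries plus the identity that
    authenticated this message (e.g. a verified client certificate).
    None means the message was not independently authenticated, i.e.
    the token is being used purely as a bearer credential."""
    token: Token
    authenticated_user: Optional[str]


def check_bearer(req: Request) -> tuple[bool, str]:
    """Bearer semantics: possession of a valid token is sufficient, so a
    token obtained by anyone is accepted from anyone."""
    return True, "accepted: bearer token, presenter not checked"


def check_bound(req: Request) -> tuple[bool, str]:
    """Bound semantics: the token's user must match the identity that
    authenticated the request. A hand-off to a third party is rejected
    unless the token names that party as its delegate."""
    if req.authenticated_user is None:
        return False, "rejected: request carries no authenticated identity"
    if req.authenticated_user == req.token.user_id:
        return True, "accepted: presenter matches token owner"
    if req.token.delegate_to == req.authenticated_user:
        return True, "accepted: presenter is the token's named delegate"
    return False, (
        f"rejected: token belongs to {req.token.user_id!r} but was "
        f"presented by {req.authenticated_user!r}"
    )


def demo() -> dict[str, tuple[bool, str]]:
    """Run the cases the thread discusses and return each verdict."""
    alice_token = Token("tok-1", "alice", ("member",))
    delegated = Token("tok-2", "alice", ("member",), delegate_to="heat-svc")
    return {
        # owner presents their own token over an authenticated request
        "owner_presents": check_bound(Request(alice_token, "alice")),
        # someone else got hold of the token: bound check catches it
        "other_presenter": check_bound(Request(alice_token, "other-user")),
        # the hand-off Rob raises: rejected by a naive bound check ...
        "handoff_plain": check_bound(Request(alice_token, "heat-svc")),
        # ... but allowed when the token explicitly names the delegate
        "handoff_delegated": check_bound(Request(delegated, "heat-svc")),
        # bearer semantics accept the same token from an unauthenticated
        # presenter, which is the exposure Adam describes
        "bearer_anyone": check_bearer(Request(alice_token, None)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} {'OK' if ok else 'NO'}  {why}")
```

The check is evaluated per message, so nothing here depends on the TCP connection staying open or on connection-level state; each request must carry (or be accompanied by) its own authenticated identity. The `delegate_to` branch is one way to preserve the hand-off use case under bound semantics, at the cost of the issuer having to know the delegate when the token is minted.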
