Hi Mike,

On Thu, Mar 03, 2011 at 12:33:11PM -0800, Michael Mayo wrote:
> Here are my thoughts, as a client developer:
>
> 1. Hit auth server first for token, then hit compute and storage endpoints
>
> 2. Signed requests
> This is a little more painful from a development standpoint, but it's not
> really that big of a deal. The only downside to this approach is that
> it's not curl or browser friendly. However, the upside of preventing
> replay attacks is pretty valuable.

Signatures don't prevent replay attacks, they are instead the only
thing you can do when the request can be seen by a third party (for
some time period assuming we use time-based signatures). If we force
SSL use (and this goes for all methods), we have much less to worry
about for any kind of attack.

> 3. HTTP Basic
> HTTP Basic is great because it's super easy to use and it's curl and
> browser friendly. However, replay attacks are possible so you open
> yourself up to a security issue there.
>
> My Vote (Assuming I Actually Have One)

Well, basic (and token for that matter) are not limited to replay
attacks. With a token or basic auth you can do anything you want.
Again, SSL is the solution for both here.

> I think signed requests are the best option since it's more secure than
> HTTP Basic. We could make an oscurl command line tool that would sign a
> request and behave exactly like curl. That shouldn't be too hard. But if
> that can't happen, HTTP Basic is the next best choice. Requiring API
> users to get a new auth token every n hours via an auth endpoint kind of
> sucks, especially from a mobile client perspective.

I agree the token round-trip may not be the best for mobile apps,
but they can at least be cached. We're also getting something else
with a token server though: service discovery (via service URL
headers returned with token). This can be important for
auto-configuring apps since you can simply enter an auth URL and the
app will find out which services to expose and what the URLs for
each service are.

-Eric

> On Mar 3, 2011, at 9:04 AM, Jorge Williams wrote:
>
> > I agree with Greg here. Signatures complicate life for our clients,
> they are not browser friendly, and I'm not really convinced that we need
> them. If we are going to have a default (and I think that we should) it
> should be dead simple to integrate with. I would vote for basic auth
> with https.
> >
> > -jOrGe W.
> >
> > On Mar 3, 2011, at 9:40 AM, Greg wrote:
> >
> > On Mar 2, 2011, at 8:30 PM, Jesse Andrews wrote:
> >
> > I would prefer a signature based approach as the default (as
> signatures limit replay attacks; tokens allow an eavesdropper to
> make arbitrary requests if they obtain a token).
> >
> > On the other hand, signatures make simple things difficult, such as
> quick curl requests, dev testing, etc. The usual tradeoff of security
> and convenience.
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
>
> Mike Mayo
> 901-299-9306
> @greenisus
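
Added example (not part of the original thread and not OpenStack code): a minimal time-based HMAC request signature, illustrating the point discussed above that a captured signed request still replays inside the validity window unless the server also tracks nonces, while the captured request cannot be altered. The key, the 300-second window, the nonce field and the request path are assumptions constructed for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the thread
WINDOW = 300                         # assumed validity window, in seconds

def sign(method, path, timestamp, nonce, key=SECRET):
    """Client side: HMAC-SHA256 over the request fields, a timestamp and a nonce."""
    msg = "\n".join([method, path, str(timestamp), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: checks signature, time window and (optionally) nonce reuse."""
    def __init__(self, track_nonces, key=SECRET):
        self.track_nonces = track_nonces
        self.key = key
        self.seen = {}  # nonce -> signed timestamp it arrived with

    def check(self, req, now):
        expected = sign(req["method"], req["path"], req["ts"], req["nonce"], self.key)
        if not hmac.compare_digest(expected, req["sig"]):
            return "bad-signature"
        if abs(now - req["ts"]) > WINDOW:
            return "expired"
        if self.track_nonces:
            # Forget nonces whose requests would fail the window check anyway.
            self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= WINDOW}
            if req["nonce"] in self.seen:
                return "replayed"
            self.seen[req["nonce"]] = req["ts"]
        return "ok"

def make_request(method, path, ts, nonce):
    return {"method": method, "path": path, "ts": ts, "nonce": nonce,
            "sig": sign(method, path, ts, nonce)}

def demo():
    t0 = 1299184391  # constructed timestamp
    req = make_request("DELETE", "/v1/servers/42", t0, "n-0001")  # constructed request
    tampered = dict(req, path="/v1/servers/43")  # same signature, different target
    time_only, with_nonces = Verifier(False), Verifier(True)
    return {
        "first": time_only.check(req, t0 + 1),
        "replay_in_window": time_only.check(req, t0 + 60),
        "replay_after_window": time_only.check(req, t0 + 301),
        "tampered": time_only.check(tampered, t0 + 1),
        "nonce_first": with_nonces.check(req, t0 + 1),
        "nonce_replay": with_nonces.check(req, t0 + 60),
    }
```

Calling `demo()` returns the verdict for each case: the time-only verifier accepts the identical request twice within the window, and only the nonce-tracking verifier reports the second copy as replayed.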