On Thu, Mar 03, 2011 at 12:03:28PM -0800, Vishvananda Ishaya wrote:
> Rationale: Openstack components need a common solution for Authentication
> (authn) and Authorization (authz). Mailing list discussions tend to devolve
> into hypotheticals, so we decided to put together a proposal and prototype,
> so we all see the proposed system in action.

Yeah, as I stated in the Etherpad, I think there is still a lot of value in mailing list discussions. I think we reached a healthy level of discussion to start putting it into code, which you guys were a little ahead on. :) I'm not saying the ML is the most efficient place for discussions (far from it), but until we get efficient virtual whiteboards and watercoolers it's the best we have.

> http://plansthis.com/auth

First, why not on http://etherpad.openstack.org/? :)

Overall I think this is a great start. The main things I think need to be addressed are:

* The owner account (who you are acting on behalf of) doesn't need to be in the token and shouldn't be required for requests. The request should be self-contained and specify who the owner of the resource is. Of course it can be optional if the auth middleware sets a default owner context for the request, but we shouldn't rely on that alone for the owner in requests.

* I know this may not be in the scope of the first branch, but removing the user and project entities and replacing it with a single "account" entity with relations to other accounts is pretty high on my list for being able to reuse it in other services.

* Eventually splitting this out to openstack-common (post cactus as we discussed) so it can easily be consumed by other services.

-Eric