Please note: This schedule is for OpenStack Active Technical Contributors participating in the Icehouse Design Summit sessions in Hong Kong. These are working sessions to determine the roadmap of the Icehouse release and make decisions across the project. To see the full OpenStack Summit schedule, including presentations, panels and workshops, go to http://openstacksummitnovember2013.sched.org.
In the havana release, we added OAuth 1.0a support to keystone; I received a lot of suggestions to enhance this feature. The point of this session is to vet those suggestions and gauge participant interest.
Another goal of the session is a two-parter, 1) Quickly establish the differences between oauth and trusts for the crowd. And 2) See if there are any other delegation models, or a way to wrap oauth and trusts, so they are not completely different code paths.
Future OAuth work suggestions: - Changing the token secret to be a hash of information, rather than just uuid. Dolphm already has a prototype working. The point of this is that it could be used offline. - Adding a web UI, pretty self-explanatory, this would make using the oauth delegation mechanism much easier. Would this go directly into horizon? Or can this exist in keystone? - Using policy config files to assert delegation. ayoung suggested that if we let Keystone parse the policy config files it is handed. Keystone would then be able to deduce what a give token would be allowed to do. THen, instead of delegating a whole a role, a user could delegate the ability to execute individual api functions. Then, a token could say: only let the bearer execute function X on Nova. - Moving to a newer and better library, oauthlib. Near the end of the release, there were some concerns brought up about the current library being used.
