Greetings all - was suggested I might be able to ask a question here, I'll go back to lurking if not!
There are a lot of ways to solve the problem of authenticating to hundreds of disposable systems. The method I'm currently putting in place during our move from Slicehost to EC2 is to set up a multi-master 389 Directory Server. I'm using openssh-lpk, which was originally an old patch that never got in to the official openssh package but that is becoming a helper daemon (instead of a patch) as of Fedora14. I installed the Fed14 packages on my Fed13 instance; I'm a bad person. What I can then do is put public keys for users in the directory server, and then - since the AMI is set up to ask my ldap server for info - viola! Brand new instances can already be key-auth'd by brand new accounts, without creating the account on the other side (and thus, without putting the key in authorized_hosts), in a way that is dynamic enough that I can add/revoke auth to any number of instances within seconds. There's more to it than what I've said, but hopefully you get the idea.
I had to mostly just do it all with little guidance (not a big deal, but I like using tested methods...) as I didn't find much "out there" about authing to a cloud. Is documentation about what I've done the sort of thing in which Cloud SIG would be interested? Most such documentation is currently found in snippets of someone's blog somewhere; there are many necessary incidentals to making cloud computing successful for an enterprise, so it would seem they'd be better addressed, especially for small/mid-sized companies that don't need complicated setups. Things like cfengine seem somehow...innappropriate...for disposable systems that are going to created in a "blessed" state anyway, and only need minor tweeks.
On that note, is Cloud SIG working on gathering documentation of the "making a Cloud useful, once it exists" variety?
ps - I mentioned it to gholms already via email, but the official python package for Slicehost (pyactiveresource) is not yet a fedora package; should it be one? Or is it simple enough that it's assumed someone will just pip install it, if needed?