wrt authentication...
I think users should authenticate against libcloud, using a pluggable auth method. CompanyOne might have it wired up to LDAP for users to auth. CompanyTwo might use Kerb or RSA or whatever. CompanyThree might use a libcloud-specific Users table with local password hashes stored for use only with libcloud.
Then a strategy to map inbound consumers of libcloud to outbound credentials for the various backend drivers. CompanyOne might have a 1:1 mapping of libcloud user to back-end user. For instance, sending *my* particularly EC2 credentials out with commands to EC2. CompanyOne handles 230 people sending in monthly expense reports for their individual AWS bills.
CompanyTwo might have a many:1 mapping, where "bob" logs into libcloud, but uses a singular corporate-wide credential to fire up stuff on EC2. libcloud tracks the accounting for that. While A/P pays a single bill for $2000, they know that "bob" used $42 of it.
CompanyThree might have a dept:1 mapping, where "bob" is a member of JBoss, and uses JBoss EC2 creds, and "bryan" is a member of 'Red Hat' and uses Red Hat creds. That results in a bill from AWS for each department, instead of individual.
Some backends may require no authentication, where libcloud is the sole source of accounting. For internal datacenter clouds, for instance, running VMware ESXi of vSphere or whatever. "bob" used 400 hours of CPU time, and his department's budget is reduced by some arbitrarily determined "cost" per CPU hour.
Depending on the proxying strategy chosen, all users may already be enrolled in the clouds, or they may have to inform libcloud "here are *my* credentials for a particular backend" before that provider is enabled for them.
Next layer up, libcloud could restrict some users from using some backends. Maybe everyone can use the EC2 backend, but only IT can use the internal production cloud backend.
Which also brings up another point, which I think might relate to "clusters" in RHEV-M if I understand them correctly. While we might have "the RHEV-M driver", which may have different clouds powered by that driver. The QA cluster, the IT production cluster, etc. That can wait for v2 of libcloud, though. :)
-Bob