On 04/27/2015 12:50 PM, Dennis Gilmore wrote:
> On Monday, April 27, 2015 06:23:38 PM Pierre-Yves Chibon wrote:
> > On Mon, Apr 27, 2015 at 05:59:14PM +0200, Till Maas wrote:
> >> On Mon, Apr 27, 2015 at 03:45:00PM +0200, Pierre-Yves Chibon wrote:
> [snip]
> >>> On the other side, recently we have been more and more feeling the need
> >>> for a centralized API authentication place. Something along the line of
> >>> a personalized OAuth. This has also pros and cons.
> >>>
> >>> pros
> >>>
> >>> - API token per user and per application
> >>
> >> This is something I would like very much, but also with a fine-grained
> >> permissions system. E.g. allowing to create a token that can only be
> >> used to retire pkgs in pkgdb could be used to automate retiring pkgs
> >> without using credentials that can also do everything else.
> >
> > This is really something that would be cool to get :)
> This is not something that can really be done with certs etc.; it would require
> a fundamental change in how all the tools deal with permissions.
Why isn't this possible with certs? Seems like an application/tools
authorization problem, not an authentication mechanism problem. One of
my workplaces had an internal system for distributing certs that
provided access for users and service accounts. The ou/cn/dn/groups
system has all the semantics you need to express complex permissions.
API tokens don't give delegation/permissions for free, though I do admit
that certificate expiry leaves...things to be desired.
--
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
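The two authorization models argued over in this thread, written out as an added example (not code from any Fedora infrastructure project or from the people quoted above): a token store that issues per-user, per-application tokens carrying an explicit set of permitted actions, so a "retire-only" token is refused for anything else, beside a certificate-based policy where permissions attach to the subject's OU/group rather than to the credential. The scope names (`pkgdb:retire`, `pkgdb:orphan`), the application label `retire-bot`, and the subject strings are constructed for illustration; the subject parser is a simplified split on commas and does not handle escaped separators.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Token:
    user: str
    application: str      # the tool this token was issued to (constructed label)
    scopes: frozenset     # permitted actions, e.g. {"pkgdb:retire"}; all else denied
    expires: datetime


class TokenStore:
    """Per-user, per-application tokens with explicit scopes.

    Only the SHA-256 of each secret is kept server-side, so a copy of the
    store does not yield usable tokens. The clock is injectable for tests."""

    def __init__(self, now=None):
        self._by_digest = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user, application, scopes, ttl=timedelta(days=30)):
        secret = secrets.token_urlsafe(32)
        self._by_digest[self._digest(secret)] = Token(
            user, application, frozenset(scopes), self._now() + ttl)
        return secret  # shown to the user once; never stored in clear

    def authorize(self, secret, action):
        """Return (allowed, reason). Denies on unknown token, expiry, or a
        missing scope, so a retire-only token cannot do anything else."""
        tok = self._by_digest.get(self._digest(secret))
        if tok is None:
            return False, "unknown token"
        if self._now() >= tok.expires:
            return False, "token expired"
        if action not in tok.scopes:
            return False, f"scope {action!r} not granted to {tok.application}"
        return True, f"{tok.user} via {tok.application}"


def parse_subject(dn):
    """Split an X.509 subject string like 'CN=till,OU=packagers,O=Fedora'
    into attribute -> list of values. Simplified: no escaped commas."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        attrs.setdefault(key.upper(), []).append(value)
    return attrs


class CertPolicy:
    """Certificate-based authorization: actions hang off the subject's OU
    (group), so every cert in a group carries the same set of actions."""

    def __init__(self, ou_actions):
        self._ou_actions = {ou: frozenset(a) for ou, a in ou_actions.items()}

    def authorize(self, subject_dn, action):
        attrs = parse_subject(subject_dn)
        for ou in attrs.get("OU", []):
            if action in self._ou_actions.get(ou, ()):
                return True, f"{attrs.get('CN', ['?'])[0]} via OU={ou}"
        return False, f"no OU of {subject_dn!r} grants {action!r}"


def demo():
    """Run both models on constructed input and return the decisions."""
    clock = [datetime(2015, 4, 27, tzinfo=timezone.utc)]
    store = TokenStore(now=lambda: clock[0])
    retire_only = store.issue("till", "retire-bot", {"pkgdb:retire"},
                              ttl=timedelta(days=1))
    results = {
        "retire_with_retire_token": store.authorize(retire_only, "pkgdb:retire")[0],
        "orphan_with_retire_token": store.authorize(retire_only, "pkgdb:orphan")[0],
        "unknown_token": store.authorize("not-a-token", "pkgdb:retire")[0],
    }
    clock[0] += timedelta(days=2)   # move past the token's expiry
    results["retire_after_expiry"] = store.authorize(retire_only, "pkgdb:retire")[0]

    policy = CertPolicy({"packagers": ["pkgdb:retire", "pkgdb:orphan"]})
    packager = "CN=till,OU=packagers,O=Fedora Project"
    results["cert_retire"] = policy.authorize(packager, "pkgdb:retire")[0]
    results["cert_orphan"] = policy.authorize(packager, "pkgdb:orphan")[0]
    results["cert_outside_group"] = policy.authorize(
        "CN=guest,OU=users,O=Fedora Project", "pkgdb:retire")[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'allowed' if allowed else 'denied'}")
```

The contrast the example makes concrete: with the token model a credential can be narrowed to a single action and a single calling application, while with the certificate model the decision rests on which group the subject belongs to, so narrowing a credential to one action means defining a group for that one action. Either way the per-action check lives in the application, which is the point made about this being an authorization rather than an authentication question.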