[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Authenticate APIs ?



On Mon, Jan 15, 2007 at 08:50:47PM +0000, Mark McLoughlin wrote:
> On Thu, 2007-01-11 at 00:39 +0000, Daniel P. Berrange wrote:
> 
> > Finally, one could simply say, this is all rather complicated, why don't
> > we just use a simple username+password for everything. While this would
> > be nice from a coding POV, I think we need to be forward looking and 
> > ensure we're setup to cope with things like Kerberos single-sign-on.
> > This is why I'm looking at SASL for the QEMU authentication process - if
> > you use libsasl.so you're app doesn't even need to know what auth method
> > it is using - the admin can simple create an appropriate config file 
> > for sasl, and bingo you're fully kerberized & single sign-on capable.
> 
> 	SASL and all it entails does seem like the only sane approach.
> 
> 	Perhaps look at the D-Bus API ... I vaguely remember being impressed at
> the work Havoc did with SASL in D-BUS.

This is a joke, right :-)  D-Bus auth protocol was indeed designed to allow
a SASL impl to be dropped in, but AFAIR neither the client/server side was
ever implemented in the code, since its not needed for local node only comms. 
There's still a nice big TODO item there.

> 	Also, it might be nice to keep all the "remote stuff" nicely isolated
> from the rest of the libvirt API which is nice and straightforward right
> now.

Yeah, I really don't want to push a complex API onto all users of the
library.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]