[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Authenticate APIs ?



On Mon, Jan 15, 2007 at 06:20:19PM +0000, Richard W.M. Jones wrote:
> [Apologies that this is not threaded with the original post]
> 
> > Following on from the issue of certificate management, is the issue of
> > authentication. This hasn't been an issue thus far, because Xen has zero
> > authentication. I'm not planning to make this same mistake with the QEMU
> > management daemon though - its going to have a secure data transport and
> > real authentication from day-1. Thus we need to consider how 
> authentication
> > is exposed at the libvirt client API layer.
> >
> > First off, there are many possible authentication approaches:
> >
> >   - Username + password
> >   - Username + one time key
> >   - Username + password digest
> >   - Kerberos tickets
> >   - x509 certificates
> >   - ...etc
> 
> I would definitely avoid over-engineering a solution.

Yes, that's my biggest concern at this stage - I think my initial mail
proposal has rather lot of complexity which will be a PITA for people using
libvirt. For the near-term I think we might be better ignoring my first
proposal in this thread & just requiring either

 a. certificate based authentication

or

 b. username + password, making use of the fact that  URIs already
    have provision for embeedding a username & password, so we'd not
    need extra libvirt APIs for this.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]