Externalization of user and certificate management in Eucalyptus
User and certificate management is currently done solely via the web interface of Eucalyptus. Passwords used there cannot be the same as those used on the rest of an enterprise's systems, accounts have to be recreated by hand, and an existing X.509 infrastructure (CA, issued certificates) cannot be reused.
By making user and certificate management use a plugin architecture, one should be able to redirect all calls to the backend of one's choice (LDAP/DBMS/
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by:
Whiteboard
== Current state ==
* Not possible at the moment.
* The code has been designed for it.
* Expected to stay the same for (Ubuntu) 10.04.
== future ==
Use cases:
* I want to connect to my UEC interface using the credentials provided by my enterprise system.
* I want to use the same credentials for API authentication (dangerous, as it breaks EC2 compatibility: the EC2 API authenticates requests with an access key and a signing secret key, not with a password).
Potential solutions:
* Authentication is delegated via SASL.
** Note: SASL supports caching and timeouts and already has several backends, including LDAP, PAM, IMAP and Kerberos, but it only covers authentication, not authorization.
* An API to synchronize users.
* A plugin mechanism to allow externalizing user storage.
== For use case 2 ==
Quick and dirty solution:
* When a user is created, the euca credentials are pushed into a file.
* The user connects.
* The user authenticates.
Not applicable.
== For use case 1 ==
1. Account auto-creation when an already authenticated user logs into the administrative web interface (the user name arriving via the standard HTTP request environment, as set by the front-end web server that performed the authentication).
2. Generic, optional hooks at the request level to check whether a user account has been revoked in the external store.
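The following is an added sketch, not Eucalyptus code (Eucalyptus itself is written in Java), that ties together the plugin mechanism listed under "Potential solutions" and the two steps above for use case 1: a backend interface that an LDAP or DBMS plugin would implement, a per-request hook that trusts the REMOTE_USER name handed over by the web server, auto-creates the local account on first visit, and drops it when the backend reports the identity revoked. The `credentials_file_text` helper shows what the "quick and dirty" file push for use case 2 would write. The class and function names, the `UserBackend` interface and the directory entries are assumptions made up for this example.

```python
import secrets
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Account:
    """Local Eucalyptus-side record created on the user's first authenticated visit."""
    username: str
    access_key: str
    secret_key: str


class UserBackend(ABC):
    """Assumed plugin interface (not a Eucalyptus API): what an external user
    store such as LDAP or a DBMS must answer for the request-level hooks."""

    @abstractmethod
    def exists(self, username: str) -> bool:
        """Is this identity known to the enterprise directory?"""

    @abstractmethod
    def is_revoked(self, username: str) -> bool:
        """Has the enterprise disabled this identity?"""


class ConstructedDirectory(UserBackend):
    """Stand-in for a real directory, holding constructed sample entries
    (username -> account still active) so the example runs offline."""

    def __init__(self, entries: Dict[str, bool]):
        self.entries = entries

    def exists(self, username: str) -> bool:
        return username in self.entries

    def is_revoked(self, username: str) -> bool:
        return not self.entries.get(username, False)


def make_keys(username: str) -> Tuple[str, str]:
    """Generate a fresh access key / secret key pair for an auto-created user."""
    return ("AK" + secrets.token_hex(8).upper(), secrets.token_hex(20))


class AccountStore:
    """Accounts live here; identity and revocation come from the plugin backend."""

    def __init__(self, backend: UserBackend,
                 keygen: Callable[[str], Tuple[str, str]] = make_keys):
        self.backend = backend
        self.keygen = keygen
        self.accounts: Dict[str, Account] = {}

    def authenticate_request(self, environ: dict) -> Optional[Account]:
        """Per-request hook for the web interface.

        `environ` is the CGI/WSGI-style request environment. REMOTE_USER is
        only trustworthy if the front-end web server that did the real
        authentication is the only thing able to reach this application;
        otherwise a client could supply the name itself.
        """
        username = environ.get("REMOTE_USER")
        if not username:
            return None                        # the web server authenticated nobody
        if not self.backend.exists(username):
            return None                        # unknown to the enterprise: no auto-create
        if self.backend.is_revoked(username):
            self.accounts.pop(username, None)  # step 2: revoked upstream, drop locally
            return None
        account = self.accounts.get(username)
        if account is None:                    # step 1: first visit, auto-create
            access_key, secret_key = self.keygen(username)
            account = Account(username, access_key, secret_key)
            self.accounts[username] = account
        return account


def credentials_file_text(account: Account) -> str:
    """Use case 2, quick and dirty route: the eucarc-style shell variables that
    would be pushed into a per-user file when the account is created."""
    return (f"export EC2_ACCESS_KEY='{account.access_key}'\n"
            f"export EC2_SECRET_KEY='{account.secret_key}'\n")


if __name__ == "__main__":
    directory = ConstructedDirectory({"alice": True, "bob": False})
    store = AccountStore(directory)
    print(store.authenticate_request({"REMOTE_USER": "alice"}))    # auto-created
    print(store.authenticate_request({"REMOTE_USER": "bob"}))      # None: revoked
    print(store.authenticate_request({"REMOTE_USER": "mallory"}))  # None: unknown
    directory.entries["alice"] = False
    print(store.authenticate_request({"REMOTE_USER": "alice"}))    # None: now revoked
```

The revocation check runs on every request rather than only at login, which is the point of step 2: once the enterprise disables the identity, the next request is refused and the local account disappears, without anyone having to delete it in the Eucalyptus web interface.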