On Mon, Jan 15, 2007 at 08:50:47PM +0000, Mark McLoughlin wrote:
> On Thu, 2007-01-11 at 00:39 +0000, Daniel P. Berrange wrote:
> > Finally, one could simply say, this is all rather complicated, why don't
> > we just use a simple username+password for everything. While this would
> > be nice from a coding POV, I think we need to be forward looking and
> > ensure we're set up to cope with things like Kerberos single-sign-on.
> > This is why I'm looking at SASL for the QEMU authentication process - if
> > you use libsasl.so your app doesn't even need to know what auth method
> > it is using - the admin can simply create an appropriate config file
> > for SASL, and bingo, you're fully Kerberized & single-sign-on capable.
>
> SASL and all it entails does seem like the only sane approach.
> Perhaps look at the D-Bus API ... I vaguely remember being impressed at
> the work Havoc did with SASL in D-BUS.

This is a joke, right :-) The D-Bus auth protocol was indeed designed to allow
a SASL impl to be dropped in, but AFAIR neither the client nor the server side was
ever implemented in the code, since it's not needed for local-node-only comms.
There's still a nice big TODO item there.

> Also, it might be nice to keep all the "remote stuff" nicely isolated
> from the rest of the libvirt API which is nice and straightforward right
> now.

Yeah, I really don't want to push a complex API onto all users of the
library.
Yeah, I really don't want to push a complex API onto all users of the
library.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|