On Mon, Jan 15, 2007 at 06:20:19PM +0000, Richard W.M. Jones wrote:
> [Apologies that this is not threaded with the original post]
>
> > Following on from the issue of certificate management, is the issue of
> > authentication. This hasn't been an issue thus far, because Xen has zero
> > authentication. I'm not planning to make this same mistake with the QEMU
> > management daemon though - it's going to have a secure data transport and
> > real authentication from day-1. Thus we need to consider how authentication
> > is exposed at the libvirt client API layer.
> >
> > First off, there are many possible authentication approaches:
> >
> > - Username + password
> > - Username + one time key
> > - Username + password digest
> > - Kerberos tickets
> > - x509 certificates
> > - ...etc
>
> I would definitely avoid over-engineering a solution.

Yes, that's my biggest concern at this stage - I think my initial mail
proposal has rather a lot of complexity which will be a PITA for people using
libvirt. For the near-term I think we might be better ignoring my first
proposal in this thread & just requiring either

  a. certificate based authentication

or

  b. username + password, making use of the fact that URIs already
     have provision for embedding a username & password, so we'd not
     need extra libvirt APIs for this.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|