[Libvir] Authenticate APIs ?
Daniel P. Berrange
berrange at redhat.com
Mon Jan 15 20:54:05 UTC 2007
On Mon, Jan 15, 2007 at 08:50:47PM +0000, Mark McLoughlin wrote:
> On Thu, 2007-01-11 at 00:39 +0000, Daniel P. Berrange wrote:
>
> > Finally, one could simply say, this is all rather complicated, why don't
> > we just use a simple username+password for everything. While this would
> > be nice from a coding POV, I think we need to be forward looking and
> > ensure we're set up to cope with things like Kerberos single-sign-on.
> > This is why I'm looking at SASL for the QEMU authentication process - if
> > you use libsasl.so your app doesn't even need to know what auth method
> > it is using - the admin can simply create an appropriate config file
> > for sasl, and bingo you're fully kerberized & single sign-on capable.
>
> SASL and all it entails does seem like the only sane approach.
>
> Perhaps look at the D-Bus API ... I vaguely remember being impressed at
> the work Havoc did with SASL in D-BUS.

This is a joke, right :-) D-Bus auth protocol was indeed designed to allow
a SASL impl to be dropped in, but AFAIR neither the client/server side was
ever implemented in the code, since it's not needed for local node only comms.
There's still a nice big TODO item there.

> Also, it might be nice to keep all the "remote stuff" nicely isolated
> from the rest of the libvirt API which is nice and straightforward right
> now.

Yeah, I really don't want to push a complex API onto all users of the
library.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|