Externalization of user and certificates management in Eucalyptus

Registered by Nick Barcet

User and certificate management is currently done solely via the Eucalyptus web interface. Passwords used there cannot be the same as on the rest of the systems in an enterprise, accounts have to be recreated manually, and the existing x509 architecture cannot be used.
If the management of users and certificates used a plugin architecture, one would be able to redirect all calls to the backend of one's choice (LDAP/DBMS/flat file/...). Additional backends can be written for customers upon request.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

== Current state ==

 * Not possible at the moment
 * The code has been designed for it
 * Expected to stay the same for 10.04

== Future ==
Use cases:
 * I want to connect to my UEC interface, using the credentials that are provided by my enterprise system
 * I want to use the same credentials for API authentication (dangerous as it breaks EC2 compatibility)

Potential solutions:
 * Authentication is redirected via SASL (authentication delegation).
  ** Note: SASL supports caching, timeouts and already has several backends, including LDAP, PAM, IMAP, Kerberos, etc., but it only supports authentication, not authorization.
 * API to synchronize users
 * Use a plugin mechanism to allow externalization of user storage

== For use case 2 ==
Quick and dirty solution:
 When a user is created -> eua credentials are pushed into a file
 User connects
 Authenticate
Not applicable.

== For use case 1 ==
 1. account auto-creation when an authenticated user logs into the administrative web interface (via standard http env)
 2. generic optional hooks at the request level to check whether a user account has been revoked.

(?)
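
The two steps listed for use case 1, as an added Python example that is not Eucalyptus code and not part of the blueprint. It assumes "standard http env" means the `REMOTE_USER` variable set by the front-end web server after it has authenticated the user; `UserBackend`, `DirectoryBackend`, `LocalAccounts` and `handle_request` are hypothetical names, and the directory contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Protocol


class UserBackend(Protocol):
    """Hypothetical plugin interface: one implementation per backend (LDAP, flat file, ...)."""
    def is_revoked(self, username: str) -> bool: ...


@dataclass
class DirectoryBackend:
    """Constructed stand-in for an enterprise directory; holds only revoked names."""
    revoked: set = field(default_factory=set)

    def is_revoked(self, username: str) -> bool:
        return username in self.revoked


@dataclass
class LocalAccounts:
    """Local account table kept by the web interface (hypothetical)."""
    enabled: dict = field(default_factory=dict)

    def handle_request(self, environ: dict, backend: UserBackend) -> tuple:
        # Assumption: REMOTE_USER is trusted only because the front-end web
        # server sets it after authentication; missing or empty is rejected.
        user = (environ.get("REMOTE_USER") or "").strip()
        if not user:
            return 401, "no authenticated user"
        # Step 2: per-request revocation hook. It runs before auto-creation so
        # a revoked user can never be (re-)created by step 1.
        if backend.is_revoked(user):
            if user in self.enabled:
                self.enabled[user] = False  # disable the existing local account
            return 403, "account revoked"
        # Step 1: auto-create the local account on first authenticated login.
        if user not in self.enabled:
            self.enabled[user] = True
            return 200, "account created"
        # An account disabled by an earlier revocation stays disabled.
        if not self.enabled[user]:
            return 403, "account disabled"
        return 200, "ok"
```

Ordering matters here: if auto-creation ran before the revocation check, a revoked user would get a fresh local account on the next request.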
