This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-API] Xen Management API draft

To: Ewan Mellor <ewan@xxxxxxxxxxxxx>
Subject: Re: [Xen-API] Xen Management API draft
From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Date: Mon, 26 Jun 2006 16:41:57 +0100
Cc: Xen-API <xen-api@xxxxxxxxxxxxxxxxxxx>
On Mon, Jun 26, 2006 at 04:12:39PM +0100, Ewan Mellor wrote:
> On Sun, Jun 25, 2006 at 04:49:03PM +0100, Daniel P. Berrange wrote:
> >  * What is the motivation for implementing an explicit login_with_password
> >    method rather than utilizing the existing HTTP authentication protocols ?
> We discussed this on xen-devel last week -- HTTP auth doesn't seem to be
> widely supported, so we didn't want to rely upon it.  Also, this way we can
> use the XML-RPC over something other than HTTP (such as a raw unix domain
> socket).
> >    The proposed login API utilizing a simple username/password pair is quite
> >    limiting, preventing the use of any of the more advanced authentication
> >    protocols such as challenge/response, public / private key, kerberos 
> >    ticket passing.
> > 
> >    The latter would be particularly important if the apps using this API want
> >    to integrate with any kind of single sign on system. Perhaps it would be
> >    possible to define a more advanced login process which could be backed by
> >    something like SASL
> > 
> >      http://www.ietf.org/rfc/rfc2222.txt
> >      http://asg.web.cmu.edu/sasl/
> What would be involved in making this work?  The username / password is
> already a step up for Xen -- how complicated is SASL or similar?

I'm not familiar enough with it to give any estimates on work involved, but
it would definitely be more complex than user/password; however, this is to
be expected given the much broader capabilities. There's fairly comprehensive
docs in the Cyrus SASL source distribution, for example,


Another possibility would be to integrate with PAM, fully supporting the
conversation function callbacks

|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
