On 12/06/2012 12:06 AM, Carlo Hamalainen wrote:
> On Wed, Dec 5, 2012 at 8:22 PM, Marcel Poul wrote:
>
> I think we can get by with an email until January.
>
> I would like to share my thoughts with you; any comments are welcome.
> One of the use cases I work with is as follows:
>
> user -> service 1 -> service 2
> |
> |
> |
> AAA server
>
> User wants to access service 1, e.g. by ssh with Moonshot. At the
> same time, he wants to use s2 via s1 (by credentials delegation), e.g.
> mounting NFS volume at s2 to s1. The assumption is that s1 and s2
> (maybe AAA server too) belong to different organizations, so
> Luke Howard's solution for the credentials delegation won't work.
>
>
>
> This is a use case that we also have, so I'll be interested to see what
> Moonshot's capabilities are in this situation.
>
> Cheers,
>
> --
> Carlo Hamalainen
> http://carlo-hamalainen.net
Hi all,
I put one of my thoughts on paper (attached). It uses KDC and Kerberos
tickets to bring delegation to Moonshot. Any comments and ideas are welcome.
Another approach would be SAML delegation, as was discussed in this
mailing list too, but I am not very familiar with the mechanism.
I am sure there are other possible ways to bring cross-organizational
delegation to Moonshot which I don't know about. So please share any ideas.
Thx,
Marcel Poul