[Galene] Hierarchical tokens

[Galene] Hierarchical tokens

[Juliusz Chroboczek]

I've just implemented hierarchical tokens, that apply to a whole
subtree.

So now, if you do

    galenectl create-token -group public -include-subgroups

you'll get a token that works in the whole public/* hierarchy.

Next step is adding support for tokens at the root of the hierarchy, so
that you can have global tokens.

-- Juliusz

[Galene] Re: Hierarchical tokens

[Juliusz Chroboczek]

>> Next step is adding support for tokens at the root of the hierarchy, so
>> that you can have global tokens.
> 
> Wonderful for corporate setups.

I'd expect our tie-wearing friends to prefer using an authentication
server and stateless tokens.  This way, there's no user data in Galene
itself, all the authorisation data sits in a small authorisation server
that the system admins fully understand.

I assume that most system admins are more familiar with Python than Go,
which is why I wrote the sample at

  https://github.com/jech/galene-sample-auth-server

-- Juliusz

[Galene] Re: Hierarchical tokens

[Juliusz Chroboczek]

>> I'd expect our tie-wearing friends to prefer using an authentication
>> server and stateless tokens.  This way, there's no user data in Galene
>> itself, all the authorisation data sits in a small authorisation server
>> that the system admins fully understand.

> Agreed for 'real' users - the scenario I was trying to make simpler is
> transient setups where you easily want to delegate actions 'top down';
> e.g. for a short lived projects and were your users are at peer
> organisations.

Uh-huh.  I'd rather be doing global tokens than global usernames.

-- Juliusz