On Jul 5, 2013, at 1:52 PM, Mark Lamourine <markllama gmail com> wrote:
There is no registration process today in OpenShift - are you referring to an external tool created to provision a user? If not, because users are lazily provisioned in OpenShift there can be no human intervention at user create time. The info needs to come from the auth service at authorization time, which means additional support has to be added to process that info.
Either way, I suspect most organizations using Kerberos to the gear will be using Kerberos to the console and broker.
I'm referring to the possibility of additional Kerberos entities beyond a principal to be registered. I.e., more information than just a principal name, or a different type of value.
Was referring to Kerberos-specific concepts.
Then you have to distribute the list of users who can access the app, which is essentially the same problem as described for sshkey/principal propagation. Still seems like the same mechanism to me.