There is an integration scenario that might work better for you using the X-Impersonate header. Passing the header lets a single user account manage child accounts as the child user directly. A few caveats - impersonate requires the user to be created in mongo by the impersonate call, so if the user has logged in first to the API you'll have to fix up the user with oo-admin-ctl-user. See https://github.com/openshift/origin-server/blob/master/controller/lib/openshift/controller/authentication.rb#L240 for more on how impersonate works. You can mark an account as being able to impersonate with:
oo-admin-ctl-user --allowsubaccounts true -l <adminacct>
The only other form of true impersonation is through tokens, and longer term that will be the recommended way to give one user access to your account temporarily.
In general we recommend that all API consumers use authorization tokens, for a few reasons.
1) it means that other clients can centrally revoke access to other sessions in a consistent way
2) tokens can be limited in rights - for instance, a token that only grants read access, or a token that allows access only to a single app.
3) it simplifies clients and is higher performance - the token is stored in the OpenShift mongo db and is faster to retrieve, vs auth calls to an external service which must be done on every request.
4) a token can be changed more easily than a password
On Jun 23, 2013, at 6:58 AM, XuQing Tan <missedone gmail com> wrote: