What is happening with API security and file access?

As of Oct-2009:

1) To improve API security, we are going to move the domain, username and password out of the individual Python scripts and into a separate file. The API library will look for this file containing the user's credentials, so the credentials no longer have to appear in every script. This will make the scripts sharable and usable across users and accounts. I'm looking for a Python expert who can do this the right ("Pythonic") way.

Update 20-Feb-2010: This has been done. You now run the 000_setup_config.py script to put the user credentials into a configuration file.

2) To further improve security, we will replace the username/password with a generated API key. This will mean that we no longer need to keep a cleartext username/password in a file. The API key will be generated and stored per user and can be disabled or changed at any time.

3) We are also going to ensure that user administration, such as password changes, project memberships, etc., cannot be done via the API.

4) The API for file management will be based on the Nirvanix Python API with some extensions. You can play with this today if you want (send me an email), although it won't be all that useful until we roll out the new file manager. Update 20-Feb-2010: We are going with Amazon S3 instead of Nirvanix.

5) Any kind of file upload/download, sync, etc. will be based on the Python API. Update 20-Feb-2010: What this meant was that users will not be allowed to connect directly to the storage service; they must go through the ShotRunner application and its authentication as an intermediary. There will also likely be a client-side application that will be used to bulk upload and sync files.

Let me know if you have any questions or suggestions on this.
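
An added example, not ShotRunner's own code or the contents of 000_setup_config.py: one way to write and load the credentials file described in item 1 on a POSIX system, so that the cleartext username and password are readable only by the owning user. The file name, the `api` section, the function names and the sample values are assumptions.

```python
import configparser
import os
import stat
import tempfile

SECTION = "api"  # hypothetical section name


def write_credentials(path, domain, username, password):
    """Create the credentials file readable and writable by its owner only."""
    # interpolation=None keeps a '%' in the password from being treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser[SECTION] = {"domain": domain, "username": username, "password": password}
    # O_NOFOLLOW refuses to write through a symlink planted at `path`.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as handle:
        # Tighten the mode before writing, even if the file already existed.
        os.fchmod(handle.fileno(), 0o600)
        parser.write(handle)


def load_credentials(path):
    """Return (domain, username, password), refusing an unsafe file."""
    with open(path, "r") as handle:
        info = os.fstat(handle.fileno())  # inspect the file actually opened
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if info.st_uid != os.getuid():
            raise PermissionError(f"{path} is not owned by the current user")
        if info.st_mode & 0o077:
            raise PermissionError(f"{path} is accessible to group or others")
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_file(handle)
    creds = parser[SECTION]
    return creds["domain"], creds["username"], creds["password"]


def demo():
    """Round-trip constructed sample credentials, then loosen the mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "api_credentials.ini")  # hypothetical file name
        write_credentials(path, "example.invalid", "alice", "p%ss w0rd")
        loaded = load_credentials(path)
        os.chmod(path, 0o644)  # simulate a file left world-readable
        try:
            load_credentials(path)
            rejected = False
        except PermissionError:
            rejected = True
        return loaded, rejected


if __name__ == "__main__":
    print(demo())
```

The same permission check applies unchanged once the file holds a generated API key instead of a username and password, as planned in item 2.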