openstack team mailing list archive

Re: Entities in OpenStack Auth


On Fri, Mar 04, 2011 at 09:46:16AM -0500, Jay Pipes wrote:
> Are you proposing that an entity always be the owner of something?

I'm proposing every resource has an owner.

> If so, I dislike using the term "entity", since entity does not imply
> ownership. I'd prefer "owner" or "account", since the latter implies
> control over something. Entity connotes neither ownership nor control.

Sure, and I think with other discussions we've moved back to
'account'. I just needed to use something different to not confuse
with swift 'accounts' in case we wanted something different.

> I'd like to get the semantics around these terms correct. We've
> already run into numerous issues with the term "metadata" and I really
> don't feel like introducing another source of confusion in both the
> documentation and the code comments.

We'll have accounts. You can be authenticated as a certain account,
all resources are owned by one account, and resources/accounts can
provide ACLs/roles to other accounts.

This means for your deployment an account can be a user, project,
/etc/group, dog, cat, etc. It's up to the IDM to map whatever you're
using into accounts for OpenStack services, and the authz system to
manage relationships between those accounts.
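One way to sketch the account/ownership/ACL model this reply describes, as an added example that is not part of the original thread or of OpenStack's code (the Account and Resource classes, the role names and the map_identity function are assumptions):

```python
from dataclasses import dataclass, field
from typing import Dict, Set
# Constructed model (not OpenStack code) of the account/ownership scheme in
# the mail: accounts are the only principals, every resource has exactly one
# owner account, and any access beyond ownership needs an explicit grant.

@dataclass(frozen=True)
class Account:
    name: str

@dataclass
class Resource:
    name: str
    owner: Account
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # grantee -> roles

# Roles a resource owner can hand out; the owner implicitly holds every action.
ROLE_ACTIONS = {"reader": {"read"}, "writer": {"read", "write"}}

def map_identity(kind: str, ident: str) -> Account:
    """IDM step: a deployment's user, project, group, etc. becomes an opaque
    account name; the services below never see the original identity type."""
    return Account(f"{kind}:{ident}")

def grant(resource: Resource, grantor: Account, grantee: Account, role: str) -> None:
    """Only the owning account may add roles to a resource's ACL."""
    if grantor != resource.owner:
        raise PermissionError(f"{grantor.name} does not own {resource.name}")
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {role!r}")
    resource.acl.setdefault(grantee.name, set()).add(role)

def authorize(account: Account, resource: Resource, action: str) -> bool:
    """Default deny: allow only the owner or an account holding a granted
    role that covers the action."""
    if account == resource.owner:
        return True
    roles = resource.acl.get(account.name, set())
    return any(action in ROLE_ACTIONS[r] for r in roles)

def demo() -> Dict[str, bool]:
    alice = map_identity("user", "alice")      # an individual user
    ops = map_identity("project", "ops")       # a project acting as an account
    bob = map_identity("user", "bob")          # no relationship to the volume
    vol = Resource("vol-1", owner=alice)
    grant(vol, alice, ops, "reader")           # alice shares read access with ops
    return {"owner_write": authorize(alice, vol, "write"),
            "ops_read": authorize(ops, vol, "read"),
            "ops_write": authorize(ops, vol, "write"),
            "bob_read": authorize(bob, vol, "read")}
```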