openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #01541
Re: Federated Identity Management (bursting and zones)
On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.walsh@xxxxxxxxxxxxx> wrote:
> Currently, we link Nova deployments (aka Zones) with a single admin account.
> All operations done in the child zone are done with this admin account.
> Obviously this needs to change. A simple operation such as "get_all_servers"
> should only return the servers that User X owns. In the current
> implementation, all the servers the admin account can see will be returned.
> We need some form of federated identity management. User accounts must be
> shared between homogeneous and heterogeneous deployments. ie. all private,
> all public or public/private (aka Hybrid) via Bursting.
> There are some possibilities here:
> 1. Replicate User accounts across zones. A user account would map to N child
> zone accounts ... one for each child zone. These "placeholder" accounts are
> hidden from the user and synchronized when the parent changes.
> 2. Rely on an external/shared user management service. Let the Auth/RBAC
> system sort out visibility, control, etc. This system would need to be
> publicly available to both groups in the hybrid scenario.
> 3. Continue with the admin account and filter access control/visibility in
> the parent zone.
> ... and I'm sure there are others.
4. Use OAuth?
-jay
Follow ups
References