openstack team mailing list archive
Message #01547
Re: Federated Identity Management (bursting and zones)
Agreed, Pluggable option 2 with a default OAuth implementation seems like the best strategy.
Vish
On Mar 28, 2011, at 9:42 AM, Khaled Hussein wrote:
> I was thinking of having an OAuth implementation for authorization/delegation in an external identity management solution, option 2 :). The IdM solution can be extensible to support other Identity Federation protocols as well, such as SAML.
>
> Khaled
>
> On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <jaypipes@xxxxxxxxx> wrote:
> On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.walsh@xxxxxxxxxxxxx> wrote:
> > Currently, we link Nova deployments (aka Zones) with a single admin account.
> > All operations done in the child zone are done with this admin account.
> > Obviously this needs to change. A simple operation such as "get_all_servers"
> > should only return the servers that User X owns. In the current
> > implementation, all the servers the admin account can see will be returned.
> > We need some form of federated identity management. User accounts must be
> > shared between homogeneous and heterogeneous deployments, i.e. all private,
> > all public or public/private (aka Hybrid) via Bursting.
> > There are some possibilities here:
> > 1. Replicate User accounts across zones. A user account would map to N child
> > zone accounts ... one for each child zone. These "placeholder" accounts are
> > hidden from the user and synchronized when the parent changes.
> > 2. Rely on an external/shared user management service. Let the Auth/RBAC
> > system sort out visibility, control, etc. This system would need to be
> > publicly available to both groups in the hybrid scenario.
> > 3. Continue with the admin account and filter access control/visibility in
> > the parent zone.
> > ... and I'm sure there are others.
>
> 4. Use OAuth?
>
> -jay
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to: openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe: https://launchpad.net/~openstack
> More help: https://help.launchpad.net/ListHelp