
openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)


Not sure that AuthZ has to be federated.  If AuthN can return a list of meaningful groups (something akin to roles) to AuthZ, we can isolate AuthZ to a given deployment.  So we can have a set of standard groups defined, and if Alice's AuthN returns one of those groups, she can launch.  It means we will probably have to define some sort of openstack-compatible authn groups.

On Mar 30, 2011, at 12:44 PM, Sandy Walsh wrote:

> From: Jon Slenk [jslenk@xxxxxxxxxxxx]
>> I think that if the system used capabilities/ZBAC then there would be
>> no such weird prompting.
> I see your point, but I'm assuming AuthZ has to be federated as well. We don't know about Alice, she lives in her private cloud. We have to ask her AuthZ system if she can boot a new instance. 
> This flow is saying "The AuthZ resource lives on your side of the fence and I'd like to access it", but to do so Alice needs to grant permission and that interaction seems confusing to me.
> -S
> PS> appreciate the feedback!
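A sketch of the split proposed in the reply at the top of this message, added here as an illustration and not code from the thread or from OpenStack: federated AuthN supplies only a group list, and the deployment resolves those groups to actions with its own local policy. The group names, action names and identity-provider hostnames are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical "openstack-compatible" group names; the thread defines none.
STANDARD_GROUPS = {
    "openstack:compute-user": {"instance:boot", "instance:list"},
    "openstack:compute-admin": {"instance:boot", "instance:list", "instance:delete"},
    "openstack:read-only": {"instance:list"},
}

# Identity providers this deployment accepts group claims from (constructed).
TRUSTED_IDPS = {"idp.alice-private-cloud.example"}


@dataclass(frozen=True)
class AuthnResult:
    """What the federated AuthN step hands back: who, from where, which groups."""
    subject: str
    issuer: str
    groups: tuple


def allowed_actions(authn):
    """Resolve actions with local policy only; no remote AuthZ is consulted."""
    if authn.issuer not in TRUSTED_IDPS:
        return frozenset()  # group claims from an unknown issuer mean nothing here
    actions = set()
    for group in authn.groups:
        # Groups outside the standard set are ignored rather than rejected,
        # so a private cloud can keep its own groups alongside the shared ones.
        actions |= STANDARD_GROUPS.get(group, set())
    return frozenset(actions)


def authorize(authn, action):
    """Deny by default: the action must be granted by at least one standard group."""
    return action in allowed_actions(authn)


def demo():
    # Constructed sample identities.
    alice = AuthnResult("alice", "idp.alice-private-cloud.example",
                        ("openstack:compute-user", "acme:payroll"))
    stranger = AuthnResult("stranger", "idp.unknown.example",
                           ("openstack:compute-admin",))
    return {
        "alice_boot": authorize(alice, "instance:boot"),
        "alice_delete": authorize(alice, "instance:delete"),
        "stranger_boot": authorize(stranger, "instance:boot"),
    }


if __name__ == "__main__":
    print(demo())
```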
