openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)

 

I agree with Vish here. A common set of group names would be a good
first step and allow us to federate authn without the upfront
complexity of trying to also federate authz. Come to think of it,
there's no reason that role A would need to have similar privileges in
zones X and Y. More likely than not, they would have different
privileges, and therefore a federated authz service wouldn't really
make sense.

-jay

On Wed, Mar 30, 2011 at 4:38 PM, Vishvananda Ishaya
<vishvananda@xxxxxxxxx> wrote:
> Not sure that AuthZ has to be federated.  If AuthN can return a list of meaningful groups (something akin to roles) to AuthZ, we can isolate AuthZ to a given deployment.  So we can have a set of standard groups defined, and if Alice's AuthN returns one of those groups, she can launch.  It means we will probably have to define some sort of openstack-compatible authn groups.
>
> Vish
>
> On Mar 30, 2011, at 12:44 PM, Sandy Walsh wrote:
>
>> From: Jon Slenk [jslenk@xxxxxxxxxxxx]
>>
>>> I think that if the system used capabilities/ZBAC then there would be no such weird prompting.
>>
>> I see your point, but I'm assuming AuthZ has to be federated as well. We don't know about Alice, she lives in her private cloud. We have to ask her AuthZ system if she can boot a new instance.
>>
>> This flow is saying "The AuthZ resource lives on your side of the fence and I'd like to access it", but to do so Alice needs to grant permission and that interaction seems confusing to me.
>>
>> -S
>>
>> PS> appreciate the feedback!
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>
>
>
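
The split discussed in this thread (federated AuthN returns group names, each zone keeps its own AuthZ policy), as an added example that is not part of the original messages or of OpenStack's code. The group names, issuer name, action names and the HMAC shared key standing in for the identity service's signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumed shared vocabulary of group names (hypothetical values).
STANDARD_GROUPS = {"openstack:admin", "openstack:developer"}


def sign_assertion(issuer, key, user, groups):
    """AuthN side: the home identity service vouches for a user's groups."""
    body = json.dumps({"iss": issuer, "sub": user, "groups": sorted(groups)},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Zone:
    """AuthZ side: each deployment maps group names to its own privileges."""

    def __init__(self, trusted_issuers, policy):
        self.trusted_issuers = trusted_issuers  # issuer name -> verification key
        self.policy = policy  # group -> allowed actions, local to this zone

    def verified_groups(self, body, tag):
        """Return the standard groups asserted, or an empty set if untrusted."""
        try:
            claims = json.loads(body)
            key = self.trusted_issuers.get(claims["iss"])
            groups = set(claims["groups"])
        except (ValueError, KeyError, TypeError):
            return set()  # malformed assertion grants nothing
        if key is None:
            return set()  # identity service this zone does not trust
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return set()  # altered after signing
        return groups & STANDARD_GROUPS  # ignore groups outside the shared set

    def is_allowed(self, body, tag, action):
        groups = self.verified_groups(body, tag)
        return any(action in self.policy.get(g, set()) for g in groups)


# Constructed sample data: the same group carries different privileges per zone.
KEY = b"constructed-demo-key"
ZONE_X = Zone({"alice-cloud": KEY}, {"openstack:developer": {"boot", "list"}})
ZONE_Y = Zone({"alice-cloud": KEY}, {"openstack:developer": {"list"}})
BODY, TAG = sign_assertion("alice-cloud", KEY, "alice",
                           ["openstack:developer", "alice-cloud:local-only"])
```

Neither zone consults the other's policy or Alice's home AuthZ system; only the signed group list crosses the boundary.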


