
openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)


I don't see how one would give access to an entire organization at once. That was the purpose of returning multiple subjects from auth in the other proposal. If I want to give everyone in the "bar" organization in my instance, the check somehow has to be able to find out that bob is a member of "bar". Getting multiple subjects back from auth makes this easy because bob could be a member of different subjects that would all be returned:
And I can just say (organization:bar, can_halt, alice)
Is there a way to do this type of thing in this proposal?


On Apr 4, 2011, at 1:19 PM, Sandy Walsh wrote:

> Phew, ok, I've boiled down the various federated AuthZ discussions with eday, vish & jorge.
> I've superseded the old blueprint since the bulk of the work is clearly in the Federated AuthZ camp and not the AuthN camp. 
> http://wiki.openstack.org/FederatedAuthZwithZones
> Shorter and more succinct. Should address many of the issues that have arisen to date. 
> -S

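An added illustration (not part of the original thread, the blueprint, or any OpenStack code) of the point raised in the reply above: when authentication returns several subjects for one user, a single tuple such as (organization:bar, can_halt, alice) covers every member of the organization. The `authenticate` stand-in, the membership data, and the reading of the tuple as (subject, action, target) are assumptions.

```python
# Illustrative sketch only: names, data and the (subject, action, target)
# reading of the tuple are assumptions, not taken from the blueprint.

# Constructed directory: which organizations each user belongs to.
MEMBERSHIPS = {
    "bob": ["bar"],
    "carol": ["bar", "baz"],
    "dave": [],
}

# Grants as (subject, action, target) tuples, as in the message above.
GRANTS = {
    ("organization:bar", "can_halt", "alice"),
    ("user:dave", "can_reboot", "alice"),
}


def authenticate(username):
    """Stand-in for auth: return every subject the user can act as.

    An unknown user gets no subjects, so every later check denies.
    """
    if username not in MEMBERSHIPS:
        return []
    subjects = [f"user:{username}"]
    subjects += [f"organization:{org}" for org in MEMBERSHIPS[username]]
    return subjects


def matching_grants(subjects, action, target, grants=GRANTS):
    """Return the grants that authorize any of the subjects (empty = deny)."""
    return sorted(g for g in grants
                  if g[0] in subjects and g[1:] == (action, target))


def is_allowed(username, action, target):
    """Multi-subject check: any returned subject may satisfy a grant."""
    return bool(matching_grants(authenticate(username), action, target))


def is_allowed_single_subject(username, action, target):
    """Contrast: only the user subject is known, so org grants never match."""
    return bool(matching_grants([f"user:{username}"], action, target))


if __name__ == "__main__":
    for user in ("bob", "carol", "dave"):
        print(user, is_allowed(user, "can_halt", "alice"),
              is_allowed_single_subject(user, "can_halt", "alice"))
```
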