← Back to team overview

openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)

 

From: Eric Day [eday@xxxxxxxxxxxx]
> Service Provider zones could be configured to access authz.myco.com
> for any authentication requests that come in for the myco.com namespace. 

Hmm, yes I think that might be possible (with the obvious performance concerns). 

My concern was that we would have to make a call back to authz.myco.com to check *every* instance. By having a pared-down set to work with we can avoid having to scan all the instances under MyCo's control. 

But, you are correct that we could get that pared down list from authz.myco.com just as easily as from sp.authz. 

Let me stew on that one some more.

> For example, you could have the accounts:
> 
> alice
> alice_shares
> bob

Yes, I thought about that more over the weekend. While it's attractive for up-front simplicity it makes account management much harder. Whenever we want to delegate a command from MyCo to SP we need to decide which account we will use to perform the operation. User account management will become just as complicated as Resource Group synchronization. 

-S

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse@xxxxxxxxxxxxx, and delete the original message.
Your cooperation is appreciated.




References