← Back to team overview

openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)

 

Doh! I'm an idiot. Write that down.

Eric, you're correct, we don't need to sync the AuthZ servers. We only need to pass the Resource Group ID's along after the user authenticates (thanks Jorge for reminding me.)

This is along the lines of what you have been suggesting with different User accounts, but without overloading Accounts and sticking to the "Collection of Resources" idea (as used in RBAC, SAML, etc)

There is a complexity here. When we create new Resources on the SP side we need to know which Resource Group to create it on behalf of. 

I've put a little description of the problem here: http://wiki.openstack.org/FederatedAuthZwithZones#On_Behalf_Of

The rest of the wiki has been updated to reflect these changes.

-S

PS> I think we're close to putting a pin in this thing.

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse@xxxxxxxxxxxxx, and delete the original message.
Your cooperation is appreciated.




Follow ups

References