openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)

 

From: Vishvananda Ishaya [vishvananda@xxxxxxxxx]

> I think account/action tuple isn't too complicated.  If we decide not to use the resource_groups as
> tags, meaning multiple can be applied to same object, then we probably need this functionality.  Or else we 
> will have some crazy user with a different resource_group owner for every single vm in their organization.

That could still happen regardless. Again, I think it's easier to just update one group than run around updating tags on many instances. 

> Yes, I was agreeing with your point.  Again the multiple ownership I was suggesting was single-ownership
> with tags that act as pseudo-owners.  Canonical url can still be under the "owner", but allowing to list by 
> tag, for example, makes listing all the instances under a shared group possible without crazy aggregation
> schemes.  Again, not sure it is worth the complexity, so if we can find a way around the listing issues and
> organization level roles issues that I mentioned in my other email, I'm happy to avoid it.

Perhaps I'm missing where the 'crazy aggregation' part comes in? We get a flat list of Resource Groups from MyCo and do a Select against the DB for all of them. Only MyCo AuthZ has to worry about nesting, we just have a flat list. 

-S
