← Back to team overview

openstack team mailing list archive

Re: Federated Identity Management (bursting and zones)


From: Vishvananda Ishaya [vishvananda@xxxxxxxxx]
> Ok so we are aggregating at the service layer.  That does make optimization a bit easier.  Especially 
> if the user can specify with the OnBehalfOf idea a subset of the instances he wants to list.

Yeah, previously it would have been expensive to do this in the services, but now I think it's small enough that a nice little authz client library could handle it. 

>> Either that or a wildcard for all perhaps?
>> (Jon, can_isolate, *)

> Wildcards won't work if one provider is supporting multiple organizations (this has been specifically 
> requested by some clients btw, so it isn't just astronauting), unless we support more of a regex wildcard:
> (jon, can_isolate, OrganizationA.*)
> That would be a cool feature, but it would require the auth service to return groups according to a 
> specific format.  Otherwise, the giant list should definitely work up to a certain size.

Makes sense. This would be the Reseller use case that comes up frequently. 

Sounds like the Resource Group naming is going to be just as important as Instance ID naming. 


> Vish

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse@xxxxxxxxxxxxx, and delete the original message.
Your cooperation is appreciated.

Follow ups