openstack team mailing list archive

Thread
Date

Re: AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal

To: Vishvananda Ishaya <vishvananda@xxxxxxxxx>
From: Somik Behera <somik@xxxxxxxxxx>
Date: Thu, 18 Aug 2011 15:45:46 -0700
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <85BE2CAD-2D6C-4465-AD6A-921BD9F27495@gmail.com>

Hi Vish,

That would be one very reasonable way to do it, but in that case we are
fragmenting AuthZ in multiple services instead of Keystone taking care of
AuthZ across all services.

Depending on Keystone's roadmap and plans, we could take a 2 phased
approach, where Nova doing AuthZ is a temporary solution till Keystone can
do it or  if Keystone  is not going to have this capability, then we go down
the path you are suggesting - Keystone does AuthN and we rely on Nova to
authorize a tenant's access rights to a particular vif.

Thanks,
Somik

On Thu, Aug 18, 2011 at 3:37 PM, Vishvananda Ishaya
<vishvananda@xxxxxxxxx>wrote:

>
> On Aug 18, 2011, at 2:08 PM, Somik Behera wrote:
>
>
>     2.2) Quantum needs to ensure Tenant-X( or user with access to Tenant-X)
> owns Virtual Network Interface named "instance-0001-eth0" available in Nova
> - *This is where we need AuthZ help from Keystone*
>
>
> It seems simpler to me to have a quantum call nova with something like
> get_virtual_interface and pass the token.  Then nova can decide if that
> token has access to the vif.
>
>
>

-- 
Somik Behera | Nicira Networks, Inc. | somik@xxxxxxxxxx <sbehera@xxxxxxxxxx> |
office: 650-390-6790 | cell: 512-577-6645

Follow ups

Re: AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal
From: Vishvananda Ishaya, 2011-08-18

References

AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal
From: Somik Behera, 2011-08-18
Re: AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal
From: Vishvananda Ishaya, 2011-08-18