← Back to team overview

openstack team mailing list archive

Re: AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal

 

On Aug 18, 2011, at 3:45 PM, Somik Behera wrote:

> Hi Vish,
> 
> That would be one very reasonable way to do it, but in that case we are fragmenting AuthZ in multiple services instead of Keystone taking care of AuthZ across all services. 

We can't necessarily depend on keystone to keep track of all objects owned by each service.  Especially for things like swift where millions of objects are involved.  I therefore think the right solution is to have the services responsible for their own objects, and allow them to delegate to keystone in the cases where it makes sense.

> 
> Depending on Keystone's roadmap and plans, we could take a 2 phased approach, where Nova doing AuthZ is a temporary solution till Keystone can do it or  if Keystone  is not going to have this capability, then we go down the path you are suggesting - Keystone does AuthN and we rely on Nova to authorize a tenant's access rights to a particular vif.
> 
> Thanks,
> Somik


Follow ups

References