
openstack team mailing list archive

Re: [Scaling][Orchestration] Zone changes. WAS: [Question #185840]: Multi-Zone finally working on ESSEX but cant "nova list" (KeyError: 'uuid') + doubts

The approach here looks solid, but I'm not sure if it goes far enough.

One issue that Keystone has to resolve eventually is how to authenticate requests for tenant-specific file system users. Basically the core authentication system allows satellite authentication systems to authenticate users within defined scopes. That is, a Tenant X authentication server authenticates file system users for Tenant X. TenantX:Jsmith is a different user than TenantY:Jsmith.

What you probably want to avoid for that sort of system is *mapping* all of the users from each of the Tenants to the central authentication server. Adding and deleting file system users from *all* tenants could end up being a bit too many transactions and ultimately requires excessive and error-prone replication of data.

What we need is for TenantX's server to provide the information about who "Jsmith" is, and what jsmith is allowed to do, but in a way where it cannot reference any of TenantY's resources.
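The delegation model sketched above, as an added toy example (not code from this thread, Keystone, or any OpenStack project): each tenant runs its own satellite authenticator holding only its own users, the central service stores one trust key per tenant rather than a replicated user list, and every assertion is rejected unless it is genuinely from the registered satellite and only speaks about that tenant's own resources. All names (`TenantAuthServer`, `CentralAuth`, the `tenantX`/`tenantY` paths and the HMAC-based assertion format) are assumptions made for the illustration.

```python
"""Toy model of tenant-scoped, delegated authentication (added example, not Keystone code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass


def principal(tenant: str, user: str) -> str:
    """Scoped identity: the same login name in two tenants is two different principals."""
    return f"{tenant}:{user}"


def resource_tenant(resource: str) -> str:
    """Owning tenant of a resource path such as '/tenantX/docs' (assumed path layout)."""
    return resource.strip("/").split("/", 1)[0]


def _canonical(tenant: str, user: str, permissions: tuple) -> bytes:
    # Deterministic encoding that both the satellite and the central server MAC over.
    return json.dumps([tenant, user, list(permissions)], separators=(",", ":")).encode()


@dataclass(frozen=True)
class Assertion:
    tenant: str         # issuing tenant, i.e. the satellite's own scope
    user: str
    permissions: tuple  # entries shaped like "read:/tenantX/docs"
    mac: str            # HMAC-SHA256 over the canonical body, keyed per tenant


class TenantAuthServer:
    """Hypothetical satellite authenticator run by one tenant; it knows that tenant's users only."""

    def __init__(self, tenant: str, key: bytes, users: dict):
        self.tenant = tenant
        self._key = key
        self._users = users  # user -> (password, permissions); toy store, not a real password hash

    def authenticate(self, user: str, password: str):
        entry = self._users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        perms = tuple(entry[1])
        mac = hmac.new(self._key, _canonical(self.tenant, user, perms), hashlib.sha256).hexdigest()
        return Assertion(self.tenant, user, perms, mac)


class CentralAuth:
    """Core service: holds one trust anchor per tenant, never the tenants' user lists."""

    def __init__(self):
        self._trust = {}  # tenant -> shared key of that tenant's satellite

    def register_tenant(self, tenant: str, key: bytes) -> None:
        self._trust[tenant] = key

    def verify(self, a: Assertion) -> bool:
        key = self._trust.get(a.tenant)
        if key is None:
            return False  # assertion claims a tenant we have no satellite registered for
        expected = hmac.new(key, _canonical(a.tenant, a.user, a.permissions), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.mac):
            return False  # forged, tampered, or signed with another tenant's key
        # Scope rule: a satellite may only make statements about its own tenant's resources.
        return all(resource_tenant(p.partition(":")[2]) == a.tenant for p in a.permissions)

    def authorize(self, a: Assertion, action: str, resource: str) -> bool:
        return (self.verify(a)
                and resource_tenant(resource) == a.tenant
                and f"{action}:{resource}" in a.permissions)


def build_demo():
    """Constructed setup: two tenants that both have a user called jsmith."""
    central = CentralAuth()
    tenant_x = TenantAuthServer("tenantX", b"key-for-tenant-x",
                                {"jsmith": ("pwx", ["read:/tenantX/docs"])})
    tenant_y = TenantAuthServer("tenantY", b"key-for-tenant-y",
                                {"jsmith": ("pwy", ["read:/tenantY/docs"]),
                                 # misconfigured grant that points at another tenant's data
                                 "mallory": ("pwm", ["read:/tenantX/docs"])})
    central.register_tenant("tenantX", tenant_x._key)
    central.register_tenant("tenantY", tenant_y._key)
    return central, tenant_x, tenant_y


if __name__ == "__main__":
    central, tx, ty = build_demo()
    ax = tx.authenticate("jsmith", "pwx")
    ay = ty.authenticate("jsmith", "pwy")
    print(principal("tenantX", "jsmith"), principal("tenantY", "jsmith"))
    print(central.authorize(ax, "read", "/tenantX/docs"), central.authorize(ax, "read", "/tenantY/docs"))
    print(central.authorize(ay, "read", "/tenantY/docs"), central.authorize(ay, "read", "/tenantX/docs"))
    print(central.verify(ty.authenticate("mallory", "pwm")))
```

The central server never learns a password or a user list; it only checks that the assertion carries a valid MAC under the issuing tenant's key and that every permission and the requested resource belong to that same tenant, so a satellite for Tenant Y has no way to make a statement the core will honour about Tenant X's resources.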
