← Back to team overview

openstack team mailing list archive

Re: [Scaling][Orchestration] Zone changes. WAS: [Question #185840]: Multi-Zone finally working on ESSEX but cant "nova list" (KeyError: 'uuid') + doubts


The approach here looks solid, but I'm not sure if it goes far enough.

One issue that Keystone has to resolve eventually is how to authenticate request for tenant-specific file system users.
Basically the core authentication system allows satellite authentication systems to authenticate users within defined scopes.
That is a Tenant X authentication server authenticates file system users for Tenant X. TenantX:Jsmith is a different user than

What you probably want to avoid for that sort of system is *mapping* all of users from each of the Tenants to the central
authentication server. Adding and deleting file system users from *all* tenants could end up being a bit too many transactions
and ultimately requires excessive and error-prone replication of data.

What we need is for TenantX's server to provide the information about who "Jsmith" is, and what jsmith is allowed to do,
But in a way where it cannot reference any of TenantY's resources.