
openstack team mailing list archive

Re: Identity API v3 - Why allow multi-tenant users?

 

Allowing a user to be associated with multiple tenants (a.k.a. projects) is what we have currently, and it works reasonably well. It has not produced a significantly more complicated system.

I would argue the flipside of your point, which is that the admin permission system in keystone is particularly convoluted and not clearly scoped. The lack of differentiation between the abilities of a project admin vs. a "system" admin, etc... the fact that being granted admin permissions on *any* project gives you admin permissions for *all* of your OpenStack installation... There are some very odd issues in the details of that side of the equation.

All the best,


- Gabriel

From: openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Caitlin Bestler
Sent: Tuesday, May 29, 2012 10:18 AM
To: openstack@xxxxxxxxxxxxxxxxxxx
Subject: [Openstack] Identity API v3 - Why allow multi-tenant users?

One of the major complications I see in the API is that users can be associated with multiple tenants.

What is the benefit of this? What functionality would be lost if a human user merely had to use a different account with each tenant?

There are numerous issues with multi-tenant users. For example, if a user is associated with multiple tenants, who resets the user's password?

