openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #14795
Re: Identity API v3 - Why allow multi-tenant users?
I thought that the v3 API supports domains as a group of tenants which would make the question rather different.
Thus, I guess the question is
A. Should there be users in multiple tenants in a single domain ?
B. Should there be users in multiple domains ?
There are clear use cases for A (such as researchers working on multiple projects sharing project quotas)
For B, it is less clear as if I am a domain administrator, I do not want to be told that I cannot allocate user X since another domain has already taken it. On the other hand, there is a clear architectural benefit from having the concept of identity (and authentication) split off from roles and projects.
Tim
From: openstack-bounces+tim.bell=cern.ch@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+tim.bell=cern.ch@xxxxxxxxxxxxxxxxxxx] On Behalf Of John Postlethwait
Sent: 18 July 2012 07:42
To: Rouault, Jason (Cloud Services)
Cc: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Identity API v3 - Why allow multi-tenant users?
Forcing a user to remember different usernames and/or passwords for each project they are a part of, when it is possible they are part of N projects, really isn't an acceptable option in my opinion.
I believe that regardless of the engineering complexities, the end users shouldn't have to feel pain in order to make engineering the solutions and features they interact with easier. Software is for end users (in their various forms) and as such we need to take that into account when we make decisions. While no functionality is lost per se, there is a major end-user impact, and that should be reason enough to implement it…
John Postlethwait
Nebula, Inc.
206-999-4492
On Tuesday, July 17, 2012 at 4:15 PM, Rouault, Jason (Cloud Services) wrote:
One benefit is the user does not need to have multiple sets of credentials to interact with multiple projects.
Jason
From: openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+jason.rouault=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Adam Young
Sent: Tuesday, July 17, 2012 11:55 AM
To: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Identity API v3 - Why allow multi-tenant users?
On 05/29/2012 01:18 PM, Caitlin Bestler wrote:
One of the major complication I see in the API is that users can be associated with multiple tenants.
What is the benefit of this? What functionality would be lost if a human user merely had to use a different account with each tenant?
There are numerous issues with multi-tenant users. For example, if a user is associated with multiple tenants, who resets the user’s password?
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Did you ever get an answer? This has been discussed in depth.
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
Follow ups
References