← Back to team overview

openstack team mailing list archive

[keystone] Multi-tenants per user, authentication tokens and global roles

 

I'm working on upgrading to essex, which means I need to start using
keystone. My use case seems to not fit keystone very well, though...

In my environment, one user can be a member of many projects (some
users are in up to 20-30 projects). Management of projects is done
nearly completely though the web interface, and users may work on
resources in multiple projects at the same time. Our web interface can
show all or a subset of user's project's resources in the same view.

In Nova, using the EC2 API, I could query all resources for a user on
their behalf using an admin user, or I could use their access/secret
key and change the tenant for requesting each project.

>From what I can tell in Keystone, when a user authenticates, they get
a token directly linked with a tenant. If I want to do API calls on a
user's behalf in a tenant, I must authenticate them for that tenant.
It seems there's no way for me to make requests on a user's behalf for
multiple projects without authenticating them for every single tenant.
Is this the case? Is there any way for me to handle this? I'd really
like to avoid authenticating a user 30 times on login, then needing to
store all 30 of their tokens.

I have another issue as well. My environment is meant to be integrated
and more of a private-style cloud. We have a group of administrators
that should be able to manage all instances, networks, etc. In Nova's
auth there were global groups. In Keystone there are no global groups.
Will this ever be added into keystone? It's really annoying to need to
constantly add/remove ourselves from projects to manage them.

- Ryan


Follow ups