← Back to team overview

openstack team mailing list archive

Re: [keystone] Multi-tenants per user, authentication tokens and global roles

 

On 07/26/2012 08:30 PM, Ryan Lane wrote:
I'm working on upgrading to essex, which means I need to start using
keystone. My use case seems to not fit keystone very well, though...

In my environment, one user can be a member of many projects (some
users are in up to 20-30 projects). Management of projects is done
nearly completely though the web interface, and users may work on
resources in multiple projects at the same time. Our web interface can
show all or a subset of user's project's resources in the same view.

In Nova, using the EC2 API, I could query all resources for a user on
their behalf using an admin user, or I could use their access/secret
key and change the tenant for requesting each project.

>From what I can tell in Keystone, when a user authenticates, they get
a token directly linked with a tenant. If I want to do API calls on a
user's behalf in a tenant, I must authenticate them for that tenant.
It seems there's no way for me to make requests on a user's behalf for
multiple projects without authenticating them for every single tenant.
Is this the case? Is there any way for me to handle this? I'd really
like to avoid authenticating a user 30 times on login, then needing to
store all 30 of their tokens.

Not in Essex. When we discussed the Domains blueprint, one issue that I brought up was nested groups/projects. That would solve your problem. It is not currently being developed.


I have another issue as well. My environment is meant to be integrated
and more of a private-style cloud. We have a group of administrators
that should be able to manage all instances, networks, etc. In Nova's
auth there were global groups. In Keystone there are no global groups.
Will this ever be added into keystone? It's really annoying to need to
constantly add/remove ourselves from projects to manage them.
Again, this is really a group nesting problem. I am not sure if the domain blueprint would help you out here:
https://review.openstack.org/#/c/8114/
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
http://etherpad.openstack.org/keystone-domains


- Ryan

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




Follow ups

References