<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 29, 2014 at 12:59 PM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-GB" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A further vote to maintain compatibility . One of the key parts to a good federation design is to be using it in the field and encountering
 real life problems.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Production sites expect stability of interfaces and functions. If this cannot be reasonably ensured, the federation function deployment
 scope will be very limited and remain lightly used. Without usage, the real end user functional gaps and additional requirements cannot be determined.</span></p></div></div></blockquote><div><br></div><div>+1</div><div>

<br></div><div>Maintaining compatibility with OS-FEDERATION is not something we can compromise on: backwards compatibility should be guaranteed. If we made a terrible decision in the established groundwork that precludes solving a use case with sufficiently high demand (and I have not seen any evidence suggesting that to be the case), we'll have to build an alternative solution in parallel - not redesign OS-FEDERATION.</div>

<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-GB" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>


<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Tim<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Brad Topol [mailto:<a href="mailto:btopol@us.ibm.com" target="_blank">btopol@us.ibm.com</a>]
<br>
<b>Sent:</b> 29 May 2014 19:31</span></p><div class=""><br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
</div><div><div class="h5"><b>Subject:</b> Re: [openstack-dev] [keystone] Redesign of Keystone Federation<u></u><u></u></div></div><p></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">+1!   Excellent summary and analysis Morgan!</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">--Brad</span> <br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
<br>
Brad Topol, Ph.D.<br>
IBM Distinguished Engineer<br>
OpenStack<br>
<a href="tel:%28919%29%20543-0646" value="+19195430646" target="_blank">(919) 543-0646</a><br>
Internet:  <a href="mailto:btopol@us.ibm.com" target="_blank">btopol@us.ibm.com</a><br>
Assistant: Kendra Witherspoon <a href="tel:%28919%29%20254-0680" value="+19192540680" target="_blank">(919) 254-0680</a></span> <br>
<br>
<br>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5f5f5f">From:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Morgan Fainberg <<a href="mailto:morgan.fainberg@gmail.com" target="_blank">morgan.fainberg@gmail.com</a>></span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5f5f5f">To:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>>,
</span><br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5f5f5f">Date:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">05/29/2014 01:07 PM</span>
<br>
<span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#5f5f5f">Subject:        </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif"">Re: [openstack-dev] [keystone] Redesign of Keystone Federation</span>
<u></u><u></u></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="3" width="100%" noshade style="color:#a0a0a0" align="center">
</div>
<p class="MsoNormal"><br>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I agree that there is room for improvement on the Federation design within Keystone. I would like to re-iterate what Adam said that we are already seeing efforts to fully integrate further protocol
 support (OpenID Connect, etc) within the current system. Lets be sure that whatever redesign work is proposed and accepted takes into account the current stakeholders (that are really using Federation) and ensure full backwards compatibility.</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I firmly believe we can work within the Apache module framework for Juno. Moving beyond Juno we may need to start implementing the more native modules (proposal #2). Lets be sure whatever redesign
 work we perform this cycle doesn’t lock us exclusively into one path or another. It shouldn’t be too hard to continue making incremental improvements (agile methodology) and keeping the stakeholders engaged.</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">David and Kristy, the slides and summit session are a great starting place for this work. Now we need to get the proposal drafted up in the new Keystone-Specs repository (
</span><a href="https://git.openstack.org/cgit/openstack/keystone-specs" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">https://git.openstack.org/cgit/openstack/keystone-specs</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
 ) so we can keep this conversation on track. Having the specification clearly outlined and targeted will help us address any concerns with the proposal/redesign as we move into implementation.</span>
<br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Cheers,</span> <br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Morgan</span> <u></u>
<u></u></p>
<p><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">—<br>
Morgan Fainberg</span></b> <u></u><u></u></p>
<p style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>
From: Adam Young </span><a href="mailto:ayoung@redhat.com" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">ayoung@redhat.com</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>


Reply: OpenStack Development Mailing List (not for usage questions) </span><a href="mailto:openstack-dev@lists.openstack.org" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">openstack-dev@lists.openstack.org</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>


Date: May 28, 2014 at 09:24:26<br>
To: <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>
</span><a href="mailto:openstack-dev@lists.openstack.org" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">openstack-dev@lists.openstack.org</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><br>


Subject:  Re: [openstack-dev] [keystone] Redesign of Keystone Federation </span><br>
<br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">On 05/28/2014 11:59 AM, David Chadwick wrote:
<br>
> Hi Everyone <br>
> <br>
> at the Atlanta meeting the following slides were presented during the <br>
> federation session <br>
> <br>
> </span><a href="http://www.slideshare.net/davidwchadwick/keystone-apach-authn" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">http://www.slideshare.net/davidwchadwick/keystone-apach-authn</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
<br>
> <br>
> It was acknowledged that the current design is sub-optimal, but was a <br>
> best first effort to get something working in time for the Icehouse <br>
> release, which it did successfully. <br>
> <br>
> Now is the time to redesign federated access in Keystone in order to <br>
> allow for: <br>
> i) the inclusion of more federation protocols such as OpenID and OpenID <br>
> Connect via Apache plugins <br>
<br>
These are underway: Steve Mar just posted a review for OpenID Connect. <br>
> ii) federating together multiple Keystone installations <br>
I think Keystone should be dealt with separately. Keystone is not a good <br>
stand-alone authentication mechanism. <br>
<br>
> iii) the inclusion of federation protocols directly into Keystone where <br>
> good Apache plugins don't yet exist, e.g. IETF ABFAB <br>
I thought this was mostly pulling together other protocols such as RADIUS? <br>
</span><a href="http://freeradius.org/mod_auth_radius/" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">http://freeradius.org/mod_auth_radius/</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
<br>
<br>
> <br>
> The Proposed Design (1) in the slide show is the simplest change to <br>
> make, in which the Authn module has different plugins for different <br>
> federation protocols, whether via Apache or not. <br>
<br>
I'd like to avoid doing non-HTTPD modules for as long as possible. <br>
<br>
> <br>
> The Proposed Design (2) is cleaner since the plugins are directly into <br>
> Keystone and not via the Authn module, but it requires more <br>
> re-engineering work, and it was questioned in Atlanta whether that <br>
> effort exists or not. <br>
<br>
The "method" parameter is all that is going to vary for most of the Auth <br>
mechanisms. X509 and Kerberos both require special setup of the HTTP <br>
connection to work, which means client and server sides need to be in <br>
sync: SAML, OpenID and the rest have no such requirements. <br>
<br>
> <br>
> Kent therefore proposes that we go with Proposed Design (1). Kent will <br>
> provide drafts of the revised APIs and the re-engineered code for <br>
> inspection and approval by the group, if the group agrees to go with <br>
> this revised design. <br>
> <br>
> If you have any questions about the proposed re-design, please don't <br>
> hesitate to ask <br>
> <br>
> regards <br>
> <br>
> David and Kristy <br>
> <br>
> _______________________________________________ <br>
> OpenStack-dev mailing list <br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<br>
> </span><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</span></a><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">
</span></p>


</div></div></div>
</div>
</div>

<br></blockquote></div><br></div></div>
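<p>The thread above is about keeping the OS-FEDERATION interface stable while more Apache authentication modules are plugged in. The part of that interface a deployer actually touches is the mapping: the Apache module authenticates the request and exports assertion attributes into the WSGI environ, and Keystone's mapping rules turn them into a local user and group memberships. What follows is an added example, not code from the original thread or from Keystone itself: a simplified re-implementation in Python of that mapping step, run over a constructed environ. The attribute names (HTTP_X_AFFILIATION, HTTP_X_DISPLAYNAME), the group ids and the user values are hypothetical; only the any_one_of, not_any_of, regex and direct-map ({n}) rule forms are covered, the first value of a multi-valued attribute fills a {n} placeholder, and group ids from all matching rules are merged.</p>

```python
"""Simplified OS-FEDERATION-style mapping evaluation.

Added example, not Keystone's own code: it re-implements only the
any_one_of, not_any_of, regex and direct-map ({n}) rule forms, with two
simplifications (the first value of a multi-valued attribute fills {n};
the first rule naming a user wins, group ids of all matching rules merge).
"""
import re

# Constructed sample: the attributes an Apache auth module (mod_shib,
# mod_auth_openidc, ...) exports into the WSGI environ before the request
# reaches Keystone's federation endpoint. Apache joins multi-valued
# attributes with ';'. Attribute names and values are hypothetical.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice@example.org",
    "HTTP_X_AFFILIATION": "staff;member",
    "HTTP_X_DISPLAYNAME": "Alice Example",
}

# Mapping in the OS-FEDERATION rule shape: 'remote' entries filter the
# assertion, 'local' entries describe the identity handed to Keystone.
# Group ids are hypothetical.
SAMPLE_MAPPING = {
    "rules": [
        {
            "local": [{"user": {"name": "{0}"}}, {"group": {"id": "staff_group"}}],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "HTTP_X_AFFILIATION", "any_one_of": ["staff", "faculty"]},
                {"type": "REMOTE_USER", "not_any_of": [r"@untrusted\.example$"],
                 "regex": True},
            ],
        },
        {
            "local": [{"user": {"name": "{0}"}}, {"group": {"id": "guest_group"}}],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "HTTP_X_AFFILIATION", "any_one_of": ["member"]},
            ],
        },
    ]
}


def assertion_from_environ(environ):
    """Turn the flat environ into {attribute: [values]}, splitting on ';'."""
    return {k: v.split(";") for k, v in environ.items() if v}


def _any_match(values, patterns, regex):
    # Regex filters are unanchored searches: anchor any_one_of patterns,
    # or r"example\.org" also accepts "example.org.attacker".
    if regex:
        return any(re.search(p, v) for p in patterns for v in values)
    return any(v in patterns for v in values)


def rule_matches(rule, assertion):
    """Return the direct-map values when every 'remote' entry holds, else None."""
    direct_maps = []
    for req in rule["remote"]:
        values = assertion.get(req["type"])
        if not values:
            return None  # attribute absent: fail closed, the rule cannot match
        regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _any_match(values, req["any_one_of"], regex):
                return None
        elif "not_any_of" in req:
            if _any_match(values, req["not_any_of"], regex):
                return None
        else:
            direct_maps.append(values[0])  # a plain 'type' entry feeds {n}
    return direct_maps


def _fill(obj, direct_maps):
    """Substitute {n} placeholders in the 'local' part of a rule."""
    if isinstance(obj, dict):
        return {k: _fill(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    return obj


def evaluate_mapping(mapping, environ):
    """Return {'user': {...}, 'group_ids': [...]} or None when nothing matched."""
    assertion = assertion_from_environ(environ)
    user, group_ids = None, []
    for rule in mapping["rules"]:
        direct_maps = rule_matches(rule, assertion)
        if direct_maps is None:
            continue
        for item in rule["local"]:
            item = _fill(item, direct_maps)
            if "user" in item and user is None:
                user = item["user"]
            if "group" in item and item["group"]["id"] not in group_ids:
                group_ids.append(item["group"]["id"])
    if user is None:
        return None  # no rule produced an identity: reject the federated request
    return {"user": user, "group_ids": group_ids}


if __name__ == "__main__":
    print(evaluate_mapping(SAMPLE_MAPPING, SAMPLE_ENVIRON))
```

<p>Two points worth checking against any real mapping: a rule fails closed when an attribute named in its remote section is absent from the assertion, and a regex filter is an unanchored search, so any_one_of patterns need explicit anchors. Running the block prints the merged result for the sample environ, with alice placed in both the staff and guest groups because both rules match her attributes.</p>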