[Openstack] AuthZ functionality in Keystone - Re: [WAS]OpenStack Identity: Keystone API Proposal
Vishvananda Ishaya
vishvananda at gmail.com
Thu Aug 18 22:50:22 UTC 2011
On Aug 18, 2011, at 3:45 PM, Somik Behera wrote:
> Hi Vish,
>
> That would be one very reasonable way to do it, but in that case we are fragmenting AuthZ in multiple services instead of Keystone taking care of AuthZ across all services.
We can't necessarily depend on keystone to keep track of all objects owned by each service. Especially for things like swift where millions of objects are involved. I therefore think the right solution is to have the services responsible for their own objects, and allow them to delegate to keystone in the cases where it makes sense.
>
> Depending on Keystone's roadmap and plans, we could take a 2 phased approach, where Nova doing AuthZ is a temporary solution till Keystone can do it or if Keystone is not going to have this capability, then we go down the path you are suggesting - Keystone does AuthN and we rely on Nova to authorize a tenant's access rights to a particular vif.
>
> Thanks,
> Somik
More information about the Openstack
mailing list