[Openstack] [Scaling][Orchestration] Zone changes. WAS: [Question #185840]: Multi-Zone finally working on ESSEX but cant "nova list" (KeyError: 'uuid') + doubts

Caitlin Bestler Caitlin.Bestler at nexenta.com
Thu Jan 26 23:39:21 UTC 2012


The approach here looks solid, but I'm not sure if it goes far enough.

One issue that Keystone has to resolve eventually is how to authenticate requests for tenant-specific file system users.
Basically the core authentication system allows satellite authentication systems to authenticate users within defined scopes.
That is, a Tenant X authentication server authenticates file system users for Tenant X. TenantX:Jsmith is a different user than
TenantY:Jsmith.

What you probably want to avoid for that sort of system is *mapping* all of the users from each of the Tenants to the central
authentication server. Adding and deleting file system users from *all* tenants could end up being a bit too many transactions
and ultimately requires excessive and error-prone replication of data.

What we need is for TenantX's server to provide the information about who "Jsmith" is, and what jsmith is allowed to do,
but in a way where it cannot reference any of TenantY's resources.
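
A sketch of the scoped delegation described above, as an added example that is not part of the original post and not Keystone code. The class names, the `/<tenant>/...` resource naming and the sample users are assumptions made for illustration.

```python
import hashlib, hmac, os

class ScopeViolation(Exception):
    """A satellite returned a grant outside its own tenant."""

def _digest(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class SatelliteAuth:
    """Tenant-owned user store; the core never holds a copy of these users."""
    def __init__(self, users):
        # users: {name: (secret, [(resource, action), ...])}, constructed sample data
        self._users = {}
        for name, (secret, grants) in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _digest(secret, salt), grants)

    def authenticate(self, name, secret):
        entry = self._users.get(name)
        if entry is None:
            return None
        salt, stored, grants = entry
        return list(grants) if hmac.compare_digest(stored, _digest(secret, salt)) else None

class CoreAuth:
    """Routes 'Tenant:user' logins to that tenant's satellite and bounds its answer."""
    def __init__(self):
        self._satellites = {}

    def register(self, tenant, satellite):
        self._satellites[tenant] = satellite

    def authenticate(self, qualified_name, secret):
        tenant, sep, user = qualified_name.partition(":")
        satellite = self._satellites.get(tenant)
        if not sep or satellite is None:
            return None  # unqualified name or unknown tenant
        grants = satellite.authenticate(user, secret)
        if grants is None:
            return None
        for resource, _action in grants:
            # Fail closed: a single out-of-scope grant rejects the whole login.
            parts = resource.split("/")
            if parts[:2] != ["", tenant] or ".." in parts:
                raise ScopeViolation(f"{tenant} satellite referenced {resource}")
        return {"identity": f"{tenant}:{user}", "grants": grants}

core = CoreAuth()
core.register("TenantX", SatelliteAuth({"Jsmith": ("x-secret", [("/TenantX/home/jsmith", "rw")])}))
core.register("TenantY", SatelliteAuth({"Jsmith": ("y-secret", [("/TenantY/home/jsmith", "ro")])}))
```

The core stores only one satellite reference per tenant, so adding or deleting a tenant's file system users needs no transaction against the central server.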




