<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas","serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2131392416;
mso-list-type:hybrid;
mso-list-template-ids:520768046 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Agree that this is a tricky technical issue, and I agree that the issue of management of Authn and Authz should be external to Nova and all other OpenStack components.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>I believe there are two fundamental problems to be solved and that we will confuse ourselves if we try to mix them together:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Single administrative / security domain topology. Consisting of potentially multiple zones there is a single authority for identities and authn/authz. Components within each zone have connectivity to the security authority. The issue of how the singular authority is distributed/replicated is a problem solved by the IDM (LDAP, AD, etc.).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>This is the base topology that any private or public cloud will need to implement. It will be overlaid on the required network topology to provide true isolation for resources owned by an identity.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>Multiple security domain topologies. This is the federated cloud model that OpenStack has on the strategic roadmap. Overlaid on #1, a set of resources is identified by the #1 security authority and a virtual network is created that all of these resources attach to. A secondary cloud can attach to this network and treat it as an extension of its native network (VPN, tunneling, etc.). Once this topology is established, the administrative domain within the overlay is owned by the security domain of the secondary cloud (opaque to the underlying host cloud). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>The issue of how to create connectivity between the secondary security domain and the newly created overlay in the remote cloud is still TBD.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'>John<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> openstack-bounces+john=openstack.org@lists.launchpad.net [mailto:openstack-bounces+john=openstack.org@lists.launchpad.net] <b>On Behalf Of </b>Khaled Hussein<br><b>Sent:</b> Monday, March 28, 2011 11:02 AM<br><b>To:</b> OpenStack<br><b>Subject:</b> Re: [Openstack] Federated Identity Management (bursting and zones)<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I personally think that having an external Identity Management solution is the best option. In my mind there are vare valuable benefits for having a highly scalable, enterprise class, identity management solution on OpenStack such as (1) Separation of concerns of Authentication and Authorization from the core OpenStack services and (2) Providing a unified authentication and user management system for OpenStack services (i.e. Swift, Nova, Glance, ..etc.). <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I think this is worthy of a summit discussion.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Khaled<o:p></o:p></p><div><p class=MsoNormal>On Mon, Mar 28, 2011 at 10:27 AM, <<a href="mailto:ksankar@doubleclix.net">ksankar@doubleclix.net</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Couple of quick thoughts:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>IMHO, -2. Rely on external system- is the best solution. This enables the decoupling of authorization, which then can be extended or integrated with existing systems, as appropriate by Openstack deployments. This also can be an instance of a federated identity management. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><a href="http://-1.Replicated" target="_blank">-1.Replicated</a> user accounts- is the worst as it can create sync problems.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Cheers<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><k/><o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:6.0pt;margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>-------- Original Message --------<br>Subject: [Openstack] Federated Identity Management (bursting and zones)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>From: Sandy Walsh <<a href="mailto:sandy.walsh@rackspace.com" target="_blank">sandy.walsh@rackspace.com</a>><o:p></o:p></span></p></div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>Date: Mon, March 28, 2011 7:15 am<br>To: "<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>" <<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>><o:p></o:p></span></p><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Currently, we link Nova deployments (aka Zones) with a single admin account. All operations done in the child zone are done with this admin account. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Obviously this needs to change. A simple operation such as "get_all_servers" should only return the servers that User X owns. In the current implementation, all the servers the admin account can see will be returned.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>We need some form of federated identity management. User accounts must be shared between homogeneous and heterogeneous deployments. ie. all private, all public or public/private (aka Hybrid) via Bursting.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>There are some possibilities here:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>1. Replicate User accounts across zones. A user account would map to N child zone accounts ... one for each child zone. These "placeholder" accounts are hidden from the user and synchronized when the parent changes.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>2. Rely on an external/shared user management service. Let the Auth/RBAC system sort out visibility, control, etc. This system would need to be publicly available to both groups in the hybrid scenario.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>3. Continue with the admin account and filter access control/visibility in the parent zone. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>... and I'm sure there are others. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Nasty problem. Lots of issues and concerns with each approach. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Is there anyone actively working on this who can share some info?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>What is the currently sentiment in terms of an approach?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Summit discussion?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Sandy<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>PS> I did some scanning of the BP's and don't see anything directly addressing this. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="https://blueprints.launchpad.net/nova/+spec/bursting" target="_blank">https://blueprints.launchpad.net/nova/+spec/bursting</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="https://blueprints.launchpad.net/nova/+spec/authentication-consistency" target="_blank">https://blueprints.launchpad.net/nova/+spec/authentication-consistency</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a href="https://blueprints.launchpad.net/nova/+spec/bexar-auth-manager-api" target="_blank">https://blueprints.launchpad.net/nova/+spec/bexar-auth-manager-api</a><o:p></o:p></span></p></div></div><pre><span style='color:black'>Confidentiality Notice: This e-mail message (including any attached or<o:p></o:p></span></pre><pre><span style='color:black'>embedded documents) is intended for the exclusive and confidential use of the<o:p></o:p></span></pre><pre><span style='color:black'>individual or entity to which this message is addressed, and unless otherwise<o:p></o:p></span></pre><pre><span style='color:black'>expressly indicated, is confidential and privileged information of Rackspace.<o:p></o:p></span></pre><pre><span style='color:black'>Any dissemination, distribution or copying of the enclosed material is prohibited.<o:p></o:p></span></pre><pre><span style='color:black'>If you receive this transmission in error, please notify us immediately by e-mail<o:p></o:p></span></pre><pre><span style='color:black'>at <a href="mailto:abuse@rackspace.com" target="_blank">abuse@rackspace.com</a>, and delete the original message.<o:p></o:p></span></pre><pre><span style='color:black'>Your cooperation is appreciated.<o:p></o:p></span></pre><div class=MsoNormal align=center style='text-align:center'><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'><hr size=2 width="100%" align=center></span></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black'>_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><o:p></o:p></span></p></div></div></div></blockquote></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div><pre><o:p> </o:p></pre><pre>Confidentiality Notice: This e-mail message (including any attached or<o:p></o:p></pre><pre>embedded documents) is intended for the exclusive and confidential use of the<o:p></o:p></pre><pre>individual or entity to which this message is addressed, and unless otherwise<o:p></o:p></pre><pre>expressly indicated, is confidential and privileged information of Rackspace.<o:p></o:p></pre><pre>Any dissemination, distribution or copying of the enclosed material is prohibited.<o:p></o:p></pre><pre>If you receive this transmission in error, please notify us immediately by e-mail<o:p></o:p></pre><pre>at abuse@rackspace.com, and delete the original message.<o:p></o:p></pre><pre>Your cooperation is appreciated.<o:p></o:p></pre></div></body></html>