<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body style="word-wrap:break-word" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">I'm curious about the interactions from the user side with OAuth (cmdline)
<div><br>
</div>
<div>Unless there's work underway on this already I wouldn't mind throwing a BP/spec together on how this might work (if possible). </div>
<div><br>
</div>
<div>Any objections?</div>
<div><br>
</div>
<div>-S<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF205140" style="direction: ltr; "><font face="Tahoma" size="2" color="#000000"><b>From:</b> openstack-bounces+sandy.walsh=rackspace.com@lists.launchpad.net [openstack-bounces+sandy.walsh=rackspace.com@lists.launchpad.net] on behalf of Vishvananda
Ishaya [vishvananda@gmail.com]<br>
<b>Sent:</b> Monday, March 28, 2011 2:19 PM<br>
<b>To:</b> Khaled Hussein<br>
<b>Cc:</b> openstack@lists.launchpad.net<br>
<b>Subject:</b> Re: [Openstack] Federated Identity Management (bursting and zones)<br>
</font><br>
</div>
<div></div>
<div>Agreed, Pluggable option 2 with a default OAuth implementation seems like the best strategy.
<div><br>
</div>
<div>Vish<br>
<div><br>
<div>
<div>On Mar 28, 2011, at 9:42 AM, Khaled Hussein wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">I was thinking of having OAuth implementation for authorization/delegation in an external identity management solution, option 2 :). The IdM solution can be extensible to support other Identity Federation protocols as well such as SAML.<br>
<br>
Khaled<br>
<br>
<div class="gmail_quote">On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <span dir="ltr">
<<a href="mailto:jaypipes@gmail.com" target="_blank">jaypipes@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div class="im">On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <<a href="mailto:sandy.walsh@rackspace.com" target="_blank">sandy.walsh@rackspace.com</a>> wrote:<br>
> Currently, we link Nova deployments (aka Zones) with a single admin account.<br>
> All operations done in the child zone are done with this admin account.<br>
> Obviously this needs to change. A simple operation such as "get_all_servers"<br>
> should only return the servers that User X owns. In the current<br>
> implementation, all the servers the admin account can see will be returned.<br>
> We need some form of federated identity management. User accounts must be<br>
> shared between homogeneous and heterogeneous deployments. ie. all private,<br>
> all public or public/private (aka Hybrid) via Bursting.<br>
> There are some possibilities here:<br>
> 1. Replicate User accounts across zones. A user account would map to N child<br>
> zone accounts ... one for each child zone. These "placeholder" accounts are<br>
> hidden from the user and synchronized when the parent changes.<br>
> 2. Rely on an external/shared user management service. Let the Auth/RBAC<br>
> system sort out visibility, control, etc. This system would need to be<br>
> publicly available to both groups in the hybrid scenario.<br>
> 3. Continue with the admin account and filter access control/visibility in<br>
> the parent zone.<br>
> ... and I'm sure there are others.<br>
<br>
</div>
4. Use OAuth?<br>
<font color="#888888"><br>
-jay<br>
</font>
<div>
<div></div>
<div class="h5"><br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div>
</div>
</blockquote>
</div>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
<style type="text/css">embed[type*="application/x-shockwave-flash"],embed[src*=".swf"],object[type*="application/x-shockwave-flash"],object[codetype*="application/x-shockwave-flash"],object[src*=".swf"],object[codebase*="swflash.cab"],object[classid*="D27CDB6E-AE6D-11cf-96B8-444553540000"],object[classid*="d27cdb6e-ae6d-11cf-96b8-444553540000"],object[classid*="D27CDB6E-AE6D-11cf-96B8-444553540000"]{ display: none !important;}</style><style type="text/css">embed[type*="application/x-shockwave-flash"],embed[src*=".swf"],object[type*="application/x-shockwave-flash"],object[codetype*="application/x-shockwave-flash"],object[src*=".swf"],object[codebase*="swflash.cab"],object[classid*="D27CDB6E-AE6D-11cf-96B8-444553540000"],object[classid*="d27cdb6e-ae6d-11cf-96b8-444553540000"],object[classid*="D27CDB6E-AE6D-11cf-96B8-444553540000"]{ display: none !important;}</style>
<PRE>
Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse@rackspace.com, and delete the original message.
Your cooperation is appreciated.
</PRE></body>
</html>