<html><body><span style="font-family:Verdana; color:#000000; font-size:10pt;"><div>Yep, we would need to support OAuth and SAML. OAuth solves only the authentication aspect. We also need the authorization layer which resolves the visibility, filtering and so forth. </div><div><br></div><div>This is a good time to think this layer through and offer a set of lightweight mechanisms that are extensible as well as well integratable with existing systems.</div><div><br></div><div>As Sandy pointed out, we should have a summit discussion; and we want to be pragmatic otherwise this domain can get pretty wide very fast.</div><div><br></div><div>Cheers</div><div><k/><br></div>
<blockquote id="replyBlockquote" webmail="1" style="border-left: 2px solid blue; margin-left: 8px; padding-left: 8px; font-size:10pt; color:black; font-family:verdana;">
<div id="wmQuoteWrapper">
-------- Original Message --------<br>
Subject: Re: [Openstack] Federated Identity Management (bursting and<br>
zones)<br>
From: Khaled Hussein <<a href="http://khaled.hussein@rackspace.com>">khaled.hussein@rackspace.com></a>;<br>
Date: Mon, March 28, 2011 9:42 am<br>
To: Jay Pipes <<a href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>><br>
Cc: "<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>" <<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>><br>
<br>
I was thinking of having OAuth implementation for authorization/delegation in an external identity management solution, option 2 :). The IdM solution can be extensible to support other Identity Federation protocols as well such as SAML.<br> <br>Khaled<br><br><div class="gmail_quote">On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <span dir="ltr"><<a target="_blank" href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> <div class="im">On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <<a target="_blank" href="mailto:sandy.walsh@rackspace.com">sandy.walsh@rackspace.com</a>> wrote:<br> > Currently, we link Nova deployments (aka Zones) with a single admin account.<br> > All operations done in the child zone are done with this admin account.<br> > Obviously this needs to change. A simple operation such as "get_all_servers"<br> > should only return the servers that User X owns. In the current<br> > implementation, all the servers the admin account can see will be returned.<br> > We need some form of federated identity management. User accounts must be<br> > shared between homogeneous and heterogeneous deployments. ie. all private,<br> > all public or public/private (aka Hybrid) via Bursting.<br> > There are some possibilities here:<br> > 1. Replicate User accounts across zones. A user account would map to N child<br> > zone accounts ... one for each child zone. These "placeholder" accounts are<br> > hidden from the user and synchronized when the parent changes.<br> > 2. Rely on an external/shared user management service. Let the Auth/RBAC<br> > system sort out visibility, control, etc. This system would need to be<br> > publicly available to both groups in the hybrid scenario.<br> > 3. Continue with the admin account and filter access control/visibility in<br> > the parent zone.<br> > ... and I'm sure there are others.<br> <br> </div>4. Use OAuth?<br> <font color="#888888"><br> -jay<br> </font><div><div></div><div class="h5"><br> _______________________________________________<br> Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br> Post to : <a target="_blank" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br> Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br> </div></div></blockquote></div><br> <hr>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a><br>
</div>
</blockquote></span></body></html>