<html><body>
<p>Hi Everyone,</p>
<p>For OpenStack to achieve the goal of being a "massively scalable cloud operating system", it needs a common approach to some of the problems that an "operating system" deals with, such as Authentication (auth-n) and Authorization (auth-z). There has been much discussion on the topic (see below), so we are proposing we combine all these efforts into a new OpenStack project that addresses the auth of all other projects.</p>
<p>I would like to raise this for discussion at the upcoming summit in Santa Clara and put forward the following as a starting point for the discussion:</p>
<p>SCOPE</p>
<p>The potential scope for an auth service is huge; this is not a simple problem, especially when you deal with authorization and, eventually, usage metering. We suggest we start with a minimum viable product (MVP) and that the most immediate requirements that need to be addressed are what has already been solved for in Swift and Nova today.</p>
<p>We propose to start building in (1-2 week) iterations during the Diablo development phase:</p>
<ul>
<li>One Service: there should be one auth-n service (this does not presume or preclude auth-z)</li>
<li>Service is a new Core service</li>
<li>Protocol: initial implementation of Rackspace auth token</li>
<li>Anyscale: single dev machine to globally distributed</li>
<li>Integrate with Swift, Nova</li>
<li>Independent: I can run this on its own (no coupling to other services). Therefore it can be installed and run with any services that are OpenStack compatible.</li>
</ul>
<p>TIMELINE</p>
<p>Iteration 0 (1-2 weeks): MVP prototype</p>
<ul>
<li>blueprint</li>
<li>We need lightweight delegation (one tenant / multiple users) on validate (this extends the scope of what is in Rackspace and Swift, but is needed for Nova)</li>
<li>No delegation beyond existing Nova and Swift implementation</li>
<li>Using a Token</li>
<li>Admin is handled by "groups" (roles) - only group allowed to be returned is ADMIN</li>
<li>nothing as a Service for testing.</li>
</ul>
<p>Post MVP: iteration 2/3/...: defined from a subset of the backlog &amp; feedback from the community</p>
<p>Backlog:</p>
<ul>
<li>migration path from cactus</li>
<li>support for ec2 &amp; openstack api</li>
<li>zones support</li>
<li>authz by group/role/attribute/... with pluggable Policy Engine</li>
<li>Pluggable back-end (ex: database, LDAP, Active Directory, PAM, Swift)</li>
<li>rbac / roles</li>
<li>Delegation</li>
<li>OAuth for solving 3rd party partner problem / federation</li>
<li>(Generic?) Organizational Model</li>
<li>user management API</li>
</ul>
<p>DESIGN SUMMIT</p>
<ul>
<li>We are looking forward to starting a discussion with the community on how to incrementally define and execute on a common Auth system for OpenStack</li>
</ul>
<p>ADDITIONAL INFORMATION</p>
<p>For reference, existing blueprints and discussions on the topic are:</p>
<p>SPECS and CODE</p>
<ul>
<li><a href="http://wiki.openstack.org/AuthnAuthz">http://wiki.openstack.org/AuthnAuthz</a> (spec and discussion)</li>
<li><a href="http://wiki.openstack.org/openstack-authn">http://wiki.openstack.org/openstack-authn</a> (spec)</li>
<li><a href="http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770">http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770</a> (auth service prototype)</li>
<li><a href="https://code.launchpad.net/~khussein/swift/authn">https://code.launchpad.net/~khussein/swift/authn</a> (middleware proposal)</li>
</ul>
<p>SWIFT</p>
<ul>
<li><a href="https://blueprints.launchpad.net/swift/+spec/swift-authn">https://blueprints.launchpad.net/swift/+spec/swift-authn</a></li>
<li><a href="https://blueprints.launchpad.net/swift/+spec/bexar-swauth">https://blueprints.launchpad.net/swift/+spec/bexar-swauth</a></li>
</ul>
<p>NOVA</p>
<ul>
<li><a href="https://blueprints.launchpad.net/nova/+spec/authentication-consistency">https://blueprints.launchpad.net/nova/+spec/authentication-consistency</a></li>
<li><a href="https://blueprints.launchpad.net/nova/+spec/nova-authn">https://blueprints.launchpad.net/nova/+spec/nova-authn</a></li>
</ul>
<p>GLANCE</p>
<ul>
<li><a href="https://blueprints.launchpad.net/glance/+spec/authentication">https://blueprints.launchpad.net/glance/+spec/authentication</a></li>
</ul>
<p>BURROW</p>
<ul>
<li><a href="https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap">https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap</a></li>
</ul>
<p>Regards,<br>
Ziad</p>
</body></html>