<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body style="word-wrap:break-word" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Excellent ... timely and much needed!
<div><br>
</div>
<div>For completeness here is the link to Zone AuthZ requirements: <a href="http://wiki.openstack.org/FederatedAuthZwithZones" target="_blank">http://wiki.openstack.org/FederatedAuthZwithZones</a></div>
<div><br>
</div>
<div>Look forward to helping out where I can.</div>
<div><br>
</div>
<div>-S<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF750787" style="direction: ltr; "><font face="Tahoma" size="2" color="#000000"><b>From:</b> openstack-bounces+sandy.walsh=rackspace.com@lists.launchpad.net [openstack-bounces+sandy.walsh=rackspace.com@lists.launchpad.net] on behalf of Ziad Sawalha
 [ziad@sawalha.com]<br>
<b>Sent:</b> Monday, April 18, 2011 8:42 AM<br>
<b>To:</b> openstack@lists.launchpad.net<br>
<b>Subject:</b> [Openstack] Proposing an Identity Service in OpenStack (a.k.a. Auth)<br>
</font><br>
</div>
<div></div>
<div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 14px; "><span id="OLK_SRC_BODY_SECTION">
<div>
<div style="word-wrap:break-word; color:rgb(0,0,0); font-size:14px; font-family:Calibri,sans-serif">
<div><span class="Apple-style-span" style="background-color:transparent">Hi Everyone,</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">For OpenStack to achieve the goal of being a "massively scalable cloud operating system", it needs a common approach to some of the problems that an "operating system" deals with such as
 Authentication (auth-n) and Authorization (auth-z). There has been much discussion on the topic (see below) so we are proposing we combine all these efforts into a new OpenStack project that addresses the auth of all other projects.</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">I would like to raise this for discussion at the upcoming summit in Santa Clara and put forward the following as a starting point for the discussion:</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">SCOPE</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">The potential scope for an auth service is huge; this is not a simple problem, especially when you deal with authorization and, eventually, usage metering. We suggest we start with a minimum
 viable product (MVP) and that the most immediate requirements that need to be addressed are what has already been solved for in Swift and Nova today.</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">We propose to start building in (1-2 week) iterations during the Diablo development phase:</span></div>
<div>
<div><span class="Apple-style-span" style="background-color:transparent">* One Service: there should be one auth-n service (this does not presume or preclude auth-z)</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Service is a new Core service</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Protocol: initial implementation of Rackspace auth token</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Anyscale: single dev machine to globally distributed</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Integrate with Swift, Nova </span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Independent: I can run this on its own (no coupling to other services). Therefore can be installed and run with any services that are OpenStack compatible.</span></div>
</div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div>
<div><span class="Apple-style-span" style="background-color:transparent">TIMELINE</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">Iteration 0 (1-2 weeks): MVP prototype</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* blueprint</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* We need lightweight delegation (one tenant / multiple users) on validate (this extends scope of what is in Rackspace and Swift, but is needed for Nova)</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* No delegation beyond existing Nova and Swift implementation</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Using a Token</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Admin is handled by "groups" (roles) - only group allowed to be returned is ADMIN</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* nothing as a Service for testing.</span></div>
<div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
</div>
<div>
<div><span class="Apple-style-span" style="background-color:transparent">Post MVP: iteration 2/3/...: defined from subset of backlog & feedback from community</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
</div>
<div><span class="Apple-style-span" style="background-color:transparent">Backlog:</span></div>
</div>
</div>
</div>
</span></span>
<div style="font-family: Calibri, sans-serif; font-size: 14px; ">
<div>
<div><span class="Apple-style-span" style="background-color:transparent">* migration path from cactus</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* support for ec2 & openstack api</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* zones support</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* authz by group/role/attribute/... with pluggable Policy Engine</span></div>
</div>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; "><span class="Apple-style-span" style="background-color:transparent">* Pluggable back-end (ex: database, LDAP, Active Directory, PAM, Swift)</span></div>
<span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 14px; "><span id="OLK_SRC_BODY_SECTION">
<div>
<div style="word-wrap:break-word; color:rgb(0,0,0); font-size:14px; font-family:Calibri,sans-serif">
<div>
<div><span class="Apple-style-span" style="background-color:transparent">* rbac / roles</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* Delegation</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* OAuth for solving 3rd party partner problem / federation</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* (Generic?) Organizational Model</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* user management API</span></div>
</div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">DESIGN SUMMIT</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">* We are looking forward to starting a discussion with the community on how to incrementally define and execute on a common Auth system for OpenStack</span></div>
</div>
</div>
</span></span>
<div style="font-family: Calibri, sans-serif; font-size: 14px; "><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 14px; "><span id="OLK_SRC_BODY_SECTION">
<div>
<div style="word-wrap:break-word; color:rgb(0,0,0); font-size:14px; font-family:Calibri,sans-serif">
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">ADDITIONAL INFORMATION</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">For reference, existing blueprints and discussions on the topic are:</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">SPECS and CODE</span></div>
<div><a href="http://wiki.openstack.org/AuthnAuthz" target="_blank"><span class="Apple-style-span" style="background-color:transparent">http://wiki.openstack.org/AuthnAuthz</span></a><span class="Apple-style-span" style="background-color:transparent"> (spec
 and discussion)</span></div>
<div><a href="http://wiki.openstack.org/openstack-authn" target="_blank"><span class="Apple-style-span" style="background-color:transparent">http://wiki.openstack.org/openstack-authn</span></a><span class="Apple-style-span" style="background-color:transparent"> (spec)</span></div>
<div><a href="http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770" target="_blank"><span class="Apple-style-span" style="background-color:transparent">http://bazaar.launchpad.net/~anso/nova/authn_and_authz/revision/770</span></a><span class="Apple-style-span" style="background-color:transparent"> (auth
 service prototype)</span></div>
<div><a href="https://code.launchpad.net/~khussein/swift/authn" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://code.launchpad.net/~khussein/swift/authn</span></a><span class="Apple-style-span" style="background-color:transparent"> (middleware
 proposal)</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">SWIFT</span></div>
<div><a href="https://blueprints.launchpad.net/swift/+spec/swift-authn" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://blueprints.launchpad.net/swift/+spec/swift-authn</span></a></div>
<div><a href="https://blueprints.launchpad.net/swift/+spec/bexar-swauth" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://blueprints.launchpad.net/swift/+spec/bexar-swauth</span></a></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">NOVA</span></div>
<div><a href="https://blueprints.launchpad.net/nova/+spec/authentication-consistency" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://blueprints.launchpad.net/nova/+spec/authentication-consistency</span></a></div>
<div><a href="https://blueprints.launchpad.net/nova/+spec/nova-authn" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://blueprints.launchpad.net/nova/+spec/nova-authn</span></a></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">GLANCE</span></div>
<div><a href="https://blueprints.launchpad.net/glance/+spec/authentication" target="_blank"><span class="Apple-style-span" style="background-color:transparent">https://blueprints.launchpad.net/glance/+spec/authentication</span></a></div>
<div><span class="Apple-style-span" style="background-color:transparent"><br>
</span></div>
<div><span class="Apple-style-span" style="background-color:transparent">BURROW</span></div>
<div><span class="Apple-style-span" style="background-color:transparent"><a href="https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap" target="_blank">https://blueprints.launchpad.net/burrow/+spec/openstack-auth-ldap</a></span></div>
<div><br>
</div>
<div>Regards,</div>
<div>Ziad</div>
</div>
</div>
</span></span></div>
</div>
</div>
</div>
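<div>As an added illustration of the MVP sketched in the proposal above (this is example code written for this page, not code from the proposal, from Rackspace auth, or from any OpenStack project), here is a minimal in-memory model of the iteration-0 shape: one auth-n service that issues a bearer token bound to a user and a tenant, a validate call of the kind Nova or Swift would make for a given tenant, token expiry, and group filtering that only ever surfaces ADMIN. The user names, API keys, tenant ids, the one-hour TTL and the PBKDF2 storage of keys are all assumptions chosen for the example; the proposal leaves the back-end pluggable.</div>

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ADMIN = "ADMIN"  # the only group the MVP's validate call is allowed to return


@dataclass
class User:
    name: str
    tenant_id: str
    key_hash: bytes        # salted PBKDF2 of the API key; the key itself is never stored
    salt: bytes
    groups: frozenset


@dataclass
class Token:
    user: str
    tenant_id: str         # lightweight delegation: a token is good for exactly one tenant
    expires: float


class AuthService:
    TOKEN_TTL = 3600       # assumed lifetime in seconds

    def __init__(self, clock=time.time):
        self._users = {}   # stands in for the pluggable back-end (database, LDAP, ...)
        self._tokens = {}
        self._clock = clock

    @staticmethod
    def _hash(api_key, salt):
        return hashlib.pbkdf2_hmac("sha256", api_key.encode(), salt, 50_000)

    def add_user(self, name, tenant_id, api_key, groups=()):
        salt = secrets.token_bytes(16)
        self._users[name] = User(name, tenant_id, self._hash(api_key, salt), salt, frozenset(groups))

    def authenticate(self, name, api_key):
        """Exchange (user, API key) for an opaque token, or None on failure."""
        user = self._users.get(name)
        if user is None:
            self._hash(api_key, bytes(16))   # do the same work for unknown names
            return None
        if not hmac.compare_digest(self._hash(api_key, user.salt), user.key_hash):
            return None
        token_id = secrets.token_urlsafe(32)
        self._tokens[token_id] = Token(user.name, user.tenant_id, self._clock() + self.TOKEN_TTL)
        return token_id

    def validate(self, token_id, tenant_id):
        """What a consuming service (Nova, Swift) asks: is this token valid for this tenant?

        Returns a dict with user, tenant and groups, or None. Expired tokens are
        dropped on sight, and only ADMIN membership is ever disclosed.
        """
        tok = self._tokens.get(token_id)
        if tok is None or tok.expires <= self._clock():
            self._tokens.pop(token_id, None)
            return None
        if tok.tenant_id != tenant_id:
            return None
        user = self._users[tok.user]
        groups = [ADMIN] if ADMIN in user.groups else []
        return {"user": user.name, "tenant": tok.tenant_id, "groups": groups}


def demo():
    """Constructed walk-through: two users in one tenant, one of them an admin."""
    svc = AuthService()
    svc.add_user("alice", "tenant-1", "alice-key", groups=["ADMIN", "DEV"])
    svc.add_user("bob", "tenant-1", "bob-key", groups=["DEV"])
    alice_token = svc.authenticate("alice", "alice-key")
    bob_token = svc.authenticate("bob", "bob-key")
    return (
        svc.validate(alice_token, "tenant-1"),   # ADMIN surfaced
        svc.validate(bob_token, "tenant-1"),     # DEV filtered out
        svc.validate(alice_token, "tenant-2"),   # wrong tenant: None
        svc.authenticate("alice", "guess"),      # bad key: None
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

<div>The two checks a consuming service cares about live in <code>validate</code>: the token must be unexpired and it must have been issued for the tenant the request names, which is the "one tenant / multiple users" delegation the proposal calls for. Groups other than ADMIN stay inside the service, matching the MVP rule that ADMIN is the only group allowed to be returned.</div>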
</body>
</html>