<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Yuriy,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The “dual” link concept between user and tenant (user <->
tenant, and user <-> role <-> tenant) is a little bit confusing for
me (perhaps, I don’t understand the nuances of it). What happens if a user belongs
to a tenant but has no role in it? It seems to me that instead of having a default
tenant for a user, we should have a default <i>role</i> for a user instead. With
a default role, we can always make sure that the user is authenticated.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Liem<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Yuriy Taraday
[mailto:yorik.sar@gmail.com] <br>
<b>Sent:</b> Thursday, July 14, 2011 10:37 PM<br>
<b>To:</b> openstack@lists.launchpad.net<br>
<b>Cc:</b> Ziad Sawalha; Rouault, Jason (Cloud Services); Nguyen, Liem Manh<br>
<b>Subject:</b> Re: [Openstack] Keystone tenants vs. Nova projects<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I think, there should not be such thing as default tenant.<o:p></o:p></p>
<div>
<p class=MsoNormal>If user does not specify tenant in authentication data, ones
token should not be bound to any tenant, and user should have access to
resources based on global role assignments.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>If user specify tenant, one should be either explicitly
bound to tenant (probably through UserRoleAssignment model, but it is not the
best way) or in some global role. Then one will have access to resources based
on global role assignments and tenant role assignments.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>I'm not sure whether users should be added to a tenant and
then to roles in this tenant or we should remove totally direct link between
user and tenant, so that user is in tenant if and only if one is in any role in
this tenant.<br clear=all>
<o:p></o:p></p>
<div>
<p class=MsoNormal>Kind regards, Yuriy.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>On Fri, Jul 15, 2011 at 00:07, Nguyen, Liem Manh <<a
href="mailto:liem_m_nguyen@hp.com">liem_m_nguyen@hp.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>When one creates a user, should a user
always have a tenant associated with her? If that’s the case, then the
“default” tenant is the tenant that the user is associated with at creation
time? Sorry for responding to the question with another question, but it
is unclear for me from looking at the model (there is no non-null constraint on
the tenant_id fk on the user table).</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Thanks,</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Liem</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'>
openstack-bounces+liem_m_nguyen=<a href="http://hp.com" target="_blank">hp.com</a>@<a
href="http://lists.launchpad.net" target="_blank">lists.launchpad.net</a>
[mailto:<a href="mailto:openstack-bounces%2Bliem_m_nguyen" target="_blank">openstack-bounces+liem_m_nguyen</a>=<a
href="http://hp.com" target="_blank">hp.com</a>@<a
href="http://lists.launchpad.net" target="_blank">lists.launchpad.net</a>] <b>On
Behalf Of </b>Ziad Sawalha<br>
<b>Sent:</b> Thursday, July 14, 2011 12:22 PM</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
<b>To:</b> Rouault, Jason (Cloud Services); Yuriy Taraday; <a
href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack] Keystone tenants vs. Nova projects<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>In the example I gave below they are not
members of any group and have no roles assigned to them. Should they still be
authenticated?</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:11.0pt;color:black'>From: </span></b><span style='font-size:
11.0pt;color:black'>"Rouault, Jason (Cloud Services)" <<a
href="mailto:jason.rouault@hp.com" target="_blank">jason.rouault@hp.com</a>><br>
<b>Date: </b>Thu, 14 Jul 2011 16:25:22 +0000<br>
<b>To: </b>Ziad Sawalha <<a href="mailto:ziad.sawalha@rackspace.com"
target="_blank">ziad.sawalha@rackspace.com</a>>, Yuriy Taraday <<a
href="mailto:yorik.sar@gmail.com" target="_blank">yorik.sar@gmail.com</a>>,
"<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>"
<<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>><br>
<b>Subject: </b>RE: [Openstack] Keystone tenants vs. Nova projects</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>A user can specify a tenantID at the
time of authentication. If no tenantID is specified during
authentication, then I would expect the ‘default’ tenant for the user would
apply. The capabilities of User1 on TenantA (in this case the default
tenant for the user) would be determined by their role and group assignments
within the context of TenantA. </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Jason</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt;color:black'>From:</span></b><span style='font-size:
10.0pt;color:black'> Ziad Sawalha [<a href="mailto:ziad.sawalha@rackspace.com"
target="_blank">mailto:ziad.sawalha@rackspace.com</a>] <br>
<b>Sent:</b> Wednesday, July 13, 2011 10:35 PM<br>
<b>To:</b> Rouault, Jason (Cloud Services); Yuriy Taraday; <a
href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack] Keystone tenants vs. Nova projects</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:black'> </span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>What if:</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>-</span><span style='font-size:
7.0pt;color:#1F497D'> </span><span
style='font-size:11.0pt;color:#1F497D'>User1 has TenantA as her default tenant</span><o:p></o:p></p>
<p><span style='color:black'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Should the service authenticate the user
against TenantA? And if so, why? What does the 'default tenant' grant User1 on
TenantA? It's some nebulous, implied role…</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:11.0pt;color:black'>From: </span></b><span style='font-size:
11.0pt;color:black'>"Rouault, Jason (Cloud Services)" <<a
href="mailto:jason.rouault@hp.com" target="_blank">jason.rouault@hp.com</a>><br>
<b>Date: </b>Wed, 13 Jul 2011 13:18:44 +0000<br>
<b>To: </b>Ziad Sawalha <<a href="mailto:ziad.sawalha@rackspace.com"
target="_blank">ziad.sawalha@rackspace.com</a>>, Yuriy Taraday <<a
href="mailto:yorik.sar@gmail.com" target="_blank">yorik.sar@gmail.com</a>>,
"<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>"
<<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>><br>
<b>Subject: </b>RE: [Openstack] Keystone tenants vs. Nova projects</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>If a user is bound to their default
tenant, why wouldn’t any role assignments for that user in their default tenant
apply?</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:black'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>User1 authenticates specifying TenantB,
this binds User1 into the context of TenantB. In subsequent web service
requests using the token received after authentication, the Auth component
filter would decorate the headers with RoleY.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>If User1 authenticates specifying
TenantA, or specifying no Tenant, this binds User1 into the context of
TenantA. The headers would then be decorated with RoleX.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'>Jason</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt;color:black'>From:</span></b><span style='font-size:
10.0pt;color:black'> <a
href="mailto:openstack-bounces+jason.rouault=hp.com@lists.launchpad.net"
target="_blank">openstack-bounces+jason.rouault=hp.com@lists.launchpad.net</a>
[<a href="mailto:openstack-bounces+jason.rouault=hp.com@lists.launchpad.net"
target="_blank">mailto:openstack-bounces+jason.rouault=hp.com@lists.launchpad.net</a>]
<b>On Behalf Of </b>Ziad Sawalha<br>
<b>Sent:</b> Tuesday, July 12, 2011 10:09 PM<br>
<b>To:</b> Yuriy Taraday; <a href="mailto:openstack@lists.launchpad.net"
target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack] Keystone tenants vs. Nova projects</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:black'> </span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Our goal is to support Nova use cases
right now. You can provide access to multiple tenants using a role
assignment (assigning a user a role on a specific tenant effectively binds them
to that tenant).</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>However, this raises the issue of what the
'implied' role of a user is when they are bound to their <i>default</i> tenant.
So we're considering how to alter the model to clean that up. No great solution
yet. Any suggestions are welcome….</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Ziad</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:11.0pt;color:black'>From: </span></b><span style='font-size:
11.0pt;color:black'>Yuriy Taraday <<a href="mailto:yorik.sar@gmail.com"
target="_blank">yorik.sar@gmail.com</a>><br>
<b>Date: </b>Tue, 28 Jun 2011 16:59:08 +0400<br>
<b>To: </b><<a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>><br>
<b>Subject: </b>[Openstack] Keystone tenants vs. Nova projects</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'> </span><o:p></o:p></p>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Currently Keystone model assumes that user
is bound to exactly one tenant. It conflicts with the fact that in Nova user
can have access to several projects. </span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Which way will it be?<br clear=all>
</span><o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>Kind regards, Yuriy.</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;color:black'>_______________________________________________
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a>
</span><span style='font-size:10.5pt;font-family:"Courier New";color:black'>This
email may include confidential information. If you received it in error, please
delete it.</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;font-family:"Courier New";color:black'>This email may
include confidential information. If you received it in error, please delete
it.</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.5pt;font-family:"Courier New";color:black'>This email may
include confidential information. If you received it in error, please delete
it.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div id="_vrome_cmd_box">
<p class=MsoNormal>-- PASS THROUGH -- <o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>