<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The idea of a Domain is that it is a
single administrative entity, such as a company. <br>
<br>
When a person joins a company, they get an email address. That
address does not change regardless of the position they hold. <br>
<br>
Tenants are administrative groupings below that. It is
unfortunate that we used the name tenants for this, as it actually
contradicts the usual meaning of the term. We will be shortly
switching back to using the term projects, and I think that is
clearer.<br>
<br>
<br>
It certainly makes sense for a user to belong to one domain, but
have access to a project controlled in another domain. Here is a
scenario. Joe's Sporting Goods and Local Bank are both companies
that have a presence in a cloud provider. Each has their own
domain. <a class="moz-txt-link-abbreviated" href="mailto:tom@localbank.com">tom@localbank.com</a> is going to set up a Point of Sale
system for Joe. So Joe creates a project called
joes-point-of-sale and provides access to user <a class="moz-txt-link-abbreviated" href="mailto:tom@localbank.com">tom@localbank.com</a>.<br>
<br>
<br>
<br>
<br>
On 07/18/2012 02:46 AM, Matt Joyce wrote:<br>
</div>
<blockquote
cite="mid:CAGYSk8eRhttTNdb3u=FnmRC=j90kn2SS4Z9A+9dTYPV8Z09yLg@mail.gmail.com"
type="cite">I could see service users and security / operations
teams having a need to span many domains.<br>
<br>
-Matt<br>
<br>
<div class="gmail_quote">On Tue, Jul 17, 2012 at 11:24 PM, Tim
Bell <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-GB">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I
thought that the v3 API supports domains as a group of
tenants which would make the question rather
different.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thus,
I guess the question is</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>A.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Should
there be users in multiple tenants in a single domain
?</span></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>B.<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Should
there be users in multiple domains ?</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There
are clear use cases for A (such as researchers working
on multiple projects sharing project quotas)</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For
B, it is less clear as if I am a domain administrator,
I do not want to be told that I cannot allocate user X
since another domain has already taken it. On the
other hand, there is a clear architectural benefit
from having the concept of identity (and
authentication) split off from roles and projects.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Tim</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #b5c4df
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> openstack-bounces+tim.bell=<a
moz-do-not-send="true"
href="mailto:cern.ch@lists.launchpad.net"
target="_blank">cern.ch@lists.launchpad.net</a>
[mailto:<a moz-do-not-send="true"
href="mailto:openstack-bounces%2Btim.bell"
target="_blank">openstack-bounces+tim.bell</a>=<a
moz-do-not-send="true"
href="mailto:cern.ch@lists.launchpad.net"
target="_blank">cern.ch@lists.launchpad.net</a>]
<b>On Behalf Of </b>John Postlethwait<br>
<b>Sent:</b> 18 July 2012 07:42<br>
<b>To:</b> Rouault, Jason (Cloud Services)<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net"
target="_blank">openstack@lists.launchpad.net</a></span></p>
<div>
<div class="h5"><br>
<b>Subject:</b> Re: [Openstack] Identity API v3
- Why allow multi-tenant users?</div>
</div>
</div>
</div>
<div>
<div class="h5">
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">Forcing
a user to remember different usernames
and/or passwords for each project they are a
part of, when it is possible they are part
of N projects, really isn't an acceptable
option in my opinion.</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">I
believe that regardless of the engineering
complexities, the end users shouldn't have
to feel pain in order to make engineering
the solutions and features they interact
with easier. Software is for end users (in
their various forms) and as such we need to
take that into account when we make
decisions. While no functionality is lost
per se, there is a major end-user impact,
and that should be reason enough to
implement it…</span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">John Postlethwait</p>
</div>
<div>
<p class="MsoNormal">Nebula, Inc.</p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="tel:206-999-4492" value="+12069994492"
target="_blank">206-999-4492</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<p><span style="color:#a0a0a8">On Tuesday, July 17,
2012 at 4:15 PM, Rouault, Jason (Cloud Services)
wrote:</span></p>
<blockquote style="border:none;border-left:solid
windowtext 1.0pt;padding:0cm 0cm 0cm
8.0pt;margin-left:0cm;margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p style="margin:0cm;margin-bottom:.0001pt"><span
style="color:#1f497d">One benefit is the
user does not need to have multiple sets
of credentials to interact with multiple
projects.</span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span
style="color:#1f497d"> </span></p>
<p style="margin:0cm;margin-bottom:.0001pt"><span
style="color:#1f497d">Jason</span></p>
<p style="margin:0cm;margin-bottom:.0001pt">
<span style="color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid
#b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p
style="margin:0cm;margin-bottom:.0001pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:openstack-bounces+jason.rouault=hp.com@lists.launchpad.net"
target="_blank">openstack-bounces+jason.rouault=hp.com@lists.launchpad.net</a>
[<a moz-do-not-send="true"
href="mailto:openstack-bounces"
target="_blank">mailto:openstack-bounces</a>+jason.rouault=<a
moz-do-not-send="true"
href="mailto:hp.com@lists.launchpad.net"
target="_blank">hp.com@lists.launchpad.net</a>]
<b>On Behalf Of </b>Adam Young<br>
<b>Sent:</b> Tuesday, July 17, 2012
11:55 AM<br>
<b>To:</b> <a
moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net"
target="_blank">openstack@lists.launchpad.net</a><br>
<b>Subject:</b> Re: [Openstack]
Identity API v3 - Why allow
multi-tenant users?</span></p>
</div>
</div>
<p style="margin:0cm;margin-bottom:.0001pt"> </p>
<div>
<p
style="margin:0cm;margin-bottom:.0001pt">On
05/29/2012 01:18 PM, Caitlin Bestler
wrote:</p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p
style="margin:0cm;margin-bottom:.0001pt">One
of the major complications I see in the
API is that users can be associated with
multiple tenants.</p>
<p
style="margin:0cm;margin-bottom:.0001pt"> </p>
<p
style="margin:0cm;margin-bottom:.0001pt">What
is the benefit of this? What
functionality would be lost if a human
user merely had to use a different
account with each tenant?</p>
<p
style="margin:0cm;margin-bottom:.0001pt">
</p>
<p
style="margin:0cm;margin-bottom:.0001pt">There
are numerous issues with multi-tenant
users. For example, if a user is
associated with multiple tenants, who
resets the user’s password?</p>
<p
style="margin:0cm;margin-bottom:.0001pt"> </p>
<p
style="margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm"><br>
<br>
</p>
<pre>_______________________________________________</pre>
<pre>Mailing list: <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a></pre>
<pre>Post to : <a moz-do-not-send="true" href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a></pre>
<pre>Unsubscribe : <a moz-do-not-send="true" href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a></pre>
<pre>More help : <a moz-do-not-send="true" href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a></pre>
</blockquote>
<p style="margin:0cm;margin-bottom:.0001pt">Did
you ever get an answer? This has been
discussed in depth.</p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br>
</blockquote>
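<br>
Added example, not part of the original thread and not Keystone code: a toy model of the scenario in the top reply, where each user belongs to exactly one domain but can hold a role on a project controlled by another domain. All class and function names, the second user and the second project are assumptions made for illustration.<br>

```python
# Added illustration: a toy model, not the Keystone API. All class and
# function names are hypothetical; the sample data is constructed from the
# scenario in the message above.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str      # identity issued by the home domain, e.g. an email address
    domain: str    # the single domain that owns this identity


@dataclass(frozen=True)
class Project:
    name: str
    domain: str    # the domain that controls this project


@dataclass(frozen=True)
class Grant:
    user: User
    project: Project
    role: str


def projects_for(user, grants):
    """Projects a user can reach with one identity (one set of credentials)."""
    return sorted(g.project.name for g in grants if g.user == user)


def cross_domain_grants(grants):
    """Grants whose user lives in a different domain than the project.

    In this model these are the assignments a project-owning domain would
    list for review, because the identity is owned by another domain.
    """
    return [g for g in grants if g.user.domain != g.project.domain]


# Constructed sample data (joe's address and "atm-backend" are invented here).
tom = User("tom@localbank.com", "localbank")
joe = User("joe@joessportinggoods.example", "joes-sporting-goods")
pos = Project("joes-point-of-sale", "joes-sporting-goods")
atm = Project("atm-backend", "localbank")
GRANTS = [
    Grant(joe, pos, "admin"),
    Grant(tom, pos, "member"),
    Grant(tom, atm, "member"),
]
```
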
<br>
<br>
</body>
</html>