<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/30/2012 04:00 AM, Henry Nash
wrote:<br>
</div>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">Gabriel,
<div><br>
</div>
<div>So I think you are right to ask that this is made clear and
concrete - I'll work with the core contributors of Keystone to
make it so.</div>
<div><br>
</div>
<div>To your specific point:</div>
<div>- Let's call the initial Domain, the "Global Domain", rather
than the default domain</div>
</blockquote>
No. It is default. It is not global. The other domains do not
nest inside this domain. Calling it the Global domain is
confusing. I would accept: unnamed domain, or implicit domain, but
I don't think either of those is an improvement on default.<br>
<br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div>- If the Cloud Provider doesn't explicitly create any
domains, then everything exists in the Global Domain. There is
no need to specify a domain in any calls, since everything will
default to the Global domain. The v2 API will work just fine
(which knows nothing about domains)</div>
</blockquote>
That is correct.<br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div>- If they do create some domains, then they indicate (on
creation) whether each of these <i>share</i> the namespace of
the Global domain, or have their own <i>private</i> namespace.
<br>
</div>
</blockquote>
No. Domains are non-overlapping sets.<br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div>- If all of these new domains were specified as <i>shared</i> then
all user and tenant names are still globally unique. A caller
still does not technically need to specify a domain, although
scoping things down to a domain (or of course project) is likely
for most operations (just like it is today)</div>
</blockquote>
I fail to see the benefit.<br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div>- If, however, some of these new domains were specified as <i>private</i>
then any users who are part of a private domain must specify the
domain in order to authenticate. By design, authentication will
fail if they don't specify a domain (since you won't exist in
the global domain). Once a user in a private domain is
authenticated, they are scoped to that domain. [implementation:
we need to work out whether the domainID is encoded in the token
- this is my assumption since this means the Domain Name/ID is
NOT required for subsequent requests... and validation, by
Keystone, can still be achieved ]</div>
</blockquote>
We are reimplementing tokens/projects here. <br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div>- It is perfectly possible (but of course up to the Cloud
Provider) to support a mixture of <i>shared</i> and <i>private</i>
domains (representing different customer types)... but the point
being that the Cloud Provider will tell their customers how they
should access the system (i.e. provide them with any domain
specification that may or may not be required).</div>
</blockquote>
<br>
I think that this complicates things. I would instead recommend
that a provider either go with a single domain or explicit domains,
as mixing the two is weird, but some installations will need to make
their existing deployments work.<br>
<br>
I like the idea that the domain will be implicit from the hostname
of the web front end, and also possibly of a Keystone endpoint.
This can be done with vhosts for Apache, and a simple config value
for Eventlet.<br>
<br>
<br>
<blockquote
cite="mid:9EF9FB51-CE42-47E7-9635-DA28B60024BB@linux.vnet.ibm.com"
type="cite">
<div><br>
</div>
<div>Very keen to hear other concerns you may have.</div>
<div><br>
</div>
<div>Henry<br>
<div>
<div>On 27 Oct 2012, at 21:22, Gabriel Hurley wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span"
style="border-collapse: separate; font-family: Helvetica;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: 2; text-align: -webkit-auto; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-border-horizontal-spacing: 0px;
-webkit-border-vertical-spacing: 0px;
-webkit-text-decorations-in-effect: none;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; font-size: medium; ">
<div bgcolor="white" link="blue" vlink="purple"
lang="EN-US">
<div class="WordSection1" style="page: WordSection1; ">
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); ">There are various options for how
Horizon can handle the UX problems associated with
adding additional domains. Making it a part of the
URL is one which could be supported, but I’m not
inclined to make that the only method. The
implementation details can be hashed out when we
get there.<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); "><o:p> </o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); ">I am more concerned about the
experience for CLI/API users; adding more
parameters they have to pass is quite unfriendly.
And I have to say that Keystone’s track record for
handling “default” options has been quite poor
(see “default tenant”). The mixed support for
lookups via ID vs. name is also a mess. There
needs to be consistency around what is unique and
in what scope (which is where this thread
started). So far I haven’t heard a concrete answer
on that.<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); "><o:p> </o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); ">For example, if tenant uniqueness is
scoped to a domain, and lookups via tenant name
are possible, and there’s a default domain… well
haven’t you just painted yourself into a corner
where tenant names in the default domain must be
unique while names in any other domain do not?
It’s these kinds of issues that need to really be
thought through.<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); "><o:p> </o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 27pt; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; text-indent: -0.25in; "><span
style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); "><span>-<span
style="font: normal normal normal 7pt/normal
'Times New Roman'; "> <span
class="Apple-converted-space"> </span></span></span></span><span
style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); ">Gabriel<o:p></o:p></span></div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><span style="font-size: 11pt;
font-family: Calibri, sans-serif; color: rgb(31,
73, 125); "><o:p> </o:p></span></div>
<div style="border-top-style: none;
border-right-style: none; border-bottom-style: none;
border-width: initial; border-color: initial;
border-left-style: solid; border-left-color: blue;
border-left-width: 1.5pt; padding-top: 0in;
padding-right: 0in; padding-bottom: 0in;
padding-left: 4pt; ">
<div>
<div style="border-right-style: none;
border-bottom-style: none; border-left-style:
none; border-width: initial; border-color:
initial; border-top-style: solid;
border-top-color: rgb(181, 196, 223);
border-top-width: 1pt; padding-top: 3pt;
padding-right: 0in; padding-bottom: 0in;
padding-left: 0in; ">
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; "><b><span
style="font-size: 10pt; font-family:
Tahoma, sans-serif; color: windowtext; ">From:</span></b><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif; color: windowtext; "><span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="mailto:openstack-bounces+gabriel.hurley=nebula.com@lists.launchpad.net">openstack-bounces+gabriel.hurley=nebula.com@lists.launchpad.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openstack-bounces+gabriel.hurley=">mailto:openstack-bounces+gabriel.hurley=</a><a
moz-do-not-send="true"
href="mailto:nebula.com@lists.launchpad.net">nebula.com@lists.launchpad.net</a>]<span
class="Apple-converted-space"> </span><b>On
Behalf Of<span
class="Apple-converted-space"> </span></b>Adam
Young<br>
<b>Sent:</b><span
class="Apple-converted-space"> </span>Friday,
October 26, 2012 4:19 PM<br>
<b>To:</b><span
class="Apple-converted-space"> </span>Henry
Nash<br>
<b>Cc:</b><span
class="Apple-converted-space"> </span>OpenStack
Development Mailing List; <a
moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
(<a moz-do-not-send="true"
href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>)<br>
<b>Subject:</b><span
class="Apple-converted-space"> </span>Re:
[Openstack] [keystone] Domain Name Spaces<o:p></o:p></span></div>
</div>
</div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; ">On 10/26/2012 07:17 PM,
Henry Nash wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom:
5pt; ">
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; ">So to pick up on a couple
of the areas of contention:<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; ">a) Roles. I
agree that role names must stay globally
unique. One way of thinking about this is
that it is not actually keystone that is
creating the "role name space" it is the other
services (Nova etc.) by specifying roles in
their policy files. Until those services
support domain specific segmentation, then
role names stay global.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; ">b) Will
multi-domains make it more complicated in
terms of authorisation - e.g. will the users
have to input a Domain Name into Horizon the
whole time? The first thing I would say is
that if the cloud administrator has created
multiple domains, then the keystone API should
indeed require the domain specification.
However, that should not mean it should be
laborious for a Horizon user. In the case
where a Cloud Provider has created domains to
encapsulate each of their customers - then if
they want to let those customers use horizon as
the UI, then I would think they want to be
able to give each customer a unique URL which
will point to a Horizon that "knows which
domain to go to".<o:p></o:p></div>
</div>
</blockquote>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; ">Yes, I think that this is
the solution. It will involve HTTPD virtual
hosts, and horizon can then get an additional
config parameter "keystone_domain" as part of the
wsgi config.<br>
<br>
<br>
<br>
<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "> Maybe the url contains
the Domain Name or ID in the path, and Horizon
pulls this out of its own url (assuming that's
possible) and hence the user is never given an
option to choose a domain. A Cloud Admin would
use a "non domain qualified url" to get to
Horizon (basically as it is now) and hence be
able to see the different domains. Likewise, in
the case where the Cloud Provider has not
chosen to create any individual domains (and is
just running the cloud in the default domain),
then the "non domain qualified url" would be
used to a Horizon that only showed one, default
domain and hence no choice is required.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; ">Henry<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
<div>
<div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black; ">On
26 Oct 2012, at 17:31, heckj wrote:<o:p></o:p></div>
</div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; color: black; "><br>
<br>
<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black; ">Bringing
conversation for domains in Keystone to the
broader mailing lists.<o:p></o:p></div>
<div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black; "><o:p> </o:p></div>
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">On Oct 26,
2012, at 5:18 AM, Dolph Mathews <<a
moz-do-not-send="true"
href="mailto:dolph.mathews@gmail.com"
style="color: blue; text-decoration:
underline; ">dolph.mathews@gmail.com</a>>
wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt; ">
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">I think this
discussion would be great for both
mailing lists.<br clear="all">
<o:p></o:p></div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<p class="MsoNormal" style="margin-top:
0in; margin-right: 0in; margin-left:
0in; margin-bottom: 12pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">-Dolph<br>
<br>
<o:p></o:p></p>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; ">On
Fri, Oct 26, 2012 at 5:18 AM, Henry
Nash <<a moz-do-not-send="true"
href="mailto:henry.nash@mac.com"
target="_blank" style="color:
blue; text-decoration: underline;
">henry.nash@mac.com</a>>
wrote:<o:p></o:p></div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">Hi<o:p></o:p></div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><Not sure where best
to have this discussion - here,
as a comment to the v3api doc,
or elsewhere - appreciate some
guidance and will transfer this
to the right place><o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">At the Summit we
started a discussion on whether
things like user name, tenant
name etc. should be globally
unique or unique within a
domain. I'd like to widen that
discussion to try and a) agree a
direction, b) agree some changes
to our current spec. Here's my
view as an opening gambit:<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">- When a Keystone
instance is first started, there
is only one, default, Domain.
The Cloud Provider does not
need to create any new domains,
all projects can exist in this
default domain, as will the
users etc. There is one,
global, name space. Clients
using the v2 API will work just
fine.<o:p></o:p></div>
</div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">+1<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">Very much what
we were thinking for the initial
implementation and rollout to make it
backwards "compatible" with the V2
(non-domain) core API<o:p></o:p></div>
</div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black;
"><br>
<br>
<o:p></o:p></div>
<div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204, 204);
border-left-width: 1pt; padding-top:
0in; padding-right: 0in;
padding-bottom: 0in; padding-left:
6pt; margin-left: 4.8pt; margin-right:
0in; z-index: auto; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">- If the Cloud Provider
wants to provide their customers
with regions they can administer
themselves and be
self-contained, then they create
a Domain for each customer. It
should be possible for
users/roles to be scoped to a
Domain so that (effectively)
administrative duties can be
delegated to some users in that
Domain. So far so good - all
this can be done with the v3
API.<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; ">Not
clear on if you're referring to
endpoint regions, or just describing
domain isolation?<o:p></o:p></div>
</div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">I believe
you're describing the key use cases
behind the domains mechanism to begin
with - user and project partitioning
to allow for administration of those
to be clearly "owned" and managed
appropriately.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black;
"><br>
<br>
<o:p></o:p></div>
<div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204, 204);
border-left-width: 1pt; padding-top:
0in; padding-right: 0in;
padding-bottom: 0in; padding-left:
6pt; margin-left: 4.8pt; margin-right:
0in; z-index: auto; ">
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">- We still have work to
do to make sure items in other OS
projects that reference tenants
(e.g. Images) can take a Domain or
Project ID, but we'll get to that
soon enough<o:p></o:p></div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; ">Everything
will continue to work with projects,
but once middleware starts providing
a DOMAIN_ID and DOMAIN_NAME to the
underlying service, it'll be up to
them to take advantage of it. Images
per domain is an excellent example
use case.<o:p></o:p></div>
</div>
</div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black;
"><br>
<br>
<o:p></o:p></div>
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "> <o:p></o:p></div>
</div>
</div>
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt; ">
<div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204,
204); border-left-width: 1pt;
padding-top: 0in; padding-right:
0in; padding-bottom: 0in;
padding-left: 6pt; margin-left:
4.8pt; margin-right: 0in; z-index:
auto; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">- However,
Cloud Providers want to start
enabling enterprise customers
to run more and more of the
workloads in OpenStack clouds
- over and above, the smaller
sized companies that are doing
this today. For this to work,
the encapsulation of a Domain
needs, I think, to be able to
be stricter - and this is
where the name space comes
into play. I think we need to
allow for a Domain to have its
own namespace (i.e. users,
roles, projects etc.) as an
option. I see this as a first
step to allowing each Domain
to have its own AuthZ/N
service (e.g. external ldap
owned and hosted by the
customer who will be using the
Domain)<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">Implementation:<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">- A simplistic
version would just allow a
flag to be specified on Domain
creation that said whether
this is a "private" or "shared"
Domain. Shared would use the
current global name space (and
probably be the default for
compatibility reasons).<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">I like the direction of
this -- need to digest
implications :)<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">I like the idea
conceptually - but let's be clear on
the implications to the end users:<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">Where we're
starting is preserving a global name
space for project names and user
names. Allowing a mix of segregated
and global name spaces imposes a
burden of additional data being needed
to uniquely place authentication and
authorization.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">We've been
keeping to 2 key pieces of info
(username, password) to get
authenticated - and then (via CLI or
Horizon dashboard) you can choose from
a list of potential projects and
carry on. In most practical
circumstances, any user working
primarily from the CLI is already
providing 3-4 pieces of information:<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">* username<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">* password<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">* tenant name<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">* auth_url<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">to access and
use the cloud.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">By allowing
domains to be their own namespaces,
we're adding another element that will
be absolutely required to identify the
person authenticating:<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "> * domain name<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">implying a
cascade of changes to the user
experience all the way down through
horizon.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black;
"><br>
<br>
<o:p></o:p></div>
<div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204, 204);
border-left-width: 1pt; padding-top:
0in; padding-right: 0in;
padding-bottom: 0in; padding-left:
6pt; margin-left: 4.8pt; margin-right:
0in; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
- A more flexible">
black; ">- A more flexible
approach would be to allow the
specification of where the
various sub-services of Keystone
(e.g. AuthN/Z, Service
Catalogue, Resources (i.e. Users,
Projects)) are hosted. The
defaults would all point back to
the default domain (i.e. are
global and shared), but instead
could be specified as "self"
(i.e. the new Domain), or, in
the future, some other external
location, e.g. for a remote
LDAP.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">- As an aside, this
multi-name space model could
also allow the Cloud Provider
their own name space, separate
from their customers - i.e. they
will have a need to create
admins who can just create
domains and on-board customers
into those domains. These users
&amp; roles could exist in the
default domain, while all the
customers' users/roles exist
solely within their own domains.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">- One potential problem
I do see is with roles. Today,
the role name is, if I
understand it correctly, a kind
of shared secret between, other
services and Keystone - e.g. it
is the actual name of a given
role, say "ProjectAdmin" , that
must match in, say, the Nova
policy file and the role
assignment in Keystone (please
correct me if I have this
wrong).<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; ">You're
100% correct.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "> <o:p></o:p></div>
</div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204, 204);
border-left-width: 1pt; padding-top:
0in; padding-right: 0in;
padding-bottom: 0in; padding-left:
6pt; margin-left: 4.8pt; margin-right:
0in; ">
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">How would that work if
the role names were not unique
across Domains?<o:p></o:p></div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Roman', serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New
Not">
Roman', serif; color: black; ">Not
that we would want admins to ever
see role IDs, or edit policy files
with role IDs, but they provide a
potential solution.<o:p></o:p></div>
</div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">The different
role names would need to be accounted
for in the policy files the way
they're set up today - the enforcement
there is all at the service level.
There's no current provision for
evaluating policy differently based on
domain. While that's possible, it
sounds like a tremendous cascade of
additional complication, as the
policy, and roles, are all set up and
managed by deployers.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; ">I think this
might be an interesting addition in
the future, but want to keep the
initial implementation and roll-out of
the policy mechanisms and domains
consistent and simple for a first
roll-out iteration.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt; ">
<div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204,
204); border-left-width: 1pt;
padding-top: 0in; padding-right:
0in; padding-bottom: 0in;
padding-left: 6pt; margin-left:
4.8pt; margin-right: 0in; z-index:
auto; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">What is the
desired functionality for a
Cloud Provider wanting to give
their enterprise customers
this level of flexibility -
will they have dedicated Nova
endpoints anyway? Sounds too
rigid. This might tie into
another bp we are working on
at IBM in terms of using
Availability zones to allow
Cloud Providers to divide up
their compute resources in a
more flexible way.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">- Finally, I
wanted to raise the subject of
whether we should make it a
goal to remain compatible with
the v2 API <i>once
the cloud provider starts
creating additional domains</i>.<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">Joe and I briefly
discussed this at the summit. As a
migration to v3, we'd obviously be
creating the default domain and
mapping all existing
users/projects/etc to it. I'd be
fine if the v2 implementation ONLY
interacted with resources in that
default domain; i.e. if you want
to use domains, upgrade to a v3
client.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "> <o:p></o:p></div>
</div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204,
204); border-left-width: 1pt;
padding-top: 0in; padding-right:
0in; padding-bottom: 0in;
padding-left: 6pt; margin-left:
4.8pt; margin-right: 0in; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">As stated
above, if just the default
domain is being used, then
fine. And while I agree that,
technically, the v2 API should
still work with the above if
all the other domains point
back to the default domain for
their sub-services - it feels
overly flexible (and maybe
wrong conceptually) to support
v2 semantics across a
multi-domain installation.<o:p></o:p></div>
</div>
</div>
</blockquote>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; ">+1<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left:
0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif; color:
black; "><o:p> </o:p></div>
</div>
<blockquote style="border-top-style:
none; border-right-style: none;
border-bottom-style: none;
border-width: initial; border-color:
initial; border-left-style: solid;
border-left-color: rgb(204, 204,
204); border-left-width: 1pt;
padding-top: 0in; padding-right:
0in; padding-bottom: 0in;
padding-left: 6pt; margin-left:
4.8pt; margin-right: 0in; ">
<div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><o:p> </o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; ">Interested in
everyone else's view.<o:p></o:p></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><span
style="color: rgb(136, 136,
136); "><o:p> </o:p></span></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><span
style="color: rgb(136, 136,
136); ">Henry<o:p></o:p></span></div>
</div>
<div>
<div style="margin-top: 0in;
margin-right: 0in;
margin-left: 0in;
margin-bottom: 0.0001pt;
font-size: 12pt; font-family:
'Times New Roman', serif;
color: black; "><span
style="color: rgb(136, 136,
136); "><o:p> </o:p></span></div>
</div>
</div>
</blockquote>
</div>
<div style="margin-top: 0in;
margin-right: 0in; margin-left: 0in;
margin-bottom: 0.0001pt; font-size:
12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</blockquote>
</div>
<div style="margin-top: 0in; margin-right:
0in; margin-left: 0in; margin-bottom:
0.0001pt; font-size: 12pt; font-family:
'Times New Roman', serif; color: black; "><o:p> </o:p></div>
</div>
</div>
</div>
<div style="margin-top: 0in; margin-right: 0in;
margin-left: 0in; margin-bottom: 0.0001pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; color: black; "><o:p> </o:p></div>
</div>
</div>
</div>
</div>
</span></blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
More help : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
<br>
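<p>The exchange above turns on role names acting as a shared secret between Keystone and each service's policy file, and on role IDs as a way to keep that working if names were only unique within a domain. What follows is an added example, not Keystone, Nova or oslo code: a constructed model in which two domains each define a role called "ProjectAdmin", a deployer's rule written by name matches both, and a hypothetical <code>role_id:</code> rule kind (invented here, not a real policy check) matches only the intended one. Role IDs, domain names, user names and the rule strings are all made up for illustration.</p>

```python
"""Constructed model of how a service policy file matches roles carried in a
token, by name versus by ID.  Added example; not Keystone, Nova or oslo code.
Role IDs, domain names and the rule strings are invented for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    id: str        # assumed unique across the whole deployment
    name: str      # only unique within a domain once domains are namespaces
    domain: str


@dataclass(frozen=True)
class Token:
    user: str
    domain: str
    roles: tuple   # roles granted on the project the token is scoped to


def _parse_rule(rule: str):
    """Split 'role:ProjectAdmin' or 'role_id:r-1111' into (kind, value).

    'role_id:' is a hypothetical rule kind used only in this example."""
    kind, _, value = rule.partition(":")
    if kind not in ("role", "role_id") or not value:
        raise ValueError(f"unsupported rule: {rule!r}")
    return kind, value


def enforce(policy: dict, action: str, token: Token) -> bool:
    """Return True if the token satisfies the rule for `action`.

    Actions with no rule are denied, so an incomplete policy fails closed."""
    rule = policy.get(action)
    if rule is None:
        return False
    kind, value = _parse_rule(rule)
    if kind == "role":
        # Name-based match: the service only sees the string "ProjectAdmin"
        # and cannot tell which domain's role it came from.
        return any(r.name == value for r in token.roles)
    # ID-based match: the identifier is unique, so the domain is implied.
    return any(r.id == value for r in token.roles)


# Constructed fixtures: two domains that each define a "ProjectAdmin" role.
ACME_ADMIN = Role("r-1111", "ProjectAdmin", "acme")
GLOBEX_ADMIN = Role("r-2222", "ProjectAdmin", "globex")
ACME_TOKEN = Token("alice", "acme", (ACME_ADMIN,))
GLOBEX_TOKEN = Token("bob", "globex", (GLOBEX_ADMIN,))

# A Nova-style policy the deployer wrote with acme's ProjectAdmin in mind,
# first keyed by role name (as policy files work today), then by role ID.
POLICY_BY_NAME = {"compute:delete": "role:ProjectAdmin"}
POLICY_BY_ID = {"compute:delete": "role_id:r-1111"}


def collision_demo() -> dict:
    """Evaluate the same action for both domains under both rule styles."""
    return {
        "acme_by_name": enforce(POLICY_BY_NAME, "compute:delete", ACME_TOKEN),
        "globex_by_name": enforce(POLICY_BY_NAME, "compute:delete", GLOBEX_TOKEN),
        "acme_by_id": enforce(POLICY_BY_ID, "compute:delete", ACME_TOKEN),
        "globex_by_id": enforce(POLICY_BY_ID, "compute:delete", GLOBEX_TOKEN),
    }


if __name__ == "__main__":
    for key, allowed in collision_demo().items():
        print(f"{key}: {'allowed' if allowed else 'denied'}")
```

<p>Run stand-alone, the name-based rule allows both tokens because the policy file has no way to distinguish acme's "ProjectAdmin" from globex's; the ID-based rule allows only the acme token. That is the trade-off the thread describes: IDs resolve the ambiguity, at the cost of deployers having to put opaque identifiers into policy files that today carry readable role names.</p>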
</body>
</html>