Hi stackers, I would like to suggest very simple idea of splitting out of Keystone authentication part in the separated project. Such change has 2 positive outcomes: 1) It will be quite simple to create scalable service with high performance for authentication based on very mature projects like: Kerberos[1] and OpenLDAP[2]. 2) This will reduce scope of Keystone, which means 2 things 2.1) Smaller code base that has less issues and is simpler for testing 2.2) Keystone team would be able to concentrate more on fixing perf/scalability issues of authorization, which is crucial at the moment for large clouds. Thoughts? [1] http://web.mit.edu/kerberos/ [2] http://ldapcon.org/2011/downloads/hummel-slides.pdf Best regards, Boris Pavlovic -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160406/4914c18a/attachment.html>