[Openstack] Federated Identity Management (bursting and zones)
Vishvananda Ishaya
vishvananda at gmail.com
Tue Apr 5 16:27:50 UTC 2011
On Apr 5, 2011, at 9:07 AM, Sandy Walsh wrote:
>
>> groups = AuthZ.get_resource_groups('alice')
>> instances = set()
>> for group in groups:
>> instances.union(set(nova.get_instances(group)))
>> return instances
>
> Agree that this could result in lots of little queries as written above, but the db can do all the work quite easily with some small tweaks.
>
> return nova.get_instances(groups)
Ok so we are aggregating at the service layer. That does make optimization a bit easier. Especially if the user can specify with the OnBehalfOf idea a subset of the instances he wants to list.
>
>> I would still suggest that this makes some actions inside a service very annoying. How does one list all of the
>> instances belonging to an organization, or accessible to a user? Do we push to the client side?
>>
>> I'm also not sure that it gives us useful control over something like roles. Imagine Jon, a security adminstrator
>> for OrganizationA. You want him to be able to network isolate vms for OrganizationA. How do you specify
>> that he can isolate any one of OrganizationAs instances?
>>
>> (Jon, can_isolate, ????)
>> Is it assumed that we specify a special role and Auth is going to return a giant list of all of the resource
>> groups that are in organizationA?
>
> Either that or a wildcard for all perhaps?
>
> (Jon, can_isolate, *)
Wildcards won't work if one provider is supporting multiple organizations (this has been specifically requested by some clients btw, so it isn't just astronauting), unless we support more of a regex wildcard:
(jon, can_isolate, OrganizationA.*)
That would be a cool feature, but it would require the auth service to return groups according to a specific format. Otherwise, the giant list should definitely work up to a certain size.
Vish
More information about the Openstack
mailing list