[Openstack] OpenStack Identity: Keystone API Proposal

Jay Pipes jaypipes at gmail.com
Wed Jul 13 15:39:44 UTC 2011


On Wed, Jul 13, 2011 at 12:45 AM, Ziad Sawalha
<ziad.sawalha at rackspace.com> wrote:
> Here's a possible use case we can implement to address this:
>
> A service 'registers' itself with Keystone and reserves a name (Ex. Swift,
> or nova). Keystone will guarantee uniqueness.
> Registered services can then create roles for the service (Ex. swift:admin
> or nova:netadmin) or tuples as suggested below (nova:delete:volume)
> On token validation, Keystone returns these roles and a service can apply
> its own policies based on them.
>
> This is super-simplified and we can expand on it.
> Other benefits:
>
> Registration would also be handy to allow services to add and manage
> endpoints as well.
> We can also tie this with the concept of a ClientID so services can identify
> themselves as well with a long-lived token
> (see https://github.com/rackspace/keystone/issues/84)
> Common names for services could be implemented as shareable among different
> implementations (Ex: compute:admin)
>
> Thoughts?

Sounds like a very reasonable approach to me.

> And comments inline ZNS>>

Hehe, you guys need a better mail client ;)

-jay
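As an added illustration of the proposal quoted above (this is a toy model written for this page, not Keystone's code or API), the following sketches service name reservation, service-namespaced roles, token validation returning those roles, and a service applying its own policy. The role grammar (`service:role` or `service:action:resource`), the client id format, and the `service:admin` shortcut in the policy are assumptions made for the example.

```python
import secrets


class KeystoneToy:
    """Toy model of the proposal: service registration, namespaced roles,
    token validation. Assumed for illustration, not Keystone's real API."""

    def __init__(self):
        self.services = {}   # reserved service name -> client id
        self.roles = set()   # role strings created by registered services
        self.tokens = {}     # token -> roles it carries

    def register_service(self, name):
        # Keystone guarantees the reserved name is unique.
        if name in self.services:
            raise ValueError(f"service name already reserved: {name}")
        client_id = secrets.token_hex(8)
        self.services[name] = client_id
        return client_id

    def create_role(self, client_id, role):
        # Roles are "service:role" or "service:action:resource" tuples;
        # a service may only create roles under its own reserved name.
        owner = role.split(":", 1)[0]
        if self.services.get(owner) != client_id:
            raise PermissionError(f"{role!r} is not under the caller's name")
        self.roles.add(role)

    def issue_token(self, roles):
        # Tokens only carry roles that a registered service created.
        unknown = set(roles) - self.roles
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        token = secrets.token_hex(16)
        self.tokens[token] = tuple(roles)
        return token

    def validate_token(self, token):
        # Returns the roles for a known token, or None for an unknown one.
        return self.tokens.get(token)


def service_policy(roles, service, action, resource):
    """A service's own policy decision over the roles Keystone returned.
    Assumed policy: "<service>:admin" grants everything for that service;
    otherwise the exact "<service>:<action>:<resource>" tuple is required."""
    if roles is None:
        return False
    return f"{service}:admin" in roles or f"{service}:{action}:{resource}" in roles
```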
