[Openstack] OpenStack Identity: Keystone API Proposal

Ziad Sawalha ziad.sawalha at rackspace.com
Thu Jul 14 04:41:56 UTC 2011 

We've taken much of that out of the current API; so the API does not allow
creating these entities through the service API.

And we don't have delegation over tenant administration either, although
the API we have in place can fully support atier that implements itÅ .

Z

On 7/13/11 11:30 AM, "Bryan Taylor" <btaylor at rackspace.com> wrote:

>How is this different in effect than letting swift or nova be tenants?
>Each tenant gets to define users, roles, and groups, right?
>
>On 07/13/2011 10:39 AM, Jay Pipes wrote:
>> On Wed, Jul 13, 2011 at 12:45 AM, Ziad Sawalha
>> <ziad.sawalha at rackspace.com>  wrote:
>>> Here's a possible use case we can implement to address this:
>>>
>>> A service 'registers' itself with Keystone and reserves a name (Ex.
>>>Swift,
>>> or nova). Keystone will guarantee uniqueness.
>>> Registered services can then create roles for the service (Ex.
>>>swift:admin
>>> or nova:netadmin) or tuples as suggested below (nova:delete:volume)
>>> On token validation, Keystone returns these roles and a service can
>>>apply
>>> it's own policies based on them.
>>>
>>> This is super-simplified and we can expand on it.
>>> Other benefits:
>>>
>>> Registration would also be handy to allow services to add and manage
>>> endpoints as well.
>>> We can also tie this with the concept of a ClientID so services can
>>>identify
>>> themselves as well with a long-lived token
>>> (see https://github.com/rackspace/keystone/issues/84)
>>> Common names for services could be implemented as shareable among
>>>different
>>> implementations (Ex: compute:admin)
>>>
>>> Thoughts?
>>
>> Sounds like a very reasonable approach to me.
>>
>>> And comments inline ZNS>>
>>
>> Hehe, you guys need a better mail client ;)
>>
>> -jay
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>
>This email may include confidential information. If you received it in
>error, please delete it.
>_______________________________________________
>Mailing list: https://launchpad.net/~openstack
>Post to     : openstack at lists.launchpad.net
>Unsubscribe : https://launchpad.net/~openstack
>More help   : https://help.launchpad.net/ListHelp

This email may include confidential information. If you received it in error, please delete it.

More information about the Openstack mailing list