Open Stack

Short answer: it's going in that direction, but doesn't implement it all yet.

Longer answer:
Federation (and delegation) are going to be quick follows once we get the first phase of work done. The first phase was to build Keystone and support the current SWIFT and NOVA use cases. Once we have all services able to work with one auth/identity systems, we will iterate and add functionality.

We're trying to keep Keystone as modular and pluggable as possible to support any back-end (LDAP, Active Directory, etc…) and many protocols (such as OAUTH2.0, SAML, etc…). That should allow us to build in the necessary delegation and federation with Keystone.

We've also given Keystone the task of maintaining tenants (which are an implementation of Resource Group). This does not preclude us from creating additional, arbitrarily created resource groups, but gives us a basic implementation to start with.

Keystone will also contain a set of extensions for global user groups and tenant groups (groups of users that are contained in and scoped to a single tenant). We're keeping those as extensions for now until we've had the chance to make sure the model will work with as many back-end stores as possible.

You're welcome,
Z


From: andi abes <andi.abes at gmail.com<mailto:andi.abes at gmail.com>>
Date: Sun, 12 Jun 2011 10:58:54 -0400
To: Ziad Sawalha <ziad.sawalha at rackspace.com<mailto:ziad.sawalha at rackspace.com>>
Cc: "openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>" <openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>>
Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal

Ziad, thanks the quick edits.

One more quick question, mostly because I haven't followed the full keystone discussions. How does this API relate (if at all) to: http://wiki.openstack.org/FederatedAuthZwithZones

Specifically, around resource groups and federated authentication.

tia,
a.

On Sat, Jun 11, 2011 at 11:40 AM, Ziad Sawalha <ziad.sawalha at rackspace.com<mailto:ziad.sawalha at rackspace.com>> wrote:
I've updated the dev guide with your suggestions:
- Section 4.4 explains the GET /tenants call needs to be authenticated and the examples now show passing in the authentication header.
- Section 5.2.1 is new and talks about authenticating for the Admin API and puts in a reference for bootstrapping the system (creating a first administrator). Here, I've left it as a reference to the admin guide which is yet to be developed (jaypipes volunteered to help us create that in RST), but I also refer to the readme which today has instructions for setting up your Keystone instance.

Let me know if that gets you going, Andi.

Regards,
Ziad


From: Ziad Sawalha <ziad.sawalha at rackspace.com<mailto:ziad.sawalha at rackspace.com>>
Date: Sat, 11 Jun 2011 14:44:12 +0000
To: Andiabes <andi.abes at gmail.com<mailto:andi.abes at gmail.com>>

Cc: "openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>" <openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>>
Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal

Your guess is correct. The only calls you should be able to make without having a token are the calls to discover the service (getting version info, WADL contract, dev guide, help, etc…) and to get a token. After that, all other calls require passing in a token.

On the Admin APIs, the token passed in must have the necessary administrative privileges.

To bootstrap Keystone with a blank identity store, you can execute bin/keystone-manage to create your initial administrative identity(ies).

If you use the sample data creation script provided, it will create an admin user (and create a token for that user) which you can use.

We'll clarify that in the dev guide.

Thanks Andi

Ziad

From: Andiabes <andi.abes at gmail.com<mailto:andi.abes at gmail.com>>
Date: Fri, 10 Jun 2011 21:08:18 -0400
To: Ziad Sawalha <ziad.sawalha at rackspace.com<mailto:ziad.sawalha at rackspace.com>>
Cc: "openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>" <openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>>
Subject: Re: [Openstack] OpenStack Identity: Keystone API Proposal

It might be useful to include in the API guide some information about authentication to keystone itself. I.e when requesting a list of users,tenants etc the requestor should somehow authenticate itself
I'm guessing that the flow involve acquiring a token that authenticates the user to keystone as a user who has privileges to manage the relevant entities.?

Sent from my iPad

On Jun 10, 2011, at 7:24 PM, Ziad Sawalha <ziad.sawalha at rackspace.com<mailto:ziad.sawalha at rackspace.com>> wrote:

Time flies! It's June 10th already. In my last email to this community I had proposed today as the day to lock down the Keystone API so we can finalize implementation by Diablo-D2 (June 30th).

We've been working on this feverishly over the past couple of weeks and have just pushed out a proposed API here:<https://github.com/rackspace/keystone/raw/master/keystone/content/identitydevguide.pdf>https://github.com/rackspace/keystone/raw/master/keystone/content/identitydevguide.pdf

For any and all interested, the original source and code is on Github (<https://github.com/rackspace/keystone/raw/master/keystone/content/identitydevguide.pdf>https://github.com/rackspace/keystone), along with the current implementation of Keystone, examples, sample data, tests, instructions, and all the goodies we could muster to put together. The project also lives on Launchpad at <http://launchpad.net/keystone> http://launchpad.net/keystone.

The API we just put out there is still a proposal. We're going to be focusing on the implementation, but would still love to get community input, feedback, and participation.

Have a great weekend and regards to all,

Ziad





Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com<mailto:abuse at rackspace.com>, and delete the original message.
Your cooperation is appreciated.


_______________________________________________
Mailing list: <https://launchpad.net/~openstack> https://launchpad.net/~openstack
Post to     : <mailto:openstack at lists.launchpad.net> openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>
Unsubscribe : <https://launchpad.net/~openstack> https://launchpad.net/~openstack
More help   : <https://help.launchpad.net/ListHelp> https://help.launchpad.net/ListHelp

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com<mailto:abuse at rackspace.com>, and delete the original message.
Your cooperation is appreciated.


_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net> Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp

Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com<mailto:abuse at rackspace.com>, and delete the original message.
Your cooperation is appreciated.




Confidentiality Notice: This e-mail message (including any attached or
embedded documents) is intended for the exclusive and confidential use of the
individual or entity to which this message is addressed, and unless otherwise
expressly indicated, is confidential and privileged information of Rackspace.
Any dissemination, distribution or copying of the enclosed material is prohibited.
If you receive this transmission in error, please notify us immediately by e-mail
at abuse at rackspace.com, and delete the original message.
Your cooperation is appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20110614/faa295cd/attachment.html>