[Openstack] Entities in OpenStack Auth
eday at oddments.org
Fri Mar 4 17:35:46 UTC 2011
On Fri, Mar 04, 2011 at 09:46:16AM -0500, Jay Pipes wrote:
> Are you proposing that an entity always be the owner of something?
I'm proposing every resources has an owner.
> If so, I dislike using the term "entity", since entity does not imply
> ownership. I'd prefer "owner" or "account", since the latter implies
> control over something. Entity connotes neither ownership nor control.
Sure, and I think with other discussions we've moved back to
'account'. I just needed to use something different to not confuse
with swift 'accounts' in case we wanted something different.
> I'd like to get the semantics around these terms correct. We've
> already run into numerous issues with the term "metadata" and I really
> don't feel like introducing another source of confusion in both the
> documentation and the code comments.
We'll have accounts. You can be authenticated as a certain account,
all resources are owned by one account, and resources/accounts can
provide ACLs/roles to other accounts.
This means for your deployment an account can be a user, project,
/etc/group, dog, cat, etc. It's up to the IDM to map whatever you're
using into accounts for OpenStack services, and the authz system to
manage relationships between those accounts.
More information about the Openstack