[Openstack] Federated Identity Management (bursting and zones)
khaled.hussein at rackspace.com
Mon Mar 28 16:42:49 UTC 2011
I was thinking of having OAuth implementation for authorization/delegation
in an external identity management solution, option 2 :). The IdM solution
can be extensible to support other Identity Federation protocols as well
such as SAML.
On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <jaypipes at gmail.com> wrote:
> On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.walsh at rackspace.com>
> > Currently, we link Nova deployments (aka Zones) with a single admin
> > All operations done in the child zone are done with this admin account.
> > Obviously this needs to change. A simple operation such as
> > should only return the servers that User X owns. In the current
> > implementation, all the servers the admin account can see will be
> > We need some form of federated identity management. User accounts must be
> > shared between homogeneous and heterogeneous deployments. i.e. all
> > all public or public/private (aka Hybrid) via Bursting.
> > There are some possibilities here:
> > 1. Replicate User accounts across zones. A user account would map to N
> > zone accounts ... one for each child zone. These "placeholder" accounts
> > hidden from the user and synchronized when the parent changes.
> > 2. Rely on an external/shared user management service. Let the Auth/RBAC
> > system sort out visibility, control, etc. This system would need to be
> > publicly available to both groups in the hybrid scenario.
> > 3. Continue with the admin account and filter access control/visibility
> > the parent zone.
> > ... and I'm sure there are others.
> 4. Use OAuth?
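An added sketch of the zone-visibility problem Sandy describes and of options 3 and 2/4 side by side; it is illustration written for this page, not code from the thread or from Nova, and every zone, server, user and credential name in it is constructed.

```python
# Added illustration, not code from the thread or from OpenStack: a toy
# model of a parent zone forwarding one user's "list servers" request to
# child zones. All zone, server, user and credential names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DelegatedToken:
    """Credential scoped to one user: the direction options 2 and 4 point at."""
    user: str


@dataclass
class ChildZone:
    name: str
    admin_secret: str
    servers: list = field(default_factory=list)  # (server_name, owner) pairs

    def list_servers(self, credential):
        """Child-zone API. The shared admin secret sees everything (today's
        design); a delegated token sees only its own user's servers."""
        if credential == self.admin_secret:
            return list(self.servers)
        if isinstance(credential, DelegatedToken):
            return [(n, o) for n, o in self.servers if o == credential.user]
        raise PermissionError("unknown credential")


def parent_list_current(zones, admin_secrets, user):
    """Current behaviour: the parent asks each child as admin and forwards
    the answer unfiltered, so User X sees everyone's servers."""
    return [n for z in zones for n, _ in z.list_servers(admin_secrets[z.name])]


def parent_list_option3(zones, admin_secrets, user):
    """Option 3: still admin in the child, parent filters by owner. Output is
    right, but each child still ships its whole inventory to the parent."""
    return [n for z in zones
            for n, o in z.list_servers(admin_secrets[z.name]) if o == user]


def parent_list_delegated(zones, user):
    """Options 2/4 direction: the parent forwards a user-scoped token and the
    child enforces visibility; no admin secret or foreign data crosses zones."""
    token = DelegatedToken(user)
    return [n for z in zones for n, _ in z.list_servers(token)]


def demo_zones():
    """Constructed two-zone deployment used by the functions above."""
    east = ChildZone("east", "admin-east", [("web1", "alice"), ("db1", "bob")])
    west = ChildZone("west", "admin-west", [("web2", "alice"), ("batch", "carol")])
    return [east, west], {"east": "admin-east", "west": "admin-west"}
```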