[Openstack] Federated Identity Management (bursting and zones)

Vishvananda Ishaya vishvananda at gmail.com
Mon Mar 28 17:19:03 UTC 2011 

Agreed, Pluggable option 2 with a default OAuth implementation seems like the best strategy.

Vish

On Mar 28, 2011, at 9:42 AM, Khaled Hussein wrote:

> I was thinking of having OAuth implementation for authorization/delegation in an external identity management solution, option 2 :). The IdM solution can be extensible to support other Identity Federation protocols as well such as SAML.
> 
> Khaled
> 
> On Mon, Mar 28, 2011 at 11:17 AM, Jay Pipes <jaypipes at gmail.com> wrote:
> On Mon, Mar 28, 2011 at 10:15 AM, Sandy Walsh <sandy.walsh at rackspace.com> wrote:
> > Currently, we link Nova deployments (aka Zones) with a single admin account.
> > All operations done in the child zone are done with this admin account.
> > Obviously this needs to change. A simple operation such as "get_all_servers"
> > should only return the servers that User X owns. In the current
> > implementation, all the servers the admin account can see will be returned.
> > We need some form of federated identity management. User accounts must be
> > shared between homogeneous and heterogeneous deployments. ie. all private,
> > all public or public/private (aka Hybrid) via Bursting.
> > There are some possibilities here:
> > 1. Replicate User accounts across zones. A user account would map to N child
> > zone accounts ... one for each child zone. These "placeholder" accounts are
> > hidden from the user and synchronized when the parent changes.
> > 2. Rely on an external/shared user management service. Let the Auth/RBAC
> > system sort out visibility, control, etc. This system would need to be
> > publicly available to both groups in the hybrid scenario.
> > 3. Continue with the admin account and filter access control/visibility in
> > the parent zone.
> > ... and I'm sure there are others.
> 
> 4. Use OAuth?
> 
> -jay
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20110328/5d8f10d4/attachment.html>

More information about the Openstack mailing list